Tag Archives: windows live id

Myths about OpenID and digital identities

I’m really on a roll the past few days with blog posts on digital identity.  My new love is e-commerce with my work on Windows Marketplace, but it’s hard to ignore the recent waves in “big” news in the digital identity world.  Given my expertise in the area, I can’t help but give my 2 cents (or 4 cents :)).

After reading all the blog entries and resulting comments on sites like TechCrunch, there is a lot of confusion about the significance, or lack thereof, of all these recent announcements (Google, Microsoft) around new OpenID providers.

First, let’s define a few terms:

Identity Provider: An Identity Provider is an entity that issues identities and the credentials used to authenticate as that identity.  These are almost always an email address and password combination.  An example is Microsoft issuing Windows Live IDs (e.g. [email protected] or [email protected]) with a password.

Relying Party: A Relying Party is a site or service that accepts assertions of a user’s identity from a specific Identity Provider. This term is always used in conjunction with the name of an identity provider.  For example, a site that is a “Windows Live ID relying party” accepts identity assertions from Windows Live ID.

OpenID Provider: An OpenID Provider is an Identity Provider that interoperates with OpenID.  It enables users with identities it has issued to authenticate to services that accept OpenIDs.  It does this by authenticating a user’s credentials, then issuing a signed proof of that authentication (an assertion, often referred to in other identity systems as a service ticket) that the user’s browser presents to a service that accepts OpenIDs.

OpenID Relying Party: Refers to a site or service that accepts user identity assertions from an OpenID Provider.

Now that we’ve gotten terminology out of the way here are several myths that are prevalent in many online discussions about digital identities, and in particular, discussions about OpenID:

Myth: Becoming an OpenID provider makes you more “open”.

Fact: By becoming an OpenID provider, an identity provider just allows its existing users to sign in to OpenID relying parties. So technically it isn’t more open in the traditional sense, since it didn’t grant access to its own services to any more users than it already had.  It just allowed its users to access services outside of its control, namely OpenID relying parties like Plaxo.  So in reality, becoming an OpenID provider is a self-interested strategy: (1) letting your users access more, and (2) jumping on the bandwagon not only to ride a good press wave, but also to encourage more users to pick you as their identity provider.

Myth: Becoming a Relying Party disempowers a site’s native identity provider since it no longer holds its user information (think Gmail to Google, or Flickr to Yahoo).

Fact: This is not true. In fact, by becoming a relying party there are very few risks, and you still hold all the user information accumulated through use of your service.  Becoming an OpenID provider or relying party does not imply that you need to share a user’s profile with any other service.  The main risk in becoming a relying party is accepting assertions from an identity provider that doesn’t legitimately authenticate the user.  Because an OpenID relying party will, by default, accept an assertion from whichever OpenID provider a user’s identifier points to, the strength of a login on your site is bounded by the weakest provider you are willing to trust.  Imagine accepting identity assertions from an Identity Provider that didn’t use passwords, where all a user did was enter an email address to be “authenticated”.  You wouldn’t be able to trust that the user really was [email protected] when the assertion was presented to you.
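As an added example (not code from the original post, nor from Windows Live ID or any OpenID library), here is the check a relying party has to perform before believing an OpenID assertion, written against the OpenID 2.0 positive-assertion format. Both sides are sketched in Python: the OP signs the assertion, the RP checks return_to, the issuing OP, the signature and the nonce. The association key, endpoint URLs and user identifier are constructed for the demo; in practice the MAC key comes from the association step with each OP. The allowlist of OP endpoints is RP policy rather than part of the protocol, and it is what stops the password-less provider described above from vouching for users on your site.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

OPENID_NS = "http://specs.openid.net/auth/2.0"

# Constructed demo material: a real RP negotiates a MAC key with each OP during
# association; it is never a fixed constant like this.
ASSOC_HANDLE = "demo-assoc-1"
MAC_KEY = hashlib.sha256(b"constructed demo association key").digest()


def kv_form(fields, signed):
    """Key-Value Form (OpenID 2.0 s4.1.1): one 'key:value\\n' line per signed
    field, in the order listed in openid.signed, keys without 'openid.'."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()


def sign(fields, mac_key):
    """HMAC-SHA256 over the Key-Value Form of the signed fields, base64 encoded."""
    signed = fields["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def op_positive_assertion(op_endpoint, claimed_id, return_to, assoc_handle, mac_key, now):
    """OP side: build a positive 'id_res' assertion after the user authenticated."""
    nonce = now.strftime("%Y-%m-%dT%H:%M:%SZ") + secrets.token_urlsafe(8)
    fields = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": assoc_handle,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    fields["openid.sig"] = sign(fields, mac_key)
    return fields


class RelyingParty:
    """RP side. Only OPs on an explicit trust list are accepted, so an OP that
    authenticates weakly cannot vouch for anyone on this site."""

    REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")

    def __init__(self, return_to, trusted_ops, associations, max_skew=timedelta(minutes=5)):
        self.return_to = return_to
        self.trusted_ops = set(trusted_ops)
        self.associations = dict(associations)  # (op_endpoint, assoc_handle) -> MAC key
        self.max_skew = max_skew
        self.seen_nonces = set()

    def verify(self, fields, now):
        if fields.get("openid.ns") != OPENID_NS or fields.get("openid.mode") != "id_res":
            return False, "not a positive assertion"
        signed = fields.get("openid.signed", "").split(",")
        if (any(r not in signed for r in self.REQUIRED_SIGNED)
                or any("openid." + k not in fields for k in signed)):
            return False, "required fields not covered by signature"
        if "openid.claimed_id" in fields and "claimed_id" not in signed:
            return False, "claimed_id not covered by signature"
        if fields["openid.return_to"] != self.return_to:
            return False, "return_to mismatch"
        op = fields["openid.op_endpoint"]
        if op not in self.trusted_ops:  # RP policy: refuse assertions from OPs we do not vouch for
            return False, "untrusted OP"
        mac_key = self.associations.get((op, fields["openid.assoc_handle"]))
        if mac_key is None:
            return False, "unknown association handle"
        if not hmac.compare_digest(sign(fields, mac_key), fields.get("openid.sig", "")):
            return False, "bad signature"
        nonce = fields["openid.response_nonce"]
        try:  # nonce starts with the OP's UTC timestamp, YYYY-MM-DDThh:mm:ssZ
            issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed nonce"
        if abs(now - issued) > self.max_skew:
            return False, "stale nonce"
        if (op, nonce) in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add((op, nonce))
        return True, fields.get("openid.claimed_id")


def demo():
    """Run both sides over constructed data; returns the RP verdict per scenario."""
    now = datetime(2008, 10, 28, 12, 0, 0, tzinfo=timezone.utc)
    op = "https://op.example.com/openid"                # constructed, trusted OP
    weak_op = "https://weak-op.example.net/openid"      # constructed OP not on the trust list
    return_to = "https://rp.example.com/openid/return"  # constructed RP endpoint
    alice = "https://alice.example.com/"                # constructed claimed identifier
    rp = RelyingParty(return_to, {op}, {(op, ASSOC_HANDLE): MAC_KEY})

    good = op_positive_assertion(op, alice, return_to, ASSOC_HANDLE, MAC_KEY, now)
    tampered = dict(good)
    tampered["openid.claimed_id"] = "https://bob.example.com/"  # changed after signing
    rogue = op_positive_assertion(weak_op, alice, return_to, ASSOC_HANDLE, MAC_KEY, now)
    old = op_positive_assertion(op, alice, return_to, ASSOC_HANDLE, MAC_KEY, now - timedelta(hours=1))
    return {
        "valid": rp.verify(good, now),
        "replay": rp.verify(good, now),         # same assertion presented a second time
        "tampered": rp.verify(tampered, now),
        "untrusted_op": rp.verify(rogue, now),  # well-formed and signed, but by an OP this RP rejects
        "stale": rp.verify(old, now),           # nonce timestamp outside the accepted window
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:13s} -> {verdict}")
```

The order of the checks matters: the trust decision about the OP is made before the signature is even looked at, so a correctly signed assertion from a provider you never agreed to trust is rejected for that reason alone, which is exactly the failure mode the myth above glosses over.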

Myth: All the recent OpenID news about these new OpenID providers will solve all the digital identity problems.

Fact: As mentioned the other day, it doesn’t really matter how many OpenID providers there are. The real issue at hand is how many OpenID Relying Parties exist.  Right now there are very few, which makes the utility of OpenID very low; the provider announcements make for good PR talking points and little more.  It will be monumental when you see all the Google, Yahoo and Microsoft services becoming OpenID Relying Parties.

Myth: OpenID is more secure than Windows Live ID (or any other identity provider).

Fact: First, this statement doesn’t make sense, since OpenID is essentially just a set of protocols and Windows Live ID is an identity provider.  If the real statement is that an OpenID provider is more secure than a non-OpenID provider, then, unfortunately, that is also incorrect.

From the eyes of the consumer, the security of an identity provider really has nothing to do with the underlying protocols that are used.  They just know where to go to authenticate and how to authenticate. This is why fewer Identity Providers are good: users learn to recognize a small number of sign-in pages, which reduces the risk of phishing scams where users unknowingly give their credentials to a malicious party.

The security of an identity provider is really about the security of the credentials used to assert a user’s identity. The great thing about OpenID is that, since it is an open system and anyone can become an Identity Provider, it paves the way for competition and natural selection to occur among Identity Providers.  With OpenID, we’ve seen the rise of some fantastic security solutions that will make a real impact with customers once we have more OpenID relying parties.  For example, investments by VeriSign in two-factor authentication give me a lot of hope that other Identity Providers will follow suit.  This will force the entire industry not only to raise the level and expectation of security, but also to make it easier to use for the everyday user.

Windows Live ID supports OpenID

Nearly 2 years ago, Bill Gates mentioned in a keynote that Microsoft would support OpenID and gave a broad signal to the industry that we would start seeing convergence in the digital identity space.

My old team, Windows Live ID, just announced today that they are officially becoming an OpenID provider.  In plain terms, this means you will soon be able to use your Windows Live ID to sign into any OpenID relying party.  This partnership is great for every party involved.  Microsoft benefits from increasing utility of Windows Live ID at sites and services that usually shun anything from Redmond.  OpenID benefits from another boost in credibility as well as exposing OpenID relying parties to over 400M Windows Live ID users.

The last few years have seen a lot of movement in the Identity 2.0 space.  Windows Live ID opened up through Web Authentication and CardSpace, Facebook launched Facebook Connect, and in the not-so-reclusive shadows OpenID was making tremendous progress toward becoming the de facto protocol for end-user authentication on the web. OpenID got on people’s radar with a wave of higher-profile adoptions by services like Yahoo, Plaxo, AOL, WordPress and even VeriSign.  It also helped that OpenID wasn’t from Microsoft 🙂

It is only natural for there to be an eventual consolidation and convergence in the user identity space.  It just doesn’t make sense from a user’s perspective to have different credentials all representing the same person.  What users really care about is convenience, with the ability to control the privacy of any information that is disclosed.  If you look at the history of the consumer credit card market, it isn’t a coincidence that three card brands make up the lion’s share of the market: Visa, Mastercard and American Express.  More than that increases complexity for merchants, which in itself squeezes out the least popular cards (e.g. Diner’s Club and Discover).

Extending that example to the digital identity space, it also doesn’t scale to “internet size” to have the endless identity providers that we have seen.  In order to scale reliably, it only makes sense to have a smaller set of authorities entrusted to assert claims over a group of users.  In the real world, this is equivalent to how driver’s licenses are issued.  There isn’t an ad hoc number of authorities that issue driver’s licenses. Imagine what that would be like when you showed your ID at a pub for a beer.  In order to “trust” the claims asserted by your driver’s license (namely, your age), the pub would also have to trust the party that issued the license.  If the pub blindly trusted any authority, it would degrade the trust of every claim made in the system, since the value of all identities would erode due to forgeries.  This is, in effect, the model the Department of Motor Vehicles (DMV) follows in the USA.  For each state there is a single authority granted the power to issue driver’s licenses, and relying parties that need to verify identity claims based on driver’s licenses only really need to trust the state-level DMV.  If claims are asserted on an ID issued by another state, relying parties (pubs, bars, etc.) look for a way to validate the legitimacy of the issuing authority (DMV), for example by checking for a hologram on the license.  This has been shown to scale extremely well, and is essentially the same model that national passports follow.

The partnership between Windows Live ID and OpenID is great for customers and services alike, because it brings us one big step closer to broader convergence for digital identities.  I see in the not-so-distant future a place where there are a handful of extremely trustworthy identity providers able to assert very high quality claims about users, with the users themselves controlling which of those claims are disclosed.

This partnership is the first step towards that magical place.  It’s definitely an uphill battle for the remaining identity providers, since issuing identities and holding all that information about users is a very lucrative spot to be in.  Each step towards further convergence will be harder to take, until we reach a point where each remaining identity provider is valuable and necessary because either relying parties or users demand it.

I’m excited to see what’s next.

Microsoft opens up Windows Live ID

It’s great to see that my old team has been humming away and has come out with a pretty big announcement. They’ve opened up Windows Live ID so third-party websites can use it for their authentication and for integration with Windows Live authenticated services, much like Google’s and Yahoo’s offerings.

It’s a bit late to the game, but better late than never!  It’s fantastic to see they even have sample implementations in Ruby, Python, Perl and PHP!

From the Windows Live ID team blog:

The benefits of incorporating Windows Live ID into your Web site include:

· The ability to use Windows Live gadgets, APIs and controls to incorporate authenticated Windows Live services into your site.

· An HTTP-based, platform-neutral interface for implementing Windows Live ID authentication in your existing site, even if it is hosted by a third-party.

· Ability to make authentication and Windows Live integration easy for over 380 million consumers.

Check out the details in the SDK documentation or download the quick-start application if you’re interested in learning more.

Thoughts on OpenID

There has been a ton of talk lately on OpenID, especially since it has seemingly gained inroads with a lot of major industry players such as Microsoft, Verisign and AOL. Heck, even Digg is planning on supporting it.

Michael Arrington of TechCrunch recently said:

It’s definitely time to declare OpenID a winner and the hope for a single-sign on world a reality.

When you read commentary by supporters of OpenID and the resulting press, you can’t help but get the impression that it’s the savior of the internet and finally solves the authentication problems for users on the web. Some of the stated advantages:

  1. De-centralized — you don’t have to trust a single authority like Google or Microsoft.
  2. Tiered authentication — websites that require stronger authentication can get users to sign in with a strong credential. It’s built into the protocol.
  3. URL-based — you can keep your email address private, and it saves you time when trying out new sites and services (you already know your ID is unique since no one else is using your URL identifier).
  4. Multiple identities made easy — you can have multiple identities by using different URLs.

The list goes on and on… When I read the above list, call me skeptical, to say the least.


Windows Live ID client SDK released

My old team, Windows Live ID, just released the much anticipated SDK for connected rich-clients in an alpha release.  Strange that this big news hasn’t been mentioned on their team blog or on Dev.live.com yet.

“We are excited to introduce the alpha version of Windows Live ID for client applications!
The Windows Live ID Client 1.0 SDK provides a managed API for Windows Live sign-in authentication. Included in the release is a sample application with its source code, so that you can build your own client applications.

The benefits of implementing the Windows Live ID authentication service include:

  • No need to worry about the technical details of authentication! The Windows Live ID authentication service manages this process for you.
  • Don’t bother worrying about how to store and retrieve user account information! The Windows Live ID service uses the same functionality as Messenger to cache the user name and/or password for use in subsequent user sign ins.
  • Forget about creating, storing, and maintaining user accounts! The Windows Live ID service hosts and manages the Web flows and account services to enable account sign up, credential viewing and updating, and profile management.
  • Gain hundreds of millions of potential users of your application! By enabling Windows Live accounts direct sign in to your application, anyone with a Windows Live ID can become a user of your product.”

You can download the SDK here: https://connect.microsoft.com/site/sitehome.aspx?SiteID=347.  Send me links to any cool applications you create with it!