in Technology

OpenID and why it matters

openid-logoLogging into websites have always been a pain if you want to stay somewhat secure. One could either use the same username and password everywhere or choose from a few remembered passwords. The next best thing is to use some kind of password manager, such as the one built into most modern web browsers or perhaps 1Password.

Another way of looking at online identities is the concept of one central hub – you. Think of it as your “home”, a place for your identity. This identity could then be used to authenticate you on any supported site, without requiring a password or even a username, provided that all required information has been entered into the central hub profile beforehand, such as your full name and username.

This is exactly how OpenID works! It acts as a central hub for your online identity and lets you login to all OpenID enabled websites without having to come up with a new password each time (or worse, use the same password). What makes OpenID work is simplicity; it is not that hard to grasp or explain the concept of an online identity hub and using an URL to identify yourself with.

A huge benefit of OpenID is that it is completely decentralized. This basically means that anyone can set up their own OpenID provider, and there are already lots of open libraries available to make this as painless as possible. This means that if you don’t trust anyone to hold your personal identity, just get a domain name and set one up for yourself, and use any type of authentication you want to identify yourself to your own hub. You can even use X509 certificates or OTP for this purpose if you want.

As for security, make sure to use HTTPS for the provider to protect against man-in-the-middle and replay attacks. The other important security issue are phishing attacks, where users would enter their credentials on a third-party server instead of their own. Using client certificates or making it mandatory to already be logged in before executing a request would however make this a non-issue. Other than that, the ordinary web problems remain, such as bugs in the OpenID libraries and other attack vectors.

If one would be able to gain access to your OpenID provider, he would have access to all authenticated sites. To put this in context however, look at your email account. If one were to gain access to your email, he would undoubtedly have means to access most of your sites anyway because of the password recovery feature.

Chances are that you already have an OpenID identity without even knowing! Lots of big websites provide this service, and it is even possible to roll you own as mentioned above, or even install a plugin for you very own WordPress blog to enable this feature. If you have your own fancy domain but no means to setup an OpenID provider, fear not, there is support for delegation, meaning that you can delegate the authentication to another provider, while still providing your own domain for authentication to the target website.