Sunday, February 3, 2008

OpenID


Did you ever get sick of making up a user name and password for each and every one of those websites where you have to have a user name and password? A lot of folks try to simplify by using the same id and password on every site, but that's dangerous, because if just one site is compromised or untrustworthy, the bad guy can reuse your login at all the others. Wouldn't it be great if you had a SINGLE secure identity that was recognized all over the internet without requiring each site to know your password? Now you can: it's an Open Source initiative called OpenID. Right now the bottleneck is the relatively small number of websites that support OpenID login. I first heard about OpenID at the last SAO talk in January by Scott Kveton of MyStrands.

OpenID takes advantage of the fact that domain names on the internet are unique. So you can pick any domain or subdomain that you control and set it up as your OpenID. I decided that http://www.colleendick.com would be a very good identity for me, being as how it's my name and all, and if I ever forget that I've got way bigger problems than logging on to websites. If you don't own a domain you can sign up for a blog on wordpress. They will give you a subdomain, you.wordpress.com, which is automatically set up as an OpenID. (Even conservative Blogger has started doing it, as of about 10 days ago!) Great, but what about the password? Won't I still have to give the password to each and every site? And wouldn't that be dangerous, because if someone ever cracked my master OpenID password they could log on as me to every OpenID site? Yet making up a different password for the same name on many sites defeats the simplicity goal. So what to do?

Well, let's say I'm going to tell some website that I'm colleendick.com. How does it know it's me and not just someone saying they're me? It's because I control colleendick.com, and I put two lines of HTML code in the main page that tell the website which site to ask for the secret password. So if I'm not currently logged in, it sends me to that site, which asks me for the secret password. If I know it, that logs me in to the third-party site, where I stay logged in until I shut down my browser. Now if I log in anywhere else as colleendick.com, that website will look at colleendick.com, check with the third-party site, and since I'm already logged in there, I'm logged into the new site too.
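Here is the relying-party side of those "two lines of HTML", as an added example that is not part of the original post: it reads the OpenID `<link>` tags from a claimed identity page to learn which provider to ask, and refuses anything that is not an absolute http(s) URL. The page, hostnames and endpoints are constructed placeholders, and it runs offline on the embedded sample.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags a relying party looks for on the claimed identity page
OPENID_RELS = ("openid.server", "openid.delegate",
               "openid2.provider", "openid2.local_id")


class OpenIDLinkParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if not rel or not href:
            return
        for r in rel.lower().split():
            if r in OPENID_RELS:
                self.links.setdefault(r, href)  # first declaration wins


def discover(html):
    """Return (provider_endpoint, delegate_or_None) for an identity page."""
    p = OpenIDLinkParser()
    p.feed(html)
    links = p.links
    # Prefer the OpenID 2.0 names, fall back to the 1.1 names
    server = links.get("openid2.provider") or links.get("openid.server")
    delegate = links.get("openid2.local_id") or links.get("openid.delegate")
    if server is None:
        raise ValueError("no OpenID provider declared on identity page")
    # Before redirecting the user, insist on absolute http(s) URLs so a
    # tampered identity page cannot send the browser to a non-web scheme
    for url in (server, delegate):
        if url is not None:
            u = urlparse(url)
            if u.scheme not in ("http", "https") or not u.netloc:
                raise ValueError(f"refusing non-http(s) URL: {url!r}")
    return server, delegate


# Constructed sample identity page; placeholder URLs, not real endpoints
SAMPLE_PAGE = """<html><head><title>Me</title>
<link rel="openid.server" href="https://provider.example/server">
<link rel="openid.delegate" href="https://me.provider.example/">
</head><body>hello</body></html>"""
```

`discover(SAMPLE_PAGE)` returns the provider endpoint and the delegated identity the relying party should assert to it.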

Sam Ruby provides an elegant howto for OpenID here if you'd like to try it.

As I see it, OpenID has sort of the same weakness as HTTP authentication, which is what it rides on: if you log in on a public computer and fail to log out, you'll still be logged in. Of course the hacker would have to know your OpenID, and that wouldn't be quite as readily available as poking through browser history, but still, it's a concern. And the other overriding concern is that the trusted third party has to be someone you totally trust.


Tix•R•Us is one of those websites that currently requires its own login for administrators. We are not going to support OpenID for the foreseeable future because most of our administrators are not geeks, and at the moment OpenID is still in the geek realm. I'm guessing few if any of them would use it even if it were supported, but it's something to keep an eye on.
