OpenID has been in the news recently and I thought I’d cover it real quick.
The buzz-phrases are “Identity Management” and “Controlling your online identity”. But what is it really?
Essentially it’s a protocol that allows systems to authenticate users through a third party. So if I want to log into this blog, for example, I could have this blog’s software authenticate me with Google, allowing me to use my Google account rather than some account that’s unique to this blog system.
I can then use that same Google account to authenticate with all the other OpenID-capable systems out there. Now I only need to remember one password (my Google account).
This is a free/open system. You can use it however you like. No fees, no nothing.
Now immediately people will note a couple of things. First, if an attacker gets the password to your OpenID account (your Google account in this instance) then he/she has access to all your accounts. Furthermore, if Google goes down you won’t be able to log into anything for as long as Google’s servers are offline.
In other words it’s a single point of failure.
Furthermore, this is more of a benefit for the end user than for those who manage these systems. Sure, you’re no longer in the business of password management, but you still must maintain a local account tied to the user’s OpenID. Systems that integrate with OpenID are still managing accounts; they’ve only saved themselves the trouble of having to set and reset passwords.
However, there is a bit of a plus side to OpenID.
You control how you authenticate.
Don’t like passwords? You can set up your own OpenID server (or, more likely, use one already in existence) that uses alternative forms of authentication. Maybe it’s biometrics, or includes some sort of CAPTCHA to defeat password guessing attempts, or maybe authentication comes in the form of answering a question that only you would have the answer to.
One really nice setup is to go through VeriSign, which is an OpenID provider and will let you buy (for only a few dollars) an authentication token. It’s a small thing you place on your keychain and carry around with you. Whenever you go to log into the system you’ll have to include the number displayed on the token, which changes every 10-30 seconds. So even if your password is compromised you’re still fairly safe.
With OpenID this type of two-factor authentication goes with you. Any place you login with OpenID you’re using two-factor authentication. It’s brilliant.
But there’s one big problem.
A trend has started where big companies (Google, Yahoo, MSN) will allow you to use your account on their servers as an OpenID, but you cannot log into those systems with OpenID. The reason for this is that they don’t want you signing up with alternative services. If Google doesn’t do OpenID you’re forced to create a Google account. And whenever you use that Google account to log into an OpenID system you’ll have to type in “google”, helping to reinforce their name and brand in your head.
Another, more sinister, problem is that your OpenID provider will be able to track which web sites you log into and when. It would be trivial for, say, MSN to keep track of the web sites you authenticate with. Once it recognizes that you visit, say, gaming web sites, MSN might start throwing gaming advertisements at you either during your login process or while you’re on any of MSN’s own services. This sort of targeted advertising will be the excuse companies give when questioned about their tracking practices.
But who knows what else they do with that information? There’s a privacy issue here. Advocates will say it’s a moot point because if you don’t like Google’s practices you can simply switch to another OpenID provider.
That’s all well and good, but the reality is if you’re going the OpenID route you’ll want a provider that’s reliable and isn’t likely to go away in the next year or so. That means you’ll go through a large company like MSN, Google, VeriSign, etc.
There are lots of trade-offs and lots of issues to consider before taking to the OpenID highway.
Personally, I’m going to stick with a copy of KeePass and have unique, randomly generated passwords for every web site. I’ll only need to remember one password, the one to open the KeePass database, and it’s a password that won’t be stored anywhere online (not even as a hash). A side-benefit of this approach is that, should your system be compromised, a keylogger isn’t going to get any of your online accounts since you’re never really typing anything in (just copy/paste). So Warcraft players fear not!
The trade-off is if I ever lose that database I’m royally fucked. So backup often! A small price to pay for what I think is better security.