OpenID Becomes Enterprising


Identity is a hot issue at the moment - just ask Her Majesty's Revenue & Customs. But supremely stupid security lapses aside, managing identity is a problem that everyone online has to face on a daily basis.

One aspect involves passwords. As we join more and more online services, we are faced with the perennial problem: do we invent yet another password, making it even harder to remember, or do we recycle old passwords, which increases the potential damage if one is compromised? Of course there are alternatives, as Bruce Schneier reminds us, but they are hardly convenient, especially if we're accessing online services from many computers at different locations.

What we need, of course, is a secure, single sign-on system that works everywhere, but we haven't got that for all the usual selfish reasons: major online services are unwilling to adopt somebody else's system, and so we end up with the current fragmented state.

We've been here before, with operating systems. Back in the days when Unix was king, nobody wanted to standardise on someone else's flavour, and we were left with myriad Unices, all slightly incompatible. One of the reasons that GNU/Linux has been adopted so widely is that it offered a neutral, open platform that favoured everyone equally. Clearly, then, what we need is a neutral, open identity system.

Amazingly, we have one: OpenID. As the main OpenID site explains:

OpenID eliminates the need for multiple usernames across different websites, simplifying your online experience.
You get to choose the OpenID Provider that best meets your needs and most importantly that you trust. At the same time, your OpenID can stay with you, no matter which Provider you move to. And best of all, the OpenID technology is not proprietary and is completely free.
For businesses, this means a lower cost of password and account management, while drawing new web traffic. OpenID lowers user frustration by letting users have control of their login.
For geeks, OpenID is an open, decentralized, free framework for user-centric digital identity. OpenID takes advantage of already existing internet technology (URI, HTTP, SSL, Diffie-Hellman) and realizes that people are already creating identities for themselves whether it be at their blog, photostream, profile page, etc. With OpenID you can easily transform one of these existing URIs into an account which can be used at sites which support OpenID logins.
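The "transform one of these existing URIs into an account" step above hides a detail that matters to anyone relying on OpenID logins: a user may type `Example.COM`, `http://example.com/` or `http://example.com:80/#me`, and the relying party has to reduce all of them to one canonical claimed identifier before discovery and before comparing it with anything stored (an account, a blogroll, a spam list). The following is an added example, not code from this post, from JanRain or from any OpenID library; it implements the identifier normalisation rules of the OpenID Authentication 2.0 specification (strip `xri://`, recognise XRI global context symbols, default to `http://`, lower-case scheme and host, drop default ports and fragments, give an empty path a `/`). The function names and the sample identifiers are my own.

```python
from urllib.parse import urlsplit, urlunsplit

# Leading characters that mark an XRI (i-name or i-number) rather than a URL.
XRI_GLOBAL_CONTEXT_SYMBOLS = "=@+$!("

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_openid_identifier(user_input: str) -> str:
    """Return the canonical claimed identifier for what a user typed.

    XRIs are returned with any 'xri://' prefix removed and otherwise untouched.
    URLs are normalised so that trivially different spellings of the same
    identifier compare equal; http and https remain distinct identifiers.
    """
    ident = user_input.strip()
    if not ident:
        raise ValueError("empty identifier")

    # 1. xri://=alice and =alice are the same XRI.
    if ident.lower().startswith("xri://"):
        ident = ident[len("xri://"):]
    if ident[0] in XRI_GLOBAL_CONTEXT_SYMBOLS:
        return ident

    # 2. No scheme given: the spec says to assume http.
    if "://" not in ident:
        ident = "http://" + ident

    parts = urlsplit(ident)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme for an OpenID URL: {scheme!r}")

    # hostname is already lower-cased and stripped of userinfo and brackets.
    host = parts.hostname
    if not host:
        raise ValueError("identifier has no host")
    if ":" in host:  # IPv6 literal: put the brackets back
        host = f"[{host}]"

    # parts.port raises ValueError on a non-numeric port, which we let propagate.
    port = parts.port
    netloc = host if port is None or port == DEFAULT_PORTS[scheme] else f"{host}:{port}"

    # 3. An empty path becomes "/"; the fragment is dropped entirely.
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def same_openid(a: str, b: str) -> bool:
    """True if two user-supplied identifiers normalise to the same claimed identifier."""
    return normalize_openid_identifier(a) == normalize_openid_identifier(b)


if __name__ == "__main__":
    # Constructed sample inputs, all spellings a user might plausibly type.
    for raw in ("Example.COM", "http://example.com:80/alice#profile",
                "https://EXAMPLE.com:8443/alice", "xri://=alice"):
        print(f"{raw!r:45} -> {normalize_openid_identifier(raw)!r}")
```

The point of keeping `http://example.com/alice` and `https://example.com/alice` distinct is deliberate: they are different identifiers under the spec, and a relying party that merged them would let whoever controls the plain-HTTP version inherit the reputation (or the account) built up under the HTTPS one.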

The problem is that it still hasn't caught on in a big way. The recent release of OpenID 2.0 may change that – well, that's certainly what its supporters are hoping.

I recently spoke to one of them, Michael Graves, from the company JanRain (no, not some obscure Asian god, but a pointed reference to the local winter weather in Portland, where the company is based), to find out more. Graves felt – not surprisingly – that we were near to the inflection point as far as OpenID is concerned – the moment when it passes from being a niche solution to something with unstoppable momentum.

He cited Microsoft's announcement earlier this year, and Google's move to allow OpenIDs for comments on its Blogger system as proof of this; although those are both big names, it's still very much a toe-dipping exercise – you don't get any sense of deep commitment yet. But as Graves pointed out, you wouldn't really expect that, because this is deeply disruptive technology, and powerful incumbents like Microsoft and Google (yes, Google's an incumbent these days) much prefer the status quo.

He also noted that OpenID 2.0 will have a number of technical enhancements, allowing more complex interactions with service providers, whereby your personal profile is passed in a controlled way for certain purposes. Privacy issues aside, that sounds useful in terms of automating various kinds of operations.

Another interesting aspect was how his company JanRain would make money in this open world, and it was refreshing to hear his belief in the centrality of openness for OpenID – so no attempts to add proprietary elements for the sake of a bit of dosh. Instead, JanRain operates as an OpenID provider where you can sign up, and it also makes software, including Pibb:

it brings together the familiarity of forums, power of blogs, flexibility of email and convenience of instant messaging in one browser window. All messages are delivered in real time, then archived automatically for later search/viewing. This feature set makes Pibb ideal as a communication back-channel for conferences, for use as a support tool, or for community based private/public discussions.

But for me the real revelation – and the thing that excites me most about the short-term future for OpenID – is its potential within the enterprise. Graves spoke of how the publisher Reed-Elsevier (disclosure: a long time ago, in a galaxy far, far away, I used to work for one of its divisions) is layering OpenIDs on top of its Active Directory implementations: the problem there is that with multiple Active Directories, the name-space is too fragmented to use directly. OpenID allows a simple, unified approach that hides the underlying complexity.

Of course, that's precisely what OpenID can do on the Internet too, but it may be that the business case for its use in similar situations will help it build the necessary broad user base for the breakthrough in the public sphere.

And if you're wondering what an OpenID-enabled future might look like, try this fascinating post from Chris Messina about OpenID 2.0 and DiSo, or “Distributed Social Networking applications”:

As more people sign in to my blog with OpenID and leave approved comments, I can migrate them to my public blogroll, allowing others to benefit from the work I’ve done evaluating whether a given identifier might be a spam emitter. Over time, my reliability in selecting and promoting trustworthy identifiers becomes a source of social capital accrual and you’ll want to get on my list, demonstrating the value of playing the role of identity provider more widely.

This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivative Works 2.0 UK: England & Wales Licence. Please link back to the original post.
