“Identity Management” for the Internet is a long-unrealized dream: a centralized magic single sign-on for the whole Internet. The idea is to spare us Web surfers the hassle of managing multiple logins, and instead have a single universal logon verified in some magical way by a trusted third party. Then when we visit RantyForums or GeekToyz or Nellie’s Best Beer and Chocolates or wherever we want to go, Nellie et al. will use this trusted third party to verify us. Nellie and the rest of the Internet won’t have to maintain their own customer verification systems, and we Web surfers won’t have to work as hard either — all we need to do is establish a good, secure relationship with a single identity manager, or a limited number of them.
But should we entrust something as powerful as a single sign-on to a single identity manager, or even a few select ones? I keep a written record of all of my different online accounts, from shopping sites to online forums, and it contains over 100 different logins. That’s a lot of goodies to store in one basket. But the idea is to make it a stout, well-protected basket, or perhaps several stout baskets, instead of an unmanageable gaggle.
There hasn’t been much of a stampede to implement Internet identity management in the consumer space. Microsoft’s Passport was the first serious attempt. OpenID is the second, and as far as I know those two are it. Passport is like a zombie; it never quite dies, but isn’t really alive either. It just shambles along, dropping body parts here and there, and often forgetting its own name. First it was Passport. Then it was .Net My Services or something equally dippy, and there was a Hailstorm too. Now it’s Windows Live ID. Passport/.Net-wotsis is an annoying, intrusive nag that is required for most Microsoft services, such as Hotmail, Office Live, XBox Live, Windows Messenger, Zune, and MSN; it nags at you every time you use Windows, and every time you visit a Microsoft Website. It has suffered from a number of nasty, well-publicized security flaws.
But you know the old saying— you can tell the pioneers by the arrows in their backs, and it seems that Windows Live ID may finally be on track to getting it right. Microsoft hired Passport’s biggest critic, Kim Cameron, and put him in charge. In the early days of Passport the goal was to own the Internet; now Windows Live ID is opening up and has the potential to interoperate with other identity management systems, including open source-based systems. Though the key word here is “potential” — it hasn’t happened yet.
Big Holes to Plug
Internet-wide identity management is a large, complex problem. Different sites have different security requirements. For example, online services that require simple registrations mainly to foil spammers, like forums, don’t need military-grade security. Nellie has more stringent requirements: any time money changes hands, ideally there are sufficient protections in place. (I know, I read the news too. I did say “ideally”.)
The biggest problem is that the Internet is designed to be wide open. It brings all these strangers from all over the world together, but it has no built-in mechanisms for verifying or managing identity. We don’t even have user-friendly tools for verifying that the sites we visit are legitimate and not forged. Sure, sites use certificates from third parties such as Thawte and VeriSign, but what do those mean to us? They’re just mysterious thingies in Web browsers, just like these new anti-phishing features — we have no way to easily verify that our Web browsers are being truthful. No matter how wonderful it looks to engineers and security geeks, end users have to take it all on faith.
OpenID is a bold attempt to apply open source values and methods to the problem of Internet identity management, and to put control into individuals’ hands. To quote What is OpenID?:
“OpenID is an open, decentralized, free framework for user-centric digital identity. OpenID takes advantage of already existing Internet technology (URI, HTTP, SSL, Diffie-Hellman) and realizes that people are already creating identities for themselves whether it be at their blog, photostream, profile page, etc. With OpenID you can easily transform one of these existing URIs into an account which can be used at sites which support OpenID logins… it is estimated that there are over 160-million OpenID enabled URIs with nearly ten-thousand sites supporting OpenID logins.”
OK, that sounds good, but how does it work? First of all, you may already have your own OpenID. If you have an AOL account, Yahoo, LiveJournal, Technorati, WordPress, or any of the others listed here, then you already have one. If you don’t, there are many providers where you can sign up. Yes, you still must rely on a third party, except for you hardy souls who want to run your own OpenID servers. If the provider you choose does not please you, it’s easy to switch to another one. When you visit a site that supports OpenID, you enter your OpenID URI, which looks like http://carla.myopenid.com/, instead of a login and password.
LiveJournal.com, MyOpenID, and VeriSign’s PIP (Personal Identity Provider) are all highly regarded. VeriSign also provides some handy PIP extensions for Firefox, including a neat little widget for switching between OpenID providers on the fly.
If you’re wondering “so how is the OpenID verified?”, you are thinking smartly. What’s to stop someone from copying your OpenID and using it? The answer is the login for your OpenID provider account: hang on to it, because the provider asks you for it every time you log into a site with your OpenID, and without it nobody can use your OpenID URI. It’s a bit clunky, but it works.
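To make that verification step concrete, here is an added example (not code from the article or from any OpenID project) that models the check in Python: the user proves a password to the provider, the provider signs an assertion with a MAC key it shares with the site being logged into, and the site verifies that signature. It uses the OpenID 2.0 HMAC-SHA1 key-value signing format, but the site name, password and the direct hand-over of the shared key (real OpenID wraps it in Diffie-Hellman and adds discovery) are simplifying assumptions.

```python
import base64, hashlib, hmac, secrets

def kv_sign(fields, keys, mac_key):
    # OpenID 2.0 HMAC-SHA1 signature over the listed fields in "key:value\n" form
    msg = "".join(f"{k}:{fields.get(k, '')}\n" for k in keys).encode()
    return base64.b64encode(hmac.new(mac_key, msg, hashlib.sha1).digest()).decode()

class Provider:
    """The OpenID provider the user holds an account (and password) with."""
    def __init__(self):
        self.users, self.assocs = {}, {}  # uri -> password hash; handle -> MAC key
    def register(self, uri, password):
        self.users[uri] = hashlib.sha256(password.encode()).hexdigest()
    def associate(self):
        # Relying party and provider agree on a shared MAC key (real OpenID wraps
        # this in Diffie-Hellman; here it is handed over directly, an assumption).
        handle, key = secrets.token_hex(8), secrets.token_bytes(20)
        self.assocs[handle] = key
        return handle, key
    def checkid(self, uri, password, handle, return_to):
        # The user proves the password to the provider, never to the relying party.
        if self.users.get(uri) != hashlib.sha256(password.encode()).hexdigest():
            return None  # no positive assertion without the provider password
        fields = {"mode": "id_res", "claimed_id": uri, "return_to": return_to,
                  "assoc_handle": handle, "response_nonce": secrets.token_hex(8)}
        keys = list(fields)
        fields["signed"] = ",".join(keys)
        fields["sig"] = kv_sign(fields, keys, self.assocs[handle])
        return fields

class RelyingParty:
    """A site accepting OpenID logins; it only ever sees the signed assertion."""
    def __init__(self, provider, return_to):
        self.return_to = return_to
        self.handle, self.mac_key = provider.associate()
        self.seen = set()  # nonces already accepted, to stop replay
    def verify(self, a):
        if a is None or a.get("mode") != "id_res":
            return None
        if a.get("assoc_handle") != self.handle or a.get("return_to") != self.return_to:
            return None  # assertion meant for another site or association
        keys = a.get("signed", "").split(",")
        if not hmac.compare_digest(kv_sign(a, keys, self.mac_key), a.get("sig", "")):
            return None  # forged or tampered: knowing the URI alone is not enough
        if a["response_nonce"] in self.seen:
            return None  # replayed assertion
        self.seen.add(a["response_nonce"])
        return a["claimed_id"]
```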
Whom Do You Trust, Again
I’m sure you can see the potential pitfalls of this architecture: what if you fall into the clutches of an inept or criminal OpenID service provider? It is easy to change to a new provider, and to set up several different OpenIDs, but that doesn’t solve all the problems caused by a shady or incompetent one. You could, in classic FOSS do-it-yourself fashion, take matters into your own hands and run your own OpenID server. Sun Microsystems put a novel twist on this by running its own server and issuing OpenIDs only to its own employees.
On the other hand, can it be any worse than the current system of almost-daily spectacular (and spectacularly lame) security breaches? It seems we’ve all been pwned many times over by now. While we’re probably a couple of years away from widespread adoption and nice user-friendly management tools, OpenID could represent a real breakthrough, so watch this space for future developments.
- Why does Microsoft Passport suck? – lots of links to in-depth articles about the challenges of Internet single sign-on
- The Laws of Identity
- Hijacking OpenID Enabled Accounts
- Running an OpenID Server
- Public OpenID providers