
Simon Willison’s Weblog

An OpenID is not an account!

I’m excited to see that OpenID has finally started to gain serious traction outside of the Identity community. Understandably, misconceptions about OpenID continue to crop-up. The one I want to address in this entry is the idea that an OpenID can be used as a replacement for a regular user account.

Update at 23:55pm: I originally tried to illustrate this misconception with a quote from Don Park; unfortunately I misunderstood the quote and consequently misrepresented his position, for which I apologise unreservedly.

The old OpenID homepage (which I miss; the new one uses jargon-heavy terms like “a free framework for user-centric digital identity”) included this in nice big letters:

What about trust?

This is not a trust system. Trust requires identity first.

OpenID solves the identity problem, not the trust problem. When a user authenticates with OpenID, what they are doing is stating “I have the ability to prove my ownership of this URL”.

I used the phrase “have the ability” deliberately. Just because the OpenID authentication was successful doesn’t mean that the user is the only person who can authenticate against that OpenID. It would be trivial to create the OpenID equivalent of Mailinator: an identity provider that says “Yes, that’s them!” to any identity request. I’m tempted to build it just to emphasize this point! Update: Jayant Gandhi has built one.

The key thing here is that you should never trust an OpenID on its own. It could be a real person, or it could be a spammer, psychopath or general undesirable.

Does this mean OpenID is completely useless? Absolutely not! You just have to think of it in the same way that you think of username and password combinations: as the “key” to an account.

Most web application signup processes work something like this:

  1. Bob selects a username
  2. Bob enters a password, twice
  3. Bob enters his e-mail address
  4. Bob clicks a validation link in an e-mail sent to that address

Some sites throw a CAPTCHA in there for good measure.

OpenID replaces at most the first two steps of that registration process. Instead of having a user set up a new password you get them to authenticate with their OpenID at the start of the process. After that you might still want them to pick a username (especially if you are integrating OpenID into an existing account system) and you’ll almost certainly want them to jump through the e-mail and/or CAPTCHA steps.

In the future, they can sign in to your site using their OpenID rather than having to dig around for whichever username and password they used.

A nice thing about the above flow is that it demonstrates how easy it should be to add OpenID support to an existing Web application. If you’ve already got a user account system that’s fine—just give your users a mechanism to associate an OpenID with their existing account so they can log in without using their password. You could even require new users to set up a full account (complete with password that they never intend to use) and then associate it with their OpenID, although doing so eliminates the lower barrier to entry advantage for OpenID users.
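The key-versus-account separation described above, as an added example (not code from this post): a minimal relying-party account store in Python. The OpenID protocol verification itself is assumed to happen elsewhere and is represented by the `assertion_verified` flag; the URLs and names are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    username: str
    email: str
    email_verified: bool = False
    password_hash: Optional[str] = None  # None for OpenID-only signups


class RelyingParty:
    """Site-local account store. An OpenID URL is only a key that maps to an account."""

    def __init__(self):
        self.accounts = {}        # username -> Account
        self.openid_to_user = {}  # claimed identifier (URL) -> username

    def register_with_openid(self, claimed_id, username, email):
        """OpenID replaces the username/password steps; the site still picks a
        username and still demands e-mail validation before the account is usable."""
        if claimed_id in self.openid_to_user or username in self.accounts:
            raise ValueError("OpenID or username already taken")
        self.accounts[username] = Account(username, email)
        self.openid_to_user[claimed_id] = username
        return self.accounts[username]

    def confirm_email(self, username):
        """Called when the user clicks the validation link (step 4 of the flow)."""
        self.accounts[username].email_verified = True

    def associate_openid(self, username, claimed_id):
        """Give an existing password account an OpenID as an alternative key."""
        if claimed_id in self.openid_to_user:
            raise ValueError("OpenID already associated with an account")
        self.openid_to_user[claimed_id] = username

    def login_with_openid(self, claimed_id, assertion_verified):
        """assertion_verified is the outcome of the OpenID protocol check, done
        elsewhere (assumed). A successful assertion alone never yields a session."""
        if not assertion_verified:
            return None
        username = self.openid_to_user.get(claimed_id)
        if username is None:
            return None  # unknown OpenID: send to registration, not to a session
        account = self.accounts[username]
        if not account.email_verified:
            return None  # proved URL ownership, but has not finished signing up
        return account
```

A "says yes to everything" provider only affects `assertion_verified`; with no mapped, e-mail-validated account behind the URL, the login still returns nothing.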

The trust issue is now null and void. An OpenID is just as trustworthy as a regular username and password (which could have been posted to bugmenot and shared with thousands of people).

One last time: an OpenID is not an account. Just treat it as an alternative to a traditional username and password and you can’t go wrong.

This is An OpenID is not an account! by Simon Willison, posted on 10th January 2007.


20 comments

  1. ah, we have a similar problem in anti-spam -- people confuse authentication with reputation and accreditation. I must blog about that ;)

    Justin Mason - 10th January 2007 11:39 - #

  2. I have a prototype openID server that just says yes to anything it's asked. Let me know if you want the code (it isn't nice) :)

    David Sheldon - 10th January 2007 12:01 - #

  3. Though it seems that my dyndns isn't working at the moment.

    David - 10th January 2007 12:03 - #

  4. David: that's very easy to write. It doesn't prove anything though, as this post explains.

    OpenID *might* help a little though as it forces potential spammers to put a little more processing power into the game (not that much, but hey, most of them don't pass javascript tests either afaik).

    I think the "negative" parts of OpenID shouldn't be stressed too much, as it's not any worse than current systems. The positive effects (one login to rule them all, impossible for someone else to log in using your standard "nickname", impossible for others to impersonate you, e.g. in blog comments,...)

    Nicolas - 10th January 2007 12:11 - #

  5. In the interests of buzzword-equivalence, does this mean that OpenID is a "single sign-on" system? (I ask mainly because I understand your explanation of OpenID, but I'm not always clear what people mean by single sign-on - but others may be able to make the reverse leap...)

    Paul Moore - 10th January 2007 13:03 - #

  6. Paul -- openid could be half of single sign-on. Single sign-on means that a user only needs to authenticate once per "session", and every system respects that authentication.

    One app using openid doesn't make single sign-on. If every app did, then it'd be so.

    Just reducing the number of pwds I have to manage seems a more reasonable goal. ;-)

    Jeremy Dunck - 10th January 2007 17:28 - #

  7. I like the analogy with email, as it's a lot like it. That a person has *some* email address is a useful bit of information, and is the closest thing to identity we currently have. You can forget your password, and often your username (if it is distinct from your email at all), but you can retrieve them (slowly) via email.

    And everyone already understands that email also doesn't mean any kind of trust -- anyone can get a quick yahoo account or something (or Mailinator on the extreme end). And it's not a user account either... it's just an email address. Open ID is the same; it's a web address instead of an email address, but with the same level of meaning.

    Ian Bicking - 10th January 2007 17:41 - #

  8. Forging email is easy. Forging OpenID isn't.

    Nicolas - 10th January 2007 19:18 - #

  9. Nicolas: Your statements are true but misleading. It is easy to forge the source of an email via the To header, while there's no really equivalent way to do that in OpenID.

    However, if you send an email to the account to verify that a person actually owns that email, it is extremely difficult to forge the correct response (you'd have to sniff the email out or something). Which is the point of OpenID.

    Edward Z. Yang - 10th January 2007 20:51 - #

  10. Email is like Open ID if every time you had an account you immediately forgot the password, and used the password retrieval/reset function linked to your email. Which is inefficient, but not an uncommon way to deal with peripheral user accounts. I often do the "try to sign up, realize my email is taken thus I have an account, do the forgotten username/password" routine with minor accounts. In that situation access to my email -- by whatever authentication means my email account is protected, which has nothing to do with the site in question -- is ultimately my identification. It's not secure with respect to various kinds of sniffing, but otherwise it's a very similar model to Open ID.

    Ian Bicking - 11th January 2007 00:57 - #

  11. I think what makes it confusing is that when signing up for an OpenID you have the option to enter details which sure make it feel like an account. I think that this quote from the MyOpenID Registration Personas clarifies that this isn't the case.

    The information you enter on this page can be shared with other sites that support the Simple Registration protocol, allowing you to bypass the data-entry step of registration.

    This centralised information can be used to populate a site registration form on signup but the site should then maintain and rely on its own copies, using the username and password merely as a key to access the data stored in its own databases.

    Ed Eliot - 11th January 2007 08:09 - #

  12. Sorry about the off topic comment but the relevant topics are all closed.

    Do you by any chance still have your old pingback server code that made an extract of the page around the incoming link?

    I found links to the source but they go back to university servers and are broken.

    Geoff - 11th January 2007 21:08 - #

  13. So OpenID solves Authentication, but Authorization, Reputation and Accreditation is still to be solved somewhere else. Let's create OpenCred et al too then, shall we? :-)

    Asbjørn Ulsberg - 12th January 2007 14:25 - #

  14. OpenCred? Nice idea;-)
    Better OpenID could solve it independently.

    flavien - 13th January 2007 17:12 - #

  15. So basically without all the terms and such
    you're saying OpenID is not an account but a way of getting past the username password stage with one openid one username and one password

    atomic1fire - 14th January 2007 02:20 - #

  16. ...i am /so/ confused, now...i found MyOpenID, today, thru a reference to mr willison's site/blog...visited MyOpenID site, did the items due, there...came back to mr willison's site...signed in with the OpenID bar...now...do i have an account, here, at simonwillison.net...or not?...sighsigh...

    ...peace...

    doc

    docsavatchniya - 15th January 2007 04:48 - #

  17. A cool service for OpenID accounts to have users verify their "humanity" by responding to a captcha:
    http://botbouncer.com/

    Robin - 20th January 2007 23:24 - #

  18. Two announcements caught my eye since about OpenID. First Microsoft announced they are going to support it - well done Kim Cameron and gang. Second, the ClaimID guys have announced a change of direction and they are going to be an OpenID provider too.

    Despite all the apparent support and buzz, OpenID will remain a techie novelty until we see a huge increase in the number of sites that support it.


    robert - 17th May 2007 06:01 - #

  19. It's a simple matter of Authentication vs Authorization.

    Besides, you don't allow someone to enter your home just because he's wearing a uniform either....

    (Well in fact that does happen a lot, but that's a social engineering story... a different discussion)

    Voidy - 18th May 2007 14:14 - #

  20. An OpenID is not "just as trustworthy as a regular username and password", as enabling OpenID authentication creates more attack points to compromise an account (The OpenID provider, maybe the network between the provider and the user, maybe the network between the provider and the web service). It is a trade off that needs to be made, but is one reason you won't be using OpenID to authenticate to your bank. Or other services where the provider thinks that security is important (which is a lot, even though most are deluded about their own importance).

    Not even authenticated - 20th June 2007 04:47 - #

Comments are closed.