Research on OpenID and Related Options

Posted on February 13, 2009. Filed under: Professional

According to Wikipedia, OpenID is an identification standard in the form of a URL that allows a user to log into many services using the same digital identity. Authentication (proving you are who you say you are, based upon a username and associated password) is done through the OpenID provider. There are many providers with an OpenID arrangement, including the popular AOL, Google, Yahoo, Microsoft, PayPal and others.

Even Facebook and WordPress (host for this blog) recently got into the act. It appears to be a growing standard that promises to make signing into multiple sites a much easier experience for users. The concept has only been in existence since May 2005.


When I worked at HP, that company used a standard called the “enterprise directory.” In this scheme, a special server is set up solely for the purposes of “authenticating” users. Rather than maintain its own authentication service then, a target application within the HP domain would call out to the authentication server and ask for validation of the requesting user’s identity. This had the added benefit of allowing the user to modify features of their enterprise identity on a self-service basis. Therefore, when I changed my telephone number or job title, I could update the directory. If the target application needed any of that information within, it would pull it from the enterprise directory when authentication was made. It was simple, secure and transparent to the user. I can see the convenience of this when I use a single Google username/password combination to access dozens of different Google services. Any site that recognizes OpenID will also allow me to use my Google username/password as well.

There are some downsides, however, when this is applied on the open internet…

First and foremost, since use of OpenID makes access easier for YOU, if your identity is compromised, access for a hacker is also simplified. Keep your OpenID information very secure!

Also, watch out for phishing, pronounced “fishing.” Simply put, phishing is when a third party represents themselves as a service you are familiar with in order to steal your identity. The way it works might be like this: you are sent a link to a URL that looks something like a site you frequent, only it is not! You are asked to authenticate by supplying your OpenID information, and since everything looks “normal” you comply. Unless you figure out the deception quickly, the phisher has your credentials and can access secure sites using your identity. They can do things that make you look bad, or can even steal from you, make purchases in your name or engage in other malevolent behavior.

To avoid being a phishing victim, make sure you examine the link before providing your credentials. Pay special attention when the link is emailed to you, even if it looks like it comes from a familiar person or company. Check that the address in your browser’s URL bar begins with https:// (note the “s”), and pay attention to the padlock symbol in the footer of your browser. Both show that the connection is encrypted, not that the site is the one you expect, so read the domain name itself as well. Those increasingly popular images (that you choose) next to the sign-in fields are an attempt by some sites to alert you when you are in the wrong place. If the picture is not familiar, double check where you are!

For more information on setting up an OpenID, Sam Ruby created a good tutorial on the technical details of OpenID. It is available at intertwingly and is worth checking out if you are into this stuff. When I set up this blog, WordPress automatically created an OpenID for me! I can now (theoretically at least) use this identity in other websites provided I have the rights to modify the HTML code.

Finally, to set up an OpenID for yourself, independent of any specific provider, it appears to be common practice to use Setup takes about a minute (maybe) and allows you to establish a personal icon to prevent phishing. However, this may be unnecessary for you until you have your own personal web domain.
