Is Your ID Open?
One of the manifestations of "adulthood" seems to be weighing adult pleasures and adult benefits against their consequences. Heroin is meant to be a fantastic high, but most of us steer clear of it due to the risks involved. Most of us know the hazards of alcohol, but choose to indulge because we feel the benefits outweigh the risks. Emerging technologies present the same dichotomies, and we have to make informed decisions about their prudential use.
Big business and government initiatives dictate that Digital Identity technologies are about to impact your life, whether you like it or not. You can choose to use these technologies, accepting the inherent risks and responsibilities, or you can choose to abstain. But these choices should be made from a place of knowledgeable empowerment, not ignorant fear mongering. As with any contentious issue the radical fringes, both for and against, seem to be the most vocal groups. Here I will try to give you a balanced look at one of the first Digital Identity technologies that you are likely to encounter, if you haven’t already.
There are approximately 90 million people with OpenIDs today, although ironically many of them don’t know it yet. The largest single contribution to this tally occurred when AOL recently announced that every AOL user has been issued an OpenID URL. Which means that even your mother might already have one.
The main use for OpenID is known as Single Sign On. With Single Sign On you can log into multiple websites with the same username and password. You no longer have to remember and manage multiple usernames and passwords. For many people, this is a nice convenience, even if it won't fundamentally rock their world.
The secondary use of OpenID is for a kind of centralized "form fill" that makes it much easier and quicker for you to register at new sites. No more re-typing the same information every time you sign up for a new service.
So, is having an OpenID a good thing? My answer is: yes. But here are a few facts you should know about your OpenID….
OpenIDs may be structured to look like any of these examples:
The first two are URLs and the last one is an i-name. But they are all OpenID identifiers. For the sake of brevity, in this article I am going to refer to all three of these OpenID identifiers as OIDs.
The basic user experience of logging into a site changes when you use OpenID. Instead of entering your username and password at the site you are trying to log in to, you only enter your OID. Once you have entered your OID you are taken to your Identity Provider, the service that gave you your OID, to enter your password and therefore "prove" who you are. Once your Identity Provider is satisfied that you are who you say you are, it returns you to the site you were trying to log into – all nicely logged in.
Once you’ve logged into one website with your OID, when you visit another website you can often skip the password entry step, as you have already logged in to your Identity Provider from your computer during the previous few minutes. This is why it's called Single Sign On. I sign in once and then go to a bunch of different sites and services without having to log in again.
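To make the two steps above concrete, here is an added example (written for this article, not code from the original post or from any OpenID library): a toy Identity Provider and two Relying Parties in Python, with the browser's redirects driven by a helper. Every URL, user name and password in it is constructed. The shared secret is simply handed to each site by the provider rather than negotiated with Diffie-Hellman as real OpenID does, and the signature is a simplified HMAC over the response fields; the field names mirror OpenID's. It shows the first login asking for a password, the second site being logged in silently because the provider still remembers the recent login, and a replayed or re-targeted assertion being refused by the site's checks.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Every URL, name and secret below is constructed for this example.
IDP_ENDPOINT = "https://idp.example/openid"   # the Identity Provider's login page (assumed)
SESSION_TTL = 300   # seconds a password login stays reusable at the IdP (assumed value)


def sign(secret, fields):
    """HMAC-SHA256 over the fields in key:value\\n form, a simplified version of
    OpenID's signed key-value encoding. Returns (signed-field list, signature)."""
    names = sorted(fields)
    msg = "".join(f"{n}:{fields[n]}\n" for n in names).encode()
    return ",".join(names), hmac.new(secret, msg, hashlib.sha256).hexdigest()


def query_to_dict(url):
    """Flatten the query string of a redirect URL into a plain dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class IdentityProvider:
    def __init__(self):
        self.users = {}          # oid -> (salt, pbkdf2 hash of the password)
        self.associations = {}   # association handle -> shared secret
        self.sessions = {}       # oid -> time of the last password login

    def register(self, oid, password):
        salt = secrets.token_bytes(16)
        self.users[oid] = (salt, self._hash(password, salt))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def associate(self):
        """Hand a Relying Party a shared secret. Real OpenID negotiates this with
        Diffie-Hellman; here it is simply generated and returned."""
        handle, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self.associations[handle] = secret
        return handle, secret

    def checkid(self, request, password=None):
        """Handle the browser's arrival from a Relying Party. Returns the URL the
        browser is sent back to: a signed assertion, or a cancel response."""
        oid, return_to, handle = request["identity"], request["return_to"], request["assoc_handle"]
        cancel = return_to + "?" + urlencode({"mode": "cancel"})
        if handle not in self.associations:
            return cancel
        now = time.time()
        if now - self.sessions.get(oid, 0) > SESSION_TTL:   # no recent login: ask for the password
            if oid not in self.users or password is None:
                return cancel
            salt, digest = self.users[oid]
            if not hmac.compare_digest(digest, self._hash(password, salt)):
                return cancel
            self.sessions[oid] = now
        fields = {"mode": "id_res", "identity": oid, "return_to": return_to,
                  "assoc_handle": handle, "response_nonce": f"{int(now)}-{secrets.token_hex(4)}"}
        fields["signed"], fields["sig"] = sign(self.associations[handle], fields)
        return return_to + "?" + urlencode(fields)


class RelyingParty:
    def __init__(self, site, idp):
        self.return_to = site + "/openid/return"
        self.handle, self.secret = idp.associate()
        self.seen_nonces = set()    # used to refuse a replayed assertion

    def begin(self, oid):
        """Step 1: redirect the browser to the Identity Provider with our return URL."""
        return IDP_ENDPOINT + "?" + urlencode({"mode": "checkid_setup", "identity": oid,
                                               "return_to": self.return_to, "assoc_handle": self.handle})

    def complete(self, response_url):
        """Step 2: verify the assertion the browser brought back. Returns the OID or None."""
        p = query_to_dict(response_url)
        if p.get("mode") != "id_res" or p.get("return_to") != self.return_to:
            return None                                  # cancelled, or meant for another site
        if p.get("assoc_handle") != self.handle:
            return None                                  # signed with a secret we never shared
        names = p.get("signed", "").split(",")
        if not all(n in p for n in names) or not {"identity", "response_nonce"} <= set(names):
            return None
        _, expected = sign(self.secret, {n: p[n] for n in names})
        if not hmac.compare_digest(expected, p.get("sig", "")):
            return None                                  # tampered or forged
        nonce = p["response_nonce"]
        if nonce in self.seen_nonces or time.time() - int(nonce.split("-")[0]) > SESSION_TTL:
            return None                                  # replayed or stale
        self.seen_nonces.add(nonce)
        return p["identity"]


def run_login(rp, idp, oid, password=None):
    """Drive one browser round trip RP -> IdP -> RP. Returns (verified OID or None, response URL)."""
    response = idp.checkid(query_to_dict(rp.begin(oid)), password)
    return rp.complete(response), response


def demo():
    """Single Sign On at two sites, then a replay of the first assertion."""
    idp = IdentityProvider()
    andy = "http://andy.example/"                        # constructed OpenID URL
    idp.register(andy, "correct horse battery staple")
    site_a = RelyingParty("https://site-a.example", idp)
    site_b = RelyingParty("https://site-b.example", idp)
    first, assertion = run_login(site_a, idp, andy, password="correct horse battery staple")
    second, _ = run_login(site_b, idp, andy)             # no password: the IdP session is still fresh
    replay = site_a.complete(assertion)                  # the same assertion presented a second time
    return first, second, replay


if __name__ == "__main__":
    print(demo())   # ('http://andy.example/', 'http://andy.example/', None)
```

The checks in `complete` are the ones a site has to make before trusting what the browser brings back: the response must be addressed to this site, signed under the secret this site shares with the provider, and carry a nonce it has not seen before. Without them, a response captured on the way back could be presented again, or an assertion obtained for one site could be handed to another.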
OpenID Single Sign On makes life easier for you, but there are dangers. The biggest danger this type of SSO poses is "spoofing attacks" and "phishing attacks." These happen when a "bad guy" sets up a website that looks just like your Identity Provider and fools you into giving the site your password. Now they know your username and password and can go out pretending to be you. This is a known problem, so most Identity Providers build mechanisms into their web pages that make it really hard for the bad guys to know what "your" login page should look like. (There are also other technologies, like Info Cards, that provide a whole new way to manage logins. I'll discuss the strengths and weaknesses of these in a future column, but one of the differences worth pointing out is that Info Cards are a lot more phishing resilient.)
So when you are deciding whether or not to trust your Identity Provider, you will want to look at what they do to make it "easy" to know you are at the right place when logging in. There should be something that they put "front and center" on their web pages – either by using an in-page mechanism or by pointing you at a third party plug-in or utility that helps you "know" you are in the right place.
The second danger to consider when using OpenID is the possibility that there is spyware running on your computer. If you use a PC, this is often hard to know. Most Identity Providers are now evaluating authentication mechanisms that are harder for spyware or hackers to capture and copy. Instead of having you type in a password to prove who you are, you might be asked to select a series of images from the ones shown, where the first letter of each object depicted spells out your password. Because different images are shown to you each time, in different orders, and because computers are notoriously bad at recognizing objects inside a picture, this practice makes it much harder for a "bad guy" to hack your account. Look for an Identity Provider that is implementing this feature.
And remember that having your information sold to marketers isn’t necessarily always a bad thing. Yes, these companies are making money by "abusing" your information. But on the flip side, if you have to look at adverts anyway, they may as well be ones that you might be interested in, and the data an Identity Provider captures from tracking your web surfing can say a great deal about your specific interests.
You can be pretty sure that the small, boutique OpenID providers – like JanRain, ClaimID, LinkSafe, 2idi – are in the business of OpenID specifically to provide services that can be trusted. Their policies will be to only release information about you with your permission. I haven't yet done a comparative analysis of the privacy policies of the big guys (AOL, Verisign) and the small guys, but I will if you ask me to; leave me comments on this blog if you are interested.
On the up side, with the caveats I have mentioned, Single Sign On really does make life easier. I use my OID whenever I can, and look forward to using it more as more sites accept it. Even with the problems that it has, OpenID in my opinion is a great step forward, and makes my online life much easier. I anticipate that OpenID will continue to fix the holes that exist in the system, and I see a lot of people building technologies that are going to make OpenID increasingly useful as time goes on.
If you have an OpenID but still aren't using it, this great post suggests a few ways to get started: "14 Great Ways You Can Use OpenID Right Now". There is also a list of some OpenID-enabled sites here, including LiveJournal, Technorati, and Opinity. Digg has said that it will soon use OpenID, and in a couple of weeks I will announce another set of very cool sites that will be accepting OpenIDs.
If you want to get an OpenID and don’t have one, you can get either an i-name or a URL. Some i-brokers will give you free names like @freeid*andy.dale, but if you want a "global" name like =andy you will have to pay for it. There are also a bunch of places where you can get free OpenID URLs. Check out the comprehensive list here.