Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

OpenID: Single Sign On for the Web?

The OpenID framework, developed under the auspices of the OpenID Foundation, lets a user log on to many Web sites with a single identity. It aims to reduce the number of identity credentials, such as usernames and passwords, that users must maintain. The Foundation is also looking to make it easy and inexpensive for Web site owners to accept OpenID credentials.

OpenID is open source and community-driven, though development is being led by VeriSign's David Recordon. VeriSign uses OpenID for its Personal Identity Provider service. Microsoft has pledged to support OpenID in future identity server products, and AOL provides OpenID credentials to all its users. The OpenID Foundation intends the framework to interoperate with other identity frameworks, such as Windows CardSpace.

OpenID has barely penetrated the consumer Web—only a tiny number of sites accept OpenID credentials. However, given the backing of major players such as VeriSign, Microsoft and AOL and an active community of developers, the specification has all the pieces in place to enjoy significant growth.

Web users are schizophrenic, and not by choice: They possess multiple identities to access sometimes dozens of online resources, but juggling those username/password combos is burdensome, time consuming and often a slippery slope to insecure practices. Who hasn't seen monitors adorned with Post-It Notes full of tasty data?

The OpenID Foundation wants to change that. On the user side, its community-developed system aims to let users create a single identity for signing in to an unlimited number of Web sites, relieving them of the need to maintain a variety of IDs and passwords. The OpenID framework also lets users control which identity attributes, such as e-mail, date of birth and so on, can be shared with a given site. OpenID may also appeal to Web site owners looking to cultivate large user communities. To that end, the foundation has designed its specification to be simple and inexpensive to deploy.

So what is an OpenID? It's a URL that a user enters into the log-in field when accessing a Web site. The framework provides the cryptographic underpinnings to prove that a user owns the URL she's logging in with. The OpenID specification, now available in a 2.0 draft version, has attracted an impressive list of supporters, including Microsoft, VeriSign and AOL.

However, OpenID isn't quite ready to change the world. Only a tiny fraction of Web sites—mostly blogs—actually accept OpenID credentials. Also, self-assigned IDs, which OpenID employs, are simply unsuitable for high-value e-commerce transactions. To that end, OpenID developers are working with other authentication frameworks, such as Microsoft's Windows CardSpace and the Liberty Alliance specifications, to create an identity infrastructure that allows users to move among identity systems and ratchet up authentication and assertion measures as necessary.

  • 1