The software that I’m currently developing will use OpenId to provide a single login for multiple sites. If you haven’t heard of this yet, OpenId is the newest, coolest (at least in the eyes of the “Web 2.0” crowd…) thing for “single-sign-on”. Meaning that you only have to remember one password for all your web sites.
The whole thing works like this: You go to a page where you log in. You provide your OpenId url (which is the same as your user name) You are sent to your OpenId provider. You log in to your OpenId provider. You go back to the original website, and now you’re logged in. The idea is that you only have to log in one time to get access to all your web services.
It got a bit of a hype now, since some of the big players announced “support” for it.
So I checked out this toy, and I found that there are already a lot of providers, and a lot of libraries to add support to your own web application. You can also have a plugin for WordPress, Trac, you name it…
So I got an OpenId account, installed a plugin on my blog And disabled it again.
What does it do?
For a start, I already have almost the same functionality using a password manager software (I use 1password, but there are others and almost every browser has the functionality built in).
OpenId doesn’t convey any trust. It’s like a key, not an Id card. By logging in with OpenId, you prove that you somehow have the “key” to your OpenId URL. Nothing more.
In practice: When you log into a new site with OpenId, you don’t get an account automatically. You still have to register with the site normally (although OpenId can fill out some of the registration form for you). The only thing OpenId does is replace your username and password.
In exchange for having to remember only one password, you get a few problems on board:
- As many people have pointed out, OpenId is a big fat invitation to phishers. (There’s one way around it, more below)
- Your OpenId provider will see every login that you do. You can choose your poison (select a provider that you trust), but the problem remains unless you open you own provider.
- A lot of big players (like Google, Microsoft and the like) start acting as OpenId providers. None of them accepts OpenId logins, because it’s no use to them. And do you really want Google to know about all your logins?
- The login process is difficult to understand for the uninitiated – really, your grandma won’t understand what’s going on, which makes her vulnerable
OpenId is also promoted for blog comments, so at first I considered leaving the option enabled on my blogs. However, it buys me nothing – see above. Just because someone has an OpenId it doesn’t mean the person is not a spammer. In fact, if people start automatically accepting OpenId comments, spammers can just create their own OpenId providers. So I still have to spam-check all the comments – nothing gained.
If you really like to use OpenId, I’d recommend using a provider that doesn’t have an obvious interest in harvesting your data. I tried myopenid.com – they allow you to create a completely anonymous account, without even giving an email address.
They also offer SSL certificates, which are the only way to avoid the danger of phishing – they will install a cryptographic certificate in your browser which automatically logs you in. This cannot be stolen by a fake OpenId site; if you also disable you password completely you should be quite safe. (Of course it would also be possible for web services to use SSL certs directly, without OpenId).
However, I found no way to password protect the certificate within Firefox – so whoever gets hold of my computer has access to my OpenId identity. (Note: I have a feeling that there should be a protection in Firefox, but I have been unable to find it).
Using an SSL certificate, OpenId could be reasonably safe. However, my password manager is still doing very good:
- All login information only exists on my local machine. There is no external service that may be compromised.
- It works with each and every web service there is. It automatically generates a password for each site, so that if one is compromised the others are still safe.
- It provides some protection against keyloggers, because the password is not entered by the keyboard
- The keychanin locks down after a while, so even if my machine is lost, it’s still as secure as my local password
The only drawback is that it only works on my machine, if I’m somewhere else I’m basically lost. However, since I can synchronize the passwords to my mobile device, this is not as bad as it used to be; and OpenId has kind of the same problem if you use it with SSL certificates…
However, what I’d like to see on the web is a form of “id” that conveys some form of trust, like “if someone has the web id from X, he can be trusted not to be a spammer”. Something like this could probably be done using SSL certificates, but there is still no coherent activity in the area.