The Open ID Dilemma

March 1st, 2007 | Categories: blogs, networks, social media

Very recently, OpenID seems to be the hot topic. As the new web evolves and the Internet becomes more decentralized and democratized, such a system was inevitable. It has simply taken longer than many experts predicted. In any case, it is starting to make a strong case, as Internet giants AOL and Yahoo are implementing the framework.

Once again, this may be a great time to tap the old user-edited encyclopedia for a definition. Wikipedia defines OpenID as “a decentralized system to verify one’s online identity”. A pretty simple definition for a fairly complicated system and concept.

Popular sites that have integrated the system include LiveJournal, Zooomr, Wikitravel, and Jyte.

All is fine and dandy right? Not quite. With every new successful trend or system, there is a downside. Cyber-criminals and malicious Internet users are just salivating at the future possibilities.

If only one log-in and password is needed for all sites, access is not only easy for the user, but also for the criminal, should they manage to obtain those credentials. Immediately, the thief would have access to every site which uses the OpenID format. The potential consequences for the user are astronomical. Credit card numbers, personal information, bank records, and other sensitive documents could quickly and easily be stolen and leveraged in malicious ways.

In the current state of the net, users acquire different user names and passwords for each individual social network, photo/video site, e-mail account, etc… Although this is more complicated and time-intensive, it hedges the user’s bets should a criminal acquire the leaked log-in information and credentials.

I don’t believe I need to go into fine or further details about the potential wrong-doings and mishaps that could arise if the information reaches the wrong hands. The point is simple though: whatever makes the system easier and more functional across different platforms for the user does the same for the criminal. The biggest strength of the system is also its ultimate demise. Protective barriers and safeguards will need to be implemented on some level to prevent an information crisis. How this will be accomplished is beyond me. But I’m no security expert.

The official site can be found at OpenID.net. To learn more about the specifics and details of open IDs, read this Wikipedia article.

Comments

  1. Alex Says:

    I agree with your premise on the surface. You’re right, it’s dangerous to have just one username/password combo.

    In reality the vast majority of internet users only use one username and password anyway, so it’s pretty much a moot point for most people.

    The easy way of dealing with this, is have additional security layers on any sensitive information. This is the current practice anyway. For example, my bank and credit card companies require not only sight keys, but I have to actually authorize each individual computer/ip to access my account by another level of password authentication. So even if a crook got my username and password for my bank, he’d have to answer additional questions to be able to access my account.

    I think the benefits outweigh the potential problems. It’s not hard to deal with the security aspect on things that matter. Using openID you get not only an easier way to get out around the net, but you get a persistent identity. That’s invaluable as social networks evolve. Instead of having to tell your friends/colleagues “oh yeah, I’m Amorse on that site, but I’m AlexMorse over here,” I’m always alex.makesitgood.net.

  2. Evan Prodromou Says:

    I think the advantage of OpenID is that people aware of security issues can set their authentication system at the level they want.

    I use certifi.ca (https://certifi.ca/) for my principal OpenID provider, because it uses client-side SSL certificates for authentication. That means no passwords, and thus no phishing. It’s mathematically impossible for someone to brute-force attack my certificate identity — leaving it up to me to protect my cert on my local machine.

    Contrast this with one-authentication-per-Website. Almost no site uses advanced authentication systems like biometrics or digital certificates because they’re hard to implement and few users employ them. (Chicken-and-egg problem, there — few users employ them because few sites support them.) Disconnecting authentication from Web sites means that we can get high-quality security for our Internet identity, and Web site builders don’t have to implement it.

  3. Robin Says:

    As a user, when accessing sensitive information (like financial data) I like the idea of multi-layer security as Alex mentioned.

    Looking at it from the outsourcing training side, we use public websites as examples in our online classes all the time, and having to use one instead of many usernames/passwords would make soft skills instructors’ admin work easier. When I do consulting work though, I’ve had clients who would not want to have to remember multiple versions of their usernames/passwords even though, in theory, they all want their privacy and personal information intact and really secured. CIOs instilling policies on regular password updates can help in shifting organisational behaviour, but it has to start earlier, like in employee orientation. When a shift in security attitude is made, the concerns for OpenID will hopefully be met with additional security measures.

  4. Aidan Says:

    Hey guys,

    Thanks for the valuable, insightful comments. Obviously, you guys know a lot more about the subject than I. Your thoughts and opinions are much appreciated.

    Cheers,
    Aidan
