Tuesday, September 25, 2007

Why Don't You Have an OpenID?

OpenID logo The OpenID initiative took a big step forward this week at the Digital ID World Conference in San Francisco when France Telecom's Orange announced that it will adopt the OpenID standard for user authentication.  Orange will provide an OpenID for all of its 40 million subscribers, and they are the first major telecom service provider to implement OpenID.  Above and beyond significantly adding to the 200 million of current OpenID users, every Orange subscriber that uses their OpenID will have their identity validated by Orange as a result of their business relationship.  Merchants, financial institutions, and government entities that require an authenticated identity can rely on OpenID from Orange to authenticate and verify their customers for access to information and transactions.

For those of you unfamiliar with OpenID, probably most of you, OpenID was created to provide a single login mechanism for all of those web sites you login to use.  If you are like me, you have almost a hundred different accounts on various web sites.  You create a user ID and most likely use the same password for all of them.  That is not very secure, but are you going to generate and remember a 12 character password like 8D[xr#pm5UW>a for each web site?  I didn't think so.  OpenID users can create different personas to use when registering with web sites.  Who wants to take the time to fill out those darn registration forms just to occasionally read an article?  Besides I don't like giving out my personal information all over the place.  I have an OpenID persona with minimal information that I am willing to provide sites like the Washington Post. 

Users can obtain an OpenID from several different identity providers so there is not a dependence on a single company to store all of your identity information like Microsoft with Passport.  If you don't like your provider, just terminate your account and move to a different provider.  You can even use the delegate feature to create OpenID URL that does not change if you change identity providers.  For instance I use http://blog.inphotonicsresearch.com/ as my OpenID instead of http://milliman.myOpenID.com/.  That way if I change providers, I don't have to update sites where I may share my OpenID.

Companies like SignOn.com and myOpenID.com are just two of many OpenID providers.  Larger companies like VeriSign, Yahoo!, and Microsoft support OpenID.  Microsoft has incorporated OpenID support into its CardSpace initiative.  CardSpace's goal is to authenticate a user's identity and information to CardSpace enabled web sites and applications.  A site supporting CardSpace will pop up the CardSpace application so the user can select an identity.  The application will send a token and information to the requesting web site or application.  Once OpenID enabled, CardSpace will provide the same function to OpenID enabled web sites.

I would like to see financial institutions and Internet service providers be identity providers.  That way a user's identity can be verified and validated for important applications.  Users can still remain anonymous when they want by creating another OpenID account.  For instance I could use my validated Chase OpenID to purchase books from Amazon or music from iTunes or select a different persona with limited information while reading articles on USA Today.  I can create an entirely new OpenID from myOpenID if I want to be completely anonymous on MySpace.

OpenID has many other interesting features relating to social networking.  For instance I can share one of my OpenID personas with work colleagues so they can see the publications I read or subscribe.  Technorati, Plaxo and Basecamp are the two sites I use most frequently that support OpenID.  I go in and out of Basecamp several times a day and I only have to authenticate with them once in the morning if I haven't already logged into another OpenID site.  Now if only Google, Sprint, Chase, E*Trade, Comcast, Pandora, and other sites I use would utilize it.  Expect to see greater adoption over the rest of the year as more people buy, trade, seek healthcare, and live over the Internet.  Identity will increasingly be in the spotlight as it was this week at the Digital ID World conference.

Technorati tags: , ,


  1. Mark: I am the technical director for the PiP/SeatBelt products here at Verisign. As you pointed out we support OpenID but perhaps in a broader way than you suspect.

    We also host an OpenID provider at: http://pip.verisignlabs.com which in addition to supporting the ability to have multiple personas we also have integrated into our two factor authentication service so if for example a user has Paypal hardware token they can link that to their OpenID account.

    In addition, we also support MSFT's Information Card where you can build an Identity card from your OpenID.

    Finally, you should also checkout SeatBelt which is a FF extension to minimize phishing attacks and provide a nice form filler for your OpenID URL.

  2. I must admit that I did not spend much time reviewing the PiP/SeatBelt products. Gary points out the flexibility of the standard that allows innovation to provide features to enhance OpenID. Simplifying the payment process would be greatly welcomed. SeatBelt seems to be a nice extension to Firefox, but the next version is suppose to support OpenID so I wonder if this will make SeatBelt redundant. I'll check it out.