Don MacAskill over at SmugMug (my favorite photo sharing site) brought my attention to OpenID, a budding solution to an old computer problem: If you use a computer, you have way too many passwords to conveniently remember. You might use one or two passwords, perhaps a simple one for web sites that you do not care much about and a more complex, carefully guarded one for things like your bank account. The thorny problem pricks you when one site has a policy which prevents you from using your favorite password and you have to create a special one for just that site: how do you remember it?
The ideal solution is simple (as ideal solutions are wont to be): You sign in once and everything just magically knows who you are.
Before we continue this discussion, let me introduce just a couple of technical terms:
- Server: This is the thing that you sign in to. Once you prove who you are to the server, it will tell other things that you are “OK.” Everybody trusts the server: you do and so do the web sites that end up asking the server if you are “OK.”
- Client: This is something which you are only allowed to use if you are “OK.” It might be a web site on which you have to have an account or it might be your bank.
- Identification: The first piece of the single sign on puzzle is establishing your identity: proving who you are.
- Authentication: The second piece of the puzzle is determining whether you have the authority to do something. In other words, once you have proven your identity, you might be authorized to perform some task (like withdrawing money from the bank).
Implementing the ideal solution well has proven to be pretty difficult (as implementations are wont to be). There have been several attempts at single sign on, none of which have been widely adopted. Here are just a few which you might have heard of:
- Kerberos: Kerberos was developed by MIT back in the dark ages (the 1980s) to handle this problem at MIT. It works well, has a proven track record, and is available for pretty much any operating system such as Windows or Linux. Unfortunately, it requires that every client talk to one server and the programming on the client side is pretty complex.
- Windows Live ID f/k/a Microsoft Passport: Windows Live ID is probably the best known implementation of single sign on rattling around the internet today. You create an account on Microsoft’s server and that “passport” works on any web site which uses Live ID. Microsoft is its own biggest barrier to broader implementation, though. For some reason, lots of people do not trust Microsoft to be the worldwide trusted source of secure identities and authentication.
- AOL, CompuServe, Prodigy, etc.: The first large internet communities tried to solve this by including everything you would need within their own universe. For instance, once you sign into AOL, you have access to pretty much every AOL “keyword” or site. This does not work very well because, no matter how large AOL gets, it does not contain the whole universe. AOL users do wander out onto the internet-at-large and, once they leave the confines of AOL, their AOL identity is completely unknown.
- Firefox and other web browsers: Some web browsers (Firefox is my favorite) try to simulate a single sign on experience by remembering your username and password for all of the web sites that you visit. You can set a master password which protects all of the others. If you do this, you have to provide your master password once and then Firefox automatically fills in the username and password fields of any web site which you visit (as long as you have been there before and you have told Firefox to memorize its username and password). This mediocre solution works well as long as you do not change your password on any of the web sites and you do not change computers. This is not really a single sign on solution but I mention it here because so many people, including me, use it.
The common theme here is that the technologically best solutions (like Kerberos) are difficult to implement and not available to the general public while the generally available solutions (like Windows Live ID and AOL) are either not widely trusted or too constraining.
Enter OpenID, “an open, decentralized, free framework for user-centric digital identity.” It looks like it solves the problems mentioned above, along with lots of others which I am not addressing here because this article is already getting pretty long.
OpenID is “open,” which means that, unlike Windows Live ID, anyone can implement the server or the client on any platform they choose. If Windows Vista is your cup o’ tea: great. If you prefer Mac OS X: no problem. If you want to roll your own out of a Minix box: that will work, too.
OpenID is “decentralized,” which means that there are lots of servers in the world. You can pick the server which best meets your needs. For instance, you might use a Microsoft OpenID server, Don might use the SmugMug OpenID server, and I (being the geek that I am) might actually choose to build and run my own OpenID server.
OpenID is “user-centric” in that the servers let the user decide how much information to provide to the client. I may create two personae on my OpenID server, one for fun sites and one for serious stuff. The fun persona might contain my nickname and my email address but nothing else. My serious persona might be for banking and business use and contain my real name, my social security number, my postal address, my phone number, etc. The key is that I get to decide which persona the server is to use when “talking to” any particular client.
You might be able to use OpenID right now because some large players are already acting as OpenID “providers,” running servers based on their existing constituent base. AOL, for instance, provides OpenID for all screennames. Just enter openid.aol.com/screenname anywhere an OpenID is requested. Likewise, SmugMug acts as a provider by letting you use your SmugMug homepage URL. Mine, for instance, is wonderart.smugmug.com. If you have an account on either of these services, you automatically have an OpenID.
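To make concrete how a client (relying party) gets from the bare identifier a user types, such as openid.aol.com/screenname or a SmugMug homepage URL, to the server it must ask, here is an added example of the two first steps of the OpenID flow: identifier normalization (OpenID 2.0 section 7.2) and HTML-based discovery of the provider via the `openid2.provider`/`openid.server` link tags. This is illustrative code written for this article, not AOL's or SmugMug's implementation; the provider endpoints and HTML pages below are constructed stand-ins, and the helper only handles URL identifiers (XRIs are rejected).

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample pages standing in for what fetching each identifier
# would return; the provider endpoints are placeholders, not real services.
SAMPLE_PAGES = {
    "http://openid.aol.com/screenname":
        '<html><head><link rel="openid2.provider" '
        'href="https://openid-server.example/aol"></head></html>',
    "http://wonderart.smugmug.com/":
        '<html><head><link rel="openid.server" '
        'href="https://openid-server.example/smugmug">'
        '<link rel="openid.delegate" href="http://wonderart.smugmug.com/">'
        '</head></html>',
}

def normalize(identifier: str) -> str:
    """Turn what the user typed into a canonical http(s) URL:
    default the scheme to http, supply a missing path, drop any fragment.
    Anything that is not an http(s) URL (e.g. an XRI) is rejected."""
    ident = identifier.strip()
    if ident.startswith("xri://") or ident[:1] in "=@+$!(":
        raise ValueError("XRI identifiers are not handled by this example")
    if not re.match(r"^https?://", ident, re.I):
        ident = "http://" + ident
    parts = urlsplit(ident)
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError("only http(s) identifiers are accepted")
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))

# Matches <link rel="..." href="..."> with rel before href (enough for the samples).
LINK_RE = re.compile(r'<link\s+[^>]*rel="([^"]+)"[^>]*href="([^"]+)"', re.I)

def discover(identifier: str, fetch=SAMPLE_PAGES.get):
    """Return (provider_endpoint, local_id) for the identifier, preferring
    OpenID 2.0 link tags and falling back to the 1.1 names. The relying party
    must only trust the endpoint found at the normalized URL it fetched."""
    url = normalize(identifier)
    html = fetch(url)
    if html is None:
        raise LookupError(f"no document at {url}")
    links = {rel.lower(): href for rel, href in LINK_RE.findall(html)}
    for server_rel, local_rel in (("openid2.provider", "openid2.local_id"),
                                  ("openid.server", "openid.delegate")):
        if server_rel in links:
            return links[server_rel], links.get(local_rel, url)
    raise LookupError(f"{url} does not advertise an OpenID server")
```

The returned endpoint is where the client then redirects the browser so the server can vouch that the user is “OK”; with a real `fetch`, the same code would run against live identifier pages.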
There are even free OpenID servers cropping up on the internet, such as MyOpenID. Anyone can get an ID here and anyone with a web site can freely use this as their authentication mechanism.
OpenID is a Very Good Thing and I hope that we see a lot more of it. Imagine how nice it would be to visit a new web site and not need to create an account to use it. You would simply enter your ID and get on with what you want to do. No fuss, no muss.