OpenID is an open standard for single sign-on. You create your OpenID account and use it to log in to any service that supports the standard. This is not a new idea; the most famous earlier attempt is Microsoft’s Passport. However, it will succeed where the others have failed. It must succeed in order for the web to mature as a true operating platform. The philosophy behind it is that you control your identity and the means to authorize it. The task is most often handled by a trusted third party. However, the open nature of the standard allows the truly security-conscious to roll their own.
OpenID is a great example of how true security can only come from an open system. Historically, security has been handled by secrecy. You may have heard the term “security through obscurity”, a philosophy I wholly disagree with. The idea is that you can protect an item with a secret. For example, you might protect your valuables in a safe with a combination lock. But what if that hypothetical combination lock had a fundamental security flaw? That safe is now only as secure as that secret. An open system does not have this problem. When a flaw is found, the lock is simply swapped out for an improved one. And the new lock is free.
The standard applies this open security principle to your web site login. First you sign up with an OpenID provider, or host your own OpenID server. Once you have your login, you can use it for any web site that supports OpenID. That site relies on your OpenID provider to validate your login. The site doesn’t have to store your password, and you don’t have to worry about it giving your password away. This means that all of your web accounts are now as secure as your OpenID provider. Since you own your OpenID, you can easily change providers. One login also means only one password to keep track of, so you can presumably change it more often.
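The checks a relying site runs on the provider's answer, as an added example that is not part of the original post: it assumes the OpenID Authentication 2.0 message format with an HMAC-SHA256 association already shared with the provider, and it verifies the signature, the return address and the one-time nonce without ever handling a password. All URLs, the key, the handle `h1` and the function names are constructed for illustration; provider discovery and nonce timestamp freshness are left out.

```python
import base64
import hashlib
import hmac

# Fields that OpenID Authentication 2.0 requires the provider to sign.
REQUIRED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle",
            "claimed_id", "identity"}

def sign(fields, signed, mac_key):
    """HMAC-SHA256 over the signed fields, one "key:value" line per field."""
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)
    return base64.b64encode(
        hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()

def verify_assertion(fields, associations, return_to, seen_nonces):
    """Return the verified claimed_id, or None if any check fails."""
    if fields.get("openid.mode") != "id_res":
        return None
    mac_key = associations.get(fields.get("openid.assoc_handle"))
    signed = fields.get("openid.signed", "").split(",")
    if mac_key is None or not REQUIRED.issubset(signed):
        return None
    # Reject a missing field, or a newline that would blur field boundaries.
    if any("\n" in fields.get("openid." + k, "\n") for k in signed):
        return None
    expected = sign(fields, signed, mac_key).encode()
    if not hmac.compare_digest(expected, fields.get("openid.sig", "").encode()):
        return None   # forged or altered in transit
    if fields["openid.return_to"] != return_to:
        return None   # assertion was issued for a different site
    nonce = (fields["openid.op_endpoint"], fields["openid.response_nonce"])
    if nonce in seen_nonces:
        return None   # replay of an earlier login
    seen_nonces.add(nonce)
    return fields["openid.claimed_id"]

def sample_assertion(mac_key):
    """Constructed provider response; every value here is made up."""
    f = {"openid.mode": "id_res",
         "openid.op_endpoint": "https://provider.example/op",
         "openid.claimed_id": "https://alice.example/",
         "openid.identity": "https://alice.example/",
         "openid.return_to": "https://shop.example/openid/return",
         "openid.response_nonce": "2024-01-01T00:00:00Zabc123",
         "openid.assoc_handle": "h1"}
    f["openid.signed"] = ("op_endpoint,claimed_id,identity,return_to,"
                          "response_nonce,assoc_handle")
    f["openid.sig"] = sign(f, f["openid.signed"].split(","), mac_key)
    return f
```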
The next step for OpenID is to expand to your personal profile. Imagine a day when you have the ease of Amazon “one click purchasing” for every site you visit. I think we’re all sick of filling out address forms and confirming email addresses. By controlling our profiles, we can actively determine what information a site can have. For example, the day may come when you can provide your address to an online merchant, but it is viewable only by the shipping company. It’s only a matter of time before features like this become available, another benefit of an open system. I suspect we will see it sooner rather than later.
My only complaint about OpenID is that not nearly enough web sites support it at the moment. If you are like me, you’re swimming in passwords. The benefit to a business is never having to deal with authentication again. That makes for one less liability. Once more businesses catch wind of this, it’s going to be hard to find web sites without OpenID. I don’t think this can happen fast enough. I’m getting tired of managing my password list and can’t wait to throw it away.