December 26, 2007

Open ID

I've posted previously about social networking and the church, focusing particularly on the issue of identity because I believe it's among the first technical issues to be addressed to make these efforts successful.  Every social networking site in the world (and many other sites) requires you to create an account to use the site.  As Internet users create more and more online accounts, at some point fatigue sets in.  I believe some users have already hit their limit.  Clearly, this model isn't scalable.  In the previous post I referred to Dave Winer's idea that Twitter might become a de facto identity system.

Now I call your attention to OpenID, an open source identity system which aims to become the standard.  You can watch a brief demo of OpenID here.  (Thanks to Matt for directing me to the demo.)

I made the mistake of going to and creating an ID there.  When I tried to use that ID to log in to Plaxo, it errored out.  I have no idea what is, but don't use it to create an ID.  Next I tried MyOpenID.com.  See my ID here.  It works, but I can't say it's ready for prime time.  The Persona feature seems like a great idea, but at this point isn't simple and intuitive enough for a noob like me.

Of course, one of the selling points of OpenID is that you don't need to go to a provider like MyOpenID at all.  People with a tiny bit of HTML ability can make their own.  Also, I understand everyone on already has an OpenID automatically as part of that service.  Google's Blogger service is also now accepting OpenID authentication. 
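The "make their own" route is OpenID delegation: a page you control carries `<link>` tags in its `<head>` that name the provider, and that page's URL becomes your identity, so whoever can edit the page controls the identity. The following is an added example, not code from this post or from the OpenID project: a small Python audit of such a page, using a constructed sample page and hypothetical `provider.example` addresses.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# rel values used by OpenID 1.1 and 2.0 HTML-based discovery
OPENID_RELS = {"openid.server", "openid.delegate",
               "openid2.provider", "openid2.local_id"}

# Constructed sample: a personal page delegating to a hypothetical provider
SAMPLE_PAGE = """<html><head>
<link rel="openid.server" href="https://provider.example/server">
<link rel="openid.delegate" href="http://alice.provider.example/">
</head><body>Hello</body></html>"""


class _LinkCollector(HTMLParser):
    """Collect OpenID <link> tags, honouring only those inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            attr = dict(attrs)
            href = (attr.get("href") or "").strip()
            # rel may hold several space-separated values
            for rel in (attr.get("rel") or "").lower().split():
                if rel in OPENID_RELS and href:
                    # keeping the first declaration is this example's choice
                    self.links.setdefault(rel, href)

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def audit(html):
    """Return (declared links, findings) for one identity page."""
    parser = _LinkCollector()
    parser.feed(html)
    links, findings = parser.links, []
    if not {"openid.server", "openid2.provider"} & links.keys():
        findings.append("no provider endpoint declared")
    for rel, href in links.items():
        if urlparse(href).scheme != "https":
            findings.append(f"{rel} is not https: {href}")
    return links, findings
```

Calling `audit(SAMPLE_PAGE)` returns the two declared links and one finding for the plain-http delegate address.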

Bottom line: this technology is very early in the maturity/adoption curve, but it has definite possibilities.  Keep an eye on it.


infotech said...

Good article! ClaimID is another OpenID provider, and in addition it allows you to "claim" things that you have written or control online. Also, Security Now has done a couple of episodes on OpenID recently and they pointed me to Verisign Labs' PIP (Personal Identity Provider) which seems to be an excellent, well-done service. And you can use the PayPal security key or their own key as a token if you want to be really secure...which I haven't played with but sounds cool!

And hey, your MyOpenID is time I try to hack your bank account I don't even have to social engineer your birthdate to confirm I'm "you" ;-) (Mind adding your mother's maiden name?)

Arthur Y. Abon said...

I am a bit concerned whenever things like this surface. I mean, I know we live in the end times but every time I see things being centralized worldwide the hairs on the back of my neck stand out.

David Szpunar said...

The interesting thing about OpenID is that while yes, there are centralized OpenID servers, there isn't one centralized OpenID server. You can pick and choose which server(s) you use. In that sense, it's more flexible than using one service (Microsoft tried that and failed with Passport--funny that no one trusted them!!).

However, whichever OpenID server(s) (and you can use as many different ones as you want) you use, you are putting them in a place of single-point-of-failure for the security of your logon information wherever you use that OpenID identity. So pick them carefully. It's also a reason (and Steve Gibson discusses this on a recent Security Now episode) that OpenID will probably be used for things like blogs and community sites but not necessarily for places with higher security requirements like banks and financial institutions. They have too much at stake to let you farm your login info out to any ID provider you choose--because you'll probably blame the bank even if it was your poor choice when something goes wrong!