Posted by: ITKE
Open source applications, Security
Now here’s a cool little technology that you may or may not have heard of: OpenID.
It’s like single sign on, but simpler. That’s the angle presented by the project’s leaders anyway, and it appears to be working. This little two-year-old technology currently has 5,000 web sites around the world supporting it, with 120 million individual users (or “OpenID’s” as they’re called by those in the know). That number is projected to grow to approximately 500 million by the end of the calendar year.
I learned a little more about OpenID at this month’s LinuxWorld Conference and Expo in between takes of our highly acclaimed video blogging efforts in the lobby of the Moscone Center. Our good friend and expert Bernard Golden happened to walk by in the right place at the right time, and close behind him was Scott Kveton, the chairman of the OpenID board.
Long story short, Scott and I set up a call last week to talk about OpenID.
First, let’s let the OpenID web site explain just what OpenID is, shall we?
For geeks, OpenID is an open, decentralized, free framework for user-centric digital identity. OpenID takes advantage of already existing internet technology (URI, HTTP, SSL, Diffie-Hellman) and realizes that people are already creating identities for themselves whether it be at their blog, photo stream, profile page, etc. With OpenID you can easily transform one of these existing URIs into an account which can be used at sites which support OpenID logins.
For individuals, OpenID means the elimination of multiple user names and passwords and a smoother, more secure, online experience. For businesses, this means a lower cost of password or account management, the opportunity for easier and higher numbers of new user registrations and the elimination of missed transactions because of user frustration with lost and forgotten passwords. OpenID allows for innovation in the authentication space beyond just using a password to “unlock” your OpenID identity, but the ability to strongly protect your OpenID and have that benefit move with you everywhere you go online.
Kveton bills OpenID as the antithesis of older technologies like Microsoft’s Passport and the Liberty Alliance Project, and with growth as big as he was projecting last week, I’d be hard pressed not to agree with him. “There’s just too many ways to ID users in too many places,” he said. “[OpenID] is super simple. Passport, Liberty Alliance — these are too heavy and complicated.”
But what about security? Well, Kveton had an answer for that too, and again it came back to Microsoft Passport. OpenID is a decentralized system, meant to allow a user or a developer to spit out an application “in an afternoon,” Kveton said.
With applications like Passport, all of the user information (ID, passwords, personal information) is owned by Microsoft. With OpenID it is not, a trait Kveton maintains was monumentally helpful in getting the millions of users on board since the project’s inception in 2005. Ten times out of ten I’m going to guess a user wants total control over their private info, no?
That said, phishing could still be construed as a concern — as it could be for any ID/single sign on system. “A big concern is that OpenID could become a huge target for phishing; someone who could access your OpenID can get all the sites you visit.” However, even with this superficial concern OpenID has thrived because many users are already comfortable trusting a third party site for password management. Confused? Think of it this way: When you last forgot your Gmail password, how did you get it back? You trusted Google to send you a new one. To me this means the same due diligence required of today’s email passwords will be required in the OpenID era. Basically, don’t be stupid with your sensitive information and you’ll be just fine.
The ultimate goal for OpenID is an ambitious one: to create a unique ID for each individual user that works for the entire Internet. “OpenID by itself is a nice technology … the ability to move data and have a basic, portable social network is what will be the key driver however,” Kveton said. It’d be like a permanent, completely portable ID that would follow you to every site and simply work, no questions asked. Think of all the time you’d save — you’d have time to shop in your underwear for, like, an additional five minutes each day. Now that’s Web 2.0.
On the legal side of things, the OpenID Foundation formed in June 2007 to help manage intellectual property, marketing efforts and other activities related to the success of the OpenID community. The singular goal of the OpenID Foundation, its web site says, is to protect OpenID so that it may be used by any and all that want to.
“The goal [of the foundation] is not to drive technology or the community,” Kveton said. “It is to take care of the technology; to take care of trademarking hoops, IP, and provide a framework so the community can thrive around the technology.”
Half a billion users by 2008? Sounds like some serious thriving to me.