OpenID - Login systems have evolved
Written by Teenum Chudha
Wednesday, 10 December 2008
OpenID is a service that tries to solve the problem of Internet users having multiple accounts and profiles scattered through cyberspace. When visiting any OpenID-enabled website, you only have to provide your OpenID details and verify you are the owner of the account to sign in. It is a real solution to the problem of users having to remember countless usernames and passwords for all the websites they register with.
The basic concept is comparable to Microsoft Passport, but the user is not bound to a single provider: you have a decent choice of services. It is even possible to be your own provider, but this requires you to have access to and run your own server software. This may prove to be a useful service for organisations and communities of users.
Often OpenID users visiting a site for the first time will still be asked to fill in some information such as name and e-mail address. This is because OpenID does not work by giving the site information on the user, but simply by authenticating their digital identity.
You may be surprised to find out you already have an OpenID if you are registered with one of these services:
- Yahoo (http://openid.yahoo.com)
- AOL (openid.aol.com/screenname)
- Technorati (technorati.com/people/technorati/username)
- Wordpress (username.wordpress.com)
- Blogger (blogname.blogspot.com)
- Flickr (www.flickr.com/photos/username)
- LiveJournal (username.livejournal.com)
- Orange (http://openid.orange.fr/)
- SmugMug (username.smugmug.com)
- LiveDoor (profile.livedoor.com/username)
The OpenID developers claim this selection is far from complete and aim to expand availability of OpenID services for customers. I discovered from this list that I owned at least two OpenID accounts, one with Technorati that I use to promote my blogs, and Yahoo.
I was pleased to learn that Yahoo provides a sign-in seal to endorse sites that ask you for your Yahoo OpenID password. The seal is a personalised image or text that will be displayed on genuine sites to prove it is not a page attempting to phish your details and gain access to your account. This is reassuring as, with a single account for access to several sites, a phishing scam could be disastrous for a user. The sign-in seal is installed on an individual computer, not as part of your Yahoo ID, so each computer you regularly use will have to be set up with a sign-in seal.
Setting up the seal was very straightforward, with Yahoo providing jargon-free information and FAQs such as "What is phishing?" to guide and inform even the most novice internet user.

Once the seal was prepared, I activated my Yahoo OpenID. The process ended with a Yahoo gallery of OpenID-enabled sites.
My Technorati page, "Teenum on Technorati", was a service I had been using for some time as part of the blogging community. On using it to sign into a site, Technorati asked me to grant permission for the site to verify my identity.
OpenID Security
OpenID removes the need for a separate username and password login at numerous sites by using a cryptographic protocol known as the Diffie-Hellman key exchange. It is the use of these protocols that enables OpenID to authenticate a user without the need for them to sign up to that site.
While OpenID has been developed with security in mind, it still stirs questions regarding credit card transactions, money transfers and personal information. Email authentication carries risks as it too operates as a Single Sign On (SSO) system. Every time a user selects ‘I forgot my password’ on a site or makes a payment, they are asked to authenticate via a confirmation email. Ultimately, anyone who has phished your email details could have access to every site you have registered to with that account and even payment details.
The fact that OpenID depends on the user's URL connecting to the correct Domain Name Server (DNS) is also a cause for concern. The DNS can be exposed to DNS cache poisoning, so any reputable OpenID provider will be configured to only accept Secure Sockets Layer (SSL) connections.
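How the Diffie-Hellman exchange named in this section is used in OpenID 2.0's association step, as an added example that is not from the original article: the site (relying party) and the provider derive a shared secret, the provider uses it to mask a MAC key, and later login assertions are signed with that key. The group parameters, field values and function names are constructed for illustration, and the base64 wire encoding of the protocol messages is left out; this goes beyond what the article itself describes.

```python
import base64, hashlib, hmac, secrets

# Toy group (constructed): 2**127 - 1 is prime but far too small for real use.
# OpenID 2.0 defines its own 1024-bit default modulus, not reproduced here.
P, G = 2**127 - 1, 3

def btwoc(n):
    """Minimal big-endian two's-complement bytes of a non-negative integer."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return priv, pow(G, priv, P)

def provider_associate(rp_public):
    """Provider: choose a MAC key, return it masked with H(shared secret)."""
    if not 1 < rp_public < P - 1:                # reject degenerate public values
        raise ValueError("bad DH public value")
    priv, pub = dh_keypair()
    mac_key = secrets.token_bytes(32)            # same length as SHA-256 output
    mask = hashlib.sha256(btwoc(pow(rp_public, priv, P))).digest()
    return mac_key, {"dh_server_public": pub, "enc_mac_key": xor(mask, mac_key)}

def rp_recover_mac_key(rp_private, resp):
    """Relying party: derive the same secret and unmask the MAC key."""
    mask = hashlib.sha256(btwoc(pow(resp["dh_server_public"], rp_private, P))).digest()
    return xor(mask, resp["enc_mac_key"])

def sign(mac_key, fields):
    """Base64 HMAC-SHA256 over newline-terminated key:value lines."""
    kv = "".join(f"{k}:{v}\n" for k, v in fields.items()).encode()
    return base64.b64encode(hmac.new(mac_key, kv, hashlib.sha256).digest()).decode()

def demo():
    rp_priv, rp_pub = dh_keypair()
    op_key, resp = provider_associate(rp_pub)
    rp_key = rp_recover_mac_key(rp_priv, resp)
    assertion = {"claimed_id": "https://user.example/",      # constructed values
                 "return_to": "https://rp.example/callback"}
    sig = sign(op_key, assertion)                # provider signs the login result
    forged = dict(assertion, claimed_id="https://other.example/")
    ok = hmac.compare_digest(sign(rp_key, assertion), sig)
    bad = hmac.compare_digest(sign(rp_key, forged), sig)
    return rp_key == op_key, ok, bad             # expected: (True, True, False)

if __name__ == "__main__":
    print(demo())
```

The exchange itself is unauthenticated, so it only hides the MAC key from a passive eavesdropper; that is one reason the SSL requirement mentioned above still matters.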
One account for everything?
In general, Internet users register multiple accounts for services such as email and social networking sites. This, coupled with the diversity of services each of the providers offers, means that many users will naturally have multiple OpenID accounts. This would be practical, as users would not only reap the benefits of each of the services but also still be able to log in if one of the providers is down. It also gives users the option of choosing which account to associate themselves with depending on the circumstance, for example a professional profile for work-related activity and a personal one.