Update: OpenID Gets Update: Is It Safe?
Update: Following the initial post of this blog entry, Janrain representatives contacted me with some factual corrections. I have updated the article with these corrections, and extend my apologies to Janrain for the errors.
The OpenID community released OpenID 2.0 last week, and Monday JanRain, one of the primary commercial sponsors for the protocol, announced their support for new spec, and I had a chance to speak to company founder Larry Drebes about the news.
I know, it doesn't seem like earth-shattering stuff. Online identity management specs get updated, news at 11? But as I was talking with Drebes, a couple of things stuck me: is JanRain too ambitious, and will that ambition get them into trouble down the line?
First, the news: OpenID is a single sign-on identity standard that lets users carry a single ID around to multiple (participating) sites. So, for instance, if LT recognized OpenID in its registration system, you could enter all of your personal info here, once.
Then, say, if you wanted to sign up for another site that used OpenID, you could use the same ID and password on the new site, and all of your info would be entered automatically. No more tedious typing of address, phone numbers, likes, dislikes, etc.
At this point, I am relatively sure the privacy advocates among you are rearing up in your seats, ready to blister the comment area with your thoughts on why this is not such a good idea, to put it mildly. Hold on as sec, I'll get to that.
The thing that makes OpenID different, at least to me, is that it does use an open standard--JanRain may have supplied 90% of the utilities and libraries used by OpenID developers, but they are not the only company that uses the protocol to create different applications for online identity management (there are currently four core OpenID vendors). The libraries that JanRain builds for OpenID are open source, too. According to Drebes, they were initially under the GPL, though lately they've been shifted to Apache, mostly because Apple's Leopard OS X requires it.
During my chat with Drebes, he said something that stuck me as odd: JanRain is still hoping to make OpenID a "mainstream protocol." He then innumerated 8,000 web sites that use OpenID, including "Google Blogger, AOL, VeriSign, France Telecom and Sun Microsystems." 8,000 web sites doesn't sound like a lot, it's true, but when you read which sites they are, that's a lot of users. 160 million, according to Drebes. Hello? That's not mainstream?
Drebes is looking down the road, I guess: he estimated that if all of the currently negotiating deals are put into place, that user number will grow to over 1 billion. I suppose that's what mainstream is.
As he was talking to me about all of this, and how OpenID works, my immediate concern was who gets to see all of this information? OpenID is decentralized--there's no hidden mountain repository of personal info for someone to crack into. But there seems to be the very real danger of less passwords to steal to grab my online identity. Right now, every commerce and social site I visit gets a different password, and often a different user name. If I used OpenID that number of IDs to steal would presumably be lower.
According to Drebes, new authentication features have been added to OpenID 2.0 that will reduce phishing and other password-grabbing techniques. I kind of have to wonder about this... a security feature is only as smart as the person using it.
OpenID 2.0 also has a new "directed identity" feature, that lets you have one identity on a web site, and another persona one another web site. There's new plug-in and extension capabilities, too, to allow providers to add new types of information that OpenID can track (their example: frequent flyer numbers).
On the surface, all of this seems like a pretty good idea. There are lots of nifty applications for this sort of thing, both for Internet user and enterprise IT managers looking to unify their ID-space.
If the protocol stays secure, that is. Being open certainly helps, since any vulnerabilities will get closed that much faster. But I don't think I'll personally be signing up for OpenID any time soon, mostly because I don't sign into that many sites. For those of you who sign up for lots of blogs and other social sites, it might be an option to explore.