With OpenID becoming more widespread, the days of remembering loads of different login names and passwords may be coming to an end. Gareth Van Zyl explains all…
You’ve had to remember all your different passwords for all those frivolous websites you visit and, inevitably, you’ve forgotten the one password you need to log into that one site that holds much of your critical data. Sound familiar?
Thankfully, in today’s digital world you need not necessarily experience this frustration because it is possible to get a single ‘master key’ that can make remembering hundreds of logins and passwords a thing of the past. Welcome to the world of OpenID.
What is OpenID?
OpenID allows web users to log in to an OpenID-compliant website using a single sign-in. These OpenID-enabled sites ensure that web users need not remember numerous usernames and passwords. Moreover, with OpenID, web users only need to be registered with an OpenID “identity provider” (IdP) while the technology itself is open source (free).
OpenID transforms a web user’s blog, photo-stream or profile page’s ‘Uniform Resource Identifier’ (URI – basically a web address) into an account that can be used to log in to sites that support OpenID logins. In fact, you might already have an OpenID if you use one or some of the following online services: AOL, Blogger, Flickr, LiveDoor, LiveJournal, Orange (France Telecom), SmugMug, Technorati, Vox, Yahoo and WordPress.com, amongst others.
Your OpenID is in the form of a web address or URI. So, if you blog on WordPress, for instance, your URI would look similar to the following – http://www.windows.wordpress.com.
To get one of these accounts, you’ll obviously need to register with your chosen online service, and your username and password with one of these accounts becomes the only username and password you’ll ever need to remember.
Bear in mind though that OpenID is still in its early stages, but it is becoming more popular. Apart from the online services mentioned above, large organisations such as Microsoft, Sun and Novell accept and provide OpenIDs, and it is estimated that there are over 100 million OpenID-enabled URIs, with thousands of sites supporting OpenID logins.
How does it work?
Firstly, to use your OpenID, log into your provider and click the ‘remember me’ checkbox that should accompany your OpenID provider’s login screen.
After you’ve logged into your OpenID provider, you can then navigate to those sites on the web that are OpenID compliant. Compliant sites will present you with an OpenID icon that should be visible somewhere on the page itself.
When you click on that icon, you will be redirected to a screen where you can enter your OpenID URL. That’s all that you enter – no email, no password and no username are necessary.
You’ll then be re-directed to your OpenID provider’s website to give authorisation to the website you want to access and your OpenID domain will be the only login you’ll ever need (if your OpenID is working properly).
Your next step will be to ‘white list’ the site you want to access. This ‘white list’ involves storing information on a file about all the sites you authorise. You will usually have the options of granting access to a site once or forever. You even have the option to deny the login process for a site altogether.
Finally, you’ll be directed back to the site you came from. Only this time, you’ll be logged in. The whole process usually takes about 30 seconds and it only requires two mouse clicks.
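The redirect flow described above, worked through as an added example (this is not code from the article or from any OpenID provider). It models the "smart mode" variant of the protocol: the relying party (the site you want to log in to) and the identity provider first agree on an association (a shared MAC key), the provider checks the user's whitelist for the requesting site and that the return address really belongs to that site, and then signs a positive assertion that the relying party verifies locally with HMAC-SHA1 over the Key-Value Form of the signed fields, as OpenID 2.0 specifies. All endpoints, the identity URL and the realm are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Constructed sample endpoints (assumptions for this example, not real services).
IDP_ENDPOINT = "https://idp.example.net/openid/server"
USER_IDENTITY = "https://alice.idp.example.net/"
RP_REALM = "https://shop.example.org/"
RP_RETURN_TO = "https://shop.example.org/openid/return"
OPENID_NS = "http://specs.openid.net/auth/2.0"

# Fields the IdP signs in a positive assertion (the spec's required set plus the identity fields).
SIGNED_FIELDS = ["op_endpoint", "return_to", "response_nonce",
                 "assoc_handle", "claimed_id", "identity"]


def kv_form(fields, names):
    """Key-Value Form encoding: one 'key:value\\n' line per signed field, in order."""
    return "".join(f"{name}:{fields[name]}\n" for name in names)


def associate():
    """'Smart mode': RP and IdP agree on an association handle and MAC key up front,
    so the RP can verify assertions locally instead of calling back to the IdP."""
    return "assoc-" + secrets.token_hex(8), secrets.token_bytes(20)


def return_to_matches_realm(return_to, realm):
    """Realm check: the return_to URL must sit under the realm's scheme, host and path."""
    r, t = urlparse(realm), urlparse(return_to)
    return r.scheme == t.scheme and r.netloc == t.netloc and t.path.startswith(r.path)


def idp_sign_assertion(identity, realm, return_to, handle, mac_key, whitelist):
    """IdP side: honour the user's whitelist for this realm, then sign a positive assertion."""
    if not return_to_matches_realm(return_to, realm):
        return {"ns": OPENID_NS, "mode": "error", "error": "return_to is not under realm"}
    if whitelist.get(realm) != "allow":
        return {"ns": OPENID_NS, "mode": "cancel"}  # denied, or realm never whitelisted
    fields = {
        "ns": OPENID_NS,
        "mode": "id_res",
        "op_endpoint": IDP_ENDPOINT,
        "return_to": return_to,
        "response_nonce": "2008-01-01T00:00:00Z" + secrets.token_hex(4),
        "assoc_handle": handle,
        "claimed_id": identity,
        "identity": identity,
        "signed": ",".join(SIGNED_FIELDS),
    }
    mac = hmac.new(mac_key, kv_form(fields, SIGNED_FIELDS).encode(), hashlib.sha1).digest()
    fields["sig"] = base64.b64encode(mac).decode()
    return fields


def rp_verify_assertion(fields, expected_handle, mac_key, expected_return_to):
    """RP side: accept only a positive assertion for our handle and return_to whose HMAC checks out."""
    if fields.get("mode") != "id_res":
        return False
    if fields.get("assoc_handle") != expected_handle or fields.get("return_to") != expected_return_to:
        return False
    signed = fields.get("signed", "").split(",")
    if not {"op_endpoint", "return_to", "response_nonce", "assoc_handle"} <= set(signed):
        return False  # these fields must be covered by the signature
    if "identity" in fields and "identity" not in signed:
        return False
    try:
        mac = hmac.new(mac_key, kv_form(fields, signed).encode(), hashlib.sha1).digest()
    except KeyError:
        return False  # a field listed as signed is missing from the message
    return hmac.compare_digest(base64.b64encode(mac).decode(), fields.get("sig", ""))


def run_login(whitelist, tampered_identity=None):
    """Drive one login round trip; optionally alter the assertion in transit to show the check failing."""
    handle, mac_key = associate()
    assertion = idp_sign_assertion(USER_IDENTITY, RP_REALM, RP_RETURN_TO, handle, mac_key, whitelist)
    if tampered_identity and assertion.get("mode") == "id_res":
        assertion["identity"] = tampered_identity
    return rp_verify_assertion(assertion, handle, mac_key, RP_RETURN_TO)


if __name__ == "__main__":
    print("allowed realm:", run_login({RP_REALM: "allow"}))
    print("denied realm:", run_login({RP_REALM: "deny"}))
```

The whitelist is keyed by realm rather than by full URL, which is why the provider must also confirm that return_to lies under that realm: a user's "always allow" decision for one site should not carry over to a return address on some other host.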
Who owns or controls OpenID?
OpenID is a product of the ‘open source’ community and, as such, OpenID is not owned by any one party. Anyone can be an OpenID user or an OpenID Provider free of charge without having to register or be approved by any organisation.
The door’s open
Open Source in the IT world is a development methodology that makes it possible for any interested party to access a particular product’s source code. Using this code, a developer or a collaboration of developers can work towards adding further functionality to the core software itself via newer revisions or updates.
Brad Fitzpatrick (the founder of OpenID) says, “Nobody should own this. Nobody’s planning on making any money from this. The goal is to release every part of this under the most liberal licenses possible, so there’s no money or licensing or registering required to be paid. It benefits the community as a whole if something like this exists, and we’re all a part of the community.”
The pitfalls of OpenID
How safe is OpenID? OpenID does not use a central database for all the information about all its users. Each distinct provider, however, will have some kind of database containing information about its users. It is important then to choose a reputable OpenID provider to host your identity.
Whether you choose a reputable OpenID provider or not, you could still open yourself up to phishing attacks because of OpenID’s reliance on a second site for sign-in.
Many OpenID providers are addressing these phishing attack concerns, but the solutions are still being tested and each OpenID provider could end up producing their own solution. Many experts suggest that until this situation is resolved, OpenID is not suitable for high-privacy sites such as online banking or even online health services.
Other disadvantages concerning OpenID include OpenID’s current limited reach, the OpenID sign-in process and anonymity. OpenID currently has a limited reach insofar as it is only available for use with a few popular online services. As mentioned in this article already, there are thousands of sites using OpenID, but only some of these sites, such as Blogger, are visited by most web users.
Also, the OpenID sign-in process can be very confusing to some users, as the OpenID sign-in requires going to your OpenID service provider’s site first before being able to log into the site you are visiting – not the normal single sign-in process that web users are traditionally used to.
Furthermore, you can lose your online anonymity by using OpenID. With most websites with which you have a login, it is (usually) only that particular website that knows the information you provide them with. With OpenID you are combining many services together and therefore foregoing some level of anonymity.
There are ways however to circumvent these disadvantages by setting up your own OpenID provider: you can do this by installing phpMyID on your server space. This software acts as an “identity provider” so you can log in to OpenID enabled sites. Detailed instructions on how to use this software are available by visiting http://siege.org/projects/phpMyID/.
phpMyID is a single-user IdP (though it can easily be turned into a multi-user setup) consisting of a single PHP script with minimal dependencies – there is no need for a database, no need to make your file system writable, no need to download any libraries and no need to recompile PHP.
This software is easy to install and configure; in fact, it just requires that you edit a few lines in a configuration file that you would install onto your server.
The phpMyID software comes with “Smart Mode OpenID”, which allows for more secure transactions. phpMyID even comes with a pure-PHP math library which can be used if you want that extra level of security.
phpMyID ensures your password is never sent or stored anywhere in clear or decipherable text by using HTTP Digest Authentication. This secures the password transmission even if you don’t have Secure Sockets Layer (SSL) available.
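How Digest Authentication achieves that, as an added example (not phpMyID's own code and not from the article): the server keeps only HA1 = MD5(username:realm:password), the browser answers each server nonce with MD5(HA1:nonce:nc:cnonce:qop:HA2), and the server checks the answer against its stored hash, so the password itself never crosses the wire and is never written to disk. The realm name, username and password below are constructed values chosen for the example; the server class also tracks the nonce-count so a captured response cannot simply be resubmitted.

```python
import hashlib
import hmac
import secrets

REALM = "phpMyID"  # assumption: the realm string used for this example


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def ha1(username, realm, password):
    """The credential the server keeps: MD5(username:realm:password), never the password itself."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_value, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client proof for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_value}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Minimal server side: issues nonces, checks responses against the stored HA1, rejects replays."""

    def __init__(self, username, stored_ha1):
        self.username = username
        self.stored_ha1 = stored_ha1
        self.nonces = {}  # nonce -> highest nonce-count accepted so far

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response):
        if username != self.username or nonce not in self.nonces:
            return False  # unknown user, or a nonce this server never issued
        count = int(nc, 16)
        if count <= self.nonces[nonce]:
            return False  # nonce-count did not increase: a replayed request
        expected = digest_response(self.stored_ha1, method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return False
        self.nonces[nonce] = count
        return True


def login_attempt(server, username, typed_password, nonce, nc="00000001"):
    """Client side: derive the proof from the typed password; only the hash is transmitted."""
    cnonce = secrets.token_hex(8)
    proof = digest_response(ha1(username, REALM, typed_password), "GET", "/openid/", nonce, nc, cnonce)
    return server.verify(username, "GET", "/openid/", nonce, nc, cnonce, proof)


def demo(typed_password, replay=False):
    """Set up a single-user server (as phpMyID is) and run one or two attempts against it."""
    server = DigestServer("alice", ha1("alice", REALM, "correct horse"))  # constructed credentials
    nonce = server.challenge()
    first = login_attempt(server, "alice", typed_password, nonce)
    if not replay:
        return first
    return login_attempt(server, "alice", typed_password, nonce)  # same nonce and nonce-count again


if __name__ == "__main__":
    print("right password:", demo("correct horse"))
    print("wrong password:", demo("wrong"))
    print("replayed response:", demo("correct horse", replay=True))
```

One caveat a practitioner would want: the stored HA1 is not the password, but it is enough to answer challenges for that realm, so the configuration file holding it deserves the same file permissions you would give a password file.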
In conclusion, regardless of the above-mentioned pitfalls of OpenID, OpenID’s single sign-in feature and open source availability make it a good solution to the problem of trying to remember numerous usernames and passwords for those numerous sites that are not in the category of ‘high privacy’. But until the security issues around OpenID are resolved, this “Master Key” concept will always be susceptible to lock-picking.