Thursday, March 01, 2007

5 Reasons: OpenID Is Not For Me

You may be willing to trust your online identity to an OpenID service provider or ID broker; not me. Here are five good reasons why I want to stick with user names and passwords to identify myself to parties I deal with on the Internet.
  1. I understand user names and passwords. OpenID is an evolving open standard. It will be implemented differently by different ID brokers. It will also be implemented differently by web sites for authentication and security purposes. There is a lot I don't understand about OpenID.
  2. I don't want security to be transparent and unobtrusive (see below). I want to log in as I move about the Internet, so I know when I am more or less anonymous versus when I am a client or customer. I want to fill out a form to register on web sites so that I control what different organizations know about me. If security is transparent and unobtrusive, I won't be able to tell when security is on, and I won't know who knows what about me.
  3. The OpenID authentication process is vulnerable to man-in-the-middle phishing schemes. If one of your OpenIDs is stolen, the potential for harm to you is substantial.
  4. People are probably going to have more than a few OpenIDs, each with several profiles, with different ID brokers (AOL, Yahoo!, VeriSign, et al.). Keeping track of these ids and profiles will be no simpler than managing user names and passwords. Unless and until OpenIDs replace user names and passwords, OpenIDs will be an extra layer of complexity for users to contend with.
  5. Having users with multiple OpenIDs presents real challenges for organizations doing business on the Internet. One individual's data at a given organization may be associated with multiple OpenIDs. This will complicate that organization's data mining and customer service efforts.

Unobtrusive Security: One of the promises of OpenID is that it will make it easier for users to gain access to web sites (originally blogs). No more filling out forms to register to use a site. Just use your OpenID. Web sites may request your OpenID and check with your ID Broker to register and authenticate you. Once you log in with your ID broker, your OpenID is verified and certain authentication and demographic information that you have provided to your ID broker is passed to the requesting web site.

If you have an active session with your ID broker, all you have to do is give your OpenID, and the authentication and demographic information is passed to the web site. No login required. To further simplify the process, a web site may unobtrusively read your OpenID, register you and log you in without your involvement in the process.

12 comments:

Nic said...

Actually, OpenID can solve all these problems. Check out http://prooveme.com which is a strong authentication OpenID provider based on SSL client certificates.

prooveme is NOT vulnerable to phishing; in fact, it can't be broken at all, except by you giving your machine to someone else.

Other strong authentication schemes are also possible, SecurID cards for example might be the strongest possible authentication.

bgold said...

You pretty much have most of the details about OpenID completely wrong. Feel free to shoot me an email for clarification.

John Redmond said...

Who has it wrong, nferrier or me? If it's me, please post here.

Unknown said...

Point by point thoughts:

1. Instead of the site you start on asking you for a login name/password (or was that email/password?) you will have access to consistent login interfaces that implement a level of security you specify based on the providers you pick. (login/pass, security certificate, biometric data, etc.)

2. The openID provider is transparent to you, on the user's end. Signing up to a new site with your openID? The provider will confirm what details will be sent to this new site by asking you permission first. For many sites, like making a blog comment, all the blog site will do is confirm your openID is real and authorized, and then match your post to that openID address. When authorizing on a new site you can tell your provider that it is a "one time permission" or to "allow authorization to the site in the future." The openID provider will tell you what information is being requested, and check that you do wish to send it.

Some openID providers already allow you to have multiple profiles on your one openID, so you could send different profile information to a site requesting that information.

3. A previous comment (re: strong encryption) covered this.

4. It is good people can have any number of openIDs. Want all of your eggs in one basket, from an openID server you are running yourself? Feel free. Want/need one profile for work sites and another for personal? Why not. Want to do it old school and have one login/pass for each site? Make a new openID for each site you go to, if that is what you fancy.

5. From a client standpoint, some would prefer this. Also, is this so different than a user having several email addresses? It would not be hard for several companies/services to add a relational table listing multiple openIDs associated with the user to tie all of their information together. From a user standpoint it would be good to have a few openIDs associated with an account, in the event your openID provider's services were unavailable.

John Redmond said...

Thanks for your comments, Sean. Here's where I differ with you (point by point):
1. Yes, the login interface to your ID Broker will be consistent, but that is not "the site you start on." The site you start at asks for your OpenID and then you are handed off to your ID Broker (if you are not currently authenticated). Then you are passed back to the site you started at. Some of the sites you start on may try to "unobtrusively" log you on while others will always have you visit your ID Broker.
2. If I have a lot of OpenIDs and multiple Profiles associated with certain OpenIDs and I have active sessions with certain ID Brokers, I don't know what info a site could get about me through unobtrusive methods.
3. See my post, Gimme KeePass.
4. Security AND simplicity is the Holy Grail.
5. If organizations are going to have a table to relate you and your various OpenIDs, then you are going to have to have an "account" with them, and you are going to have to have a user name and password to access the account. OpenIDs are just a useless layer then.

bgold said...

Hi John,

My earlier comment referred to your confusion. nferrier was absolutely correct.

1. If you'd like to understand more about OpenID, check out their website, read some of the presentations, and watch some of the videos. OpenID may be implemented differently at each identity provider (i.e. producers), so you can choose which provider you feel most comfortable and secure with. The security at the service providers (i.e. consumers) is irrelevant since they only have your username but never see your password.

2. You'd never automatically be logged into a site that you didn't trust. You'd still have to login at each site, but instead of memorizing different usernames and passwords for each site, you'd just be using the same OpenID each time. And a site would never learn any information about you separately than what you provide, since no identifying information besides your authentication credential is stored by your identity provider. You'd still need to fill out forms at each website to control what information different organizations have about you. Therefore, security is indeed transparent and unobtrusive, but not in the ways that you were thinking.

3. The OpenID authentication process is no more vulnerable to man-in-the-middle techniques than email login, and with SSL, this is very secure. The repercussions for someone stealing your OpenID are no worse than someone stealing your email password, since a phisher can click "Forgot Password?" link at most of your sites and have new passwords mailed to the email address that they now have access to. With identity "delegation", OpenID can actually even recover from this sort of mess. I can give you more details about this via email.

4. The idea is not to have different OpenIDs at AOL, Yahoo, VeriSign, Digg, WordPress, etc., but to choose one or two providers and stick with those (e.g. one for personal, one for business). If you chose Yahoo as your identity broker, you should theoretically be able to login to WordPress with your Yahoo-provided OpenID. So you're keeping track of less login information -- just the one or two OpenIDs, instead of dozens of usernames and passwords. There are no extra layers -- OpenIDs replace usernames and passwords, instead of existing on top of and in addition to them.

5. Again, users should not be associated with myriad OpenIDs. They should choose one or two providers and stick with them. And they would only use one OpenID per organization. If they used a second OpenID with an organization that knew about their first, the second OpenID would act as a separate, distinct second account with that organization, similar to how you may have two separate Blogger accounts that are unrelated but still both belong to you.

Overall, you seem to have confused most of the basic facts of OpenID. I think you'd really embrace the system if you understood all its nuances and consequences.

John Redmond said...

Thank you for your comments, bgold. You did clarify one point for me, but I am still not ready to endorse OpenID.

Like I said in my original post, there is a lot I don't understand about OpenID. Your point #2 is one of those areas I don't understand.

According to Sam Ruby, at http://www.intertwingly.net/blog/2006/12/28/Unobtrusive-OpenID, if I have a session going with my ID Broker (i.e., I am logged in to my site), he can unobtrusively authenticate me on his site. He demonstrates it on his blog!

You are right that my ID Broker will not share any information with Sam unless I have already trusted his site. But, what is to stop Sam from claiming to my ID Broker that his IP address is a branch of the amazon.com root in order to get info about me (if I have trusted amazon.com)?

I do not follow your comments about phishing in your point #3, nor do I agree that the security (reliability?) of service providers (i.e. consumers) is irrelevant (your point #1). See Ben Laurie's OpenID: Phishing Heaven (http://www.links.org/?p=187).

Regarding points #4 and #5, as more and more ID Brokers pop up, people will have more than a few OpenIDs. Say I log in to AOL, and they set an OpenID cookie that is read by Sam's web site when I visit there and he unobtrusively authenticates me. Next time I log in at Yahoo! before visiting Sam's web site. I'm sure the details are not exactly like I describe them here, but my point remains... OpenID is not for me, gimme KeePass (http://keystoneisit.blogspot.com/2007/03/gimme-keepass.html)!

bgold said...

Hi John,

If you can explain what you don't understand about points #2 and #3, I can try to clarify in a later post.

1. First, a summary. OpenID boils down to this: it replaces logins, with no added trickery or complexity. If a site decides to use OpenID, think of it as an extra login box where you're free to use an OpenID instead of a site-specific login. That's all it is. Instead of managing 100 usernames and passwords for all the sites you use, you would only need to manage one or two. It's very similar to Microsoft's Passport initiative, where hundreds of websites (including big names such as eBay) allowed you to login with your Passport account instead of making a new account. The only difference is that instead of being locked down to using Microsoft as your ID Broker, you're free to choose any provider you'd like.

Moving on to your concerns:

2. What is to stop Sam from claiming to your ID Broker that his IP address is a branch of the amazon.com root? The fact that he doesn't have access to amazon.com's DNS records -- it's impossible for him to make the claim that he is part of amazon.com without modifying those DNS records.

Think of the ramifications if this sort of spoofing were possible. If nefarious websites were able to claim that their IP addresses are a branch of amazon.com's root, then OpenID is the last of our problems. Phishing websites would already be able to steal your information under the current system by spoofing as amazon.com, stealing your amazon.com cookie, and reading your credentials from that. Fortunately, this is not possible.

3. Ben Laurie's post on OpenID brings up some interesting points but is also misguided. Users can check to see if they are truly at their OpenID provider (as opposed to the fake one that Ben envisions) by checking their browser's address bar. Additionally, if your OpenID provider were to use CAPTCHAs (as more and more websites are starting to do, including Yahoo, AOL, and the rest of the major players), his scheme would be impossible.

4. Your last remark, regarding point #4 and #5, explains your confusion about OpenID. Logging in to AOL does not set an OpenID cookie that Sam's website will use. Likewise, logging in to Yahoo does not set an OpenID cookie that Sam's website will use. In fact, even if these cookies were set, Sam's website would not be able to read these cookies since those cookies don't belong to Sam -- they belong to AOL and Yahoo. The fundamental tenet of security on the world wide web is that sites are only allowed to read cookies that belong to those sites.

To login at Sam's site, you explicitly choose which OpenID to use. If you wanted to login with your AOL login, you login as "openid.aol.com/john.redmond" with your AOL password, and if you wanted to login with your Yahoo login, you login as something like "openid.yahoo.com/john.redmond" with your Yahoo password (assuming john.redmond was your username at both sites, and that their OpenID servers are located at openid.aol.com and openid.yahoo.com).

5. Just because new sites support OpenID doesn't mean that you gain a new OpenID at each of those sites. The goal of OpenID is for each user to only maintain a few OpenIDs. For example, if AOL and Yahoo both supported OpenID, then you should be able to login at AOL with your Yahoo OpenID without ever registering at AOL for an AOL OpenID.

I'd like to be able to fully explain OpenID to you so that you will support it, but first I encourage you to clear your mind of your current misconceptions of what you think OpenID is about, and read some of the documentation at openid.net. If you ultimately choose not to support OpenID because you don't understand it, more power to you. Either way, I guarantee that OpenID is secure and easy to use, even if it is hard to explain. OpenID is coming and it will make the internet easier and more useful for the masses.

-Brent
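As an added illustration (not part of the comment thread and not code from any OpenID library), the sketch below models the trust_root rule from the OpenID Authentication specification that bears on the amazon.com question above: a provider sends its response only to a return_to URL that falls under the trust_root named in the request. The hostnames shop.example and sam.example, the function names and the auto-approval model are assumptions made for the example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _parts(url):
    """Split a URL into (scheme, host, port, path); raise ValueError if unusable."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    if scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError("not an http(s) URL: %r" % url)
    return scheme, u.hostname.lower(), u.port or DEFAULT_PORTS[scheme], u.path or "/"

def return_to_matches_trust_root(trust_root, return_to):
    """True if return_to lies under trust_root (same scheme and port,
    same or wildcard-matched host, same path or a sub-path)."""
    try:
        r_scheme, r_host, r_port, r_path = _parts(trust_root)
        t_scheme, t_host, t_port, t_path = _parts(return_to)
    except ValueError:
        return False
    if urlsplit(trust_root).fragment or (r_scheme, r_port) != (t_scheme, t_port):
        return False
    if r_host.startswith("*."):
        base = r_host[2:]                      # "*.shop.example" -> "shop.example"
        if t_host != base and not t_host.endswith("." + base):
            return False
    elif r_host != t_host:
        return False
    if t_path == r_path:
        return True
    prefix = r_path if r_path.endswith("/") else r_path + "/"
    return t_path.startswith(prefix)

def assertion_recipient(trusted_roots, trust_root, return_to):
    """Model of a provider's auto-approval: return the host that would receive
    the identity assertion, or None if the request is not auto-approved."""
    if trust_root not in trusted_roots:
        return None                            # user never trusted this root
    if not return_to_matches_trust_root(trust_root, return_to):
        return None                            # claimed root does not cover return_to
    return urlsplit(return_to).hostname        # response goes here, not to the claimant

if __name__ == "__main__":
    trusted = {"https://*.shop.example/"}      # constructed: roots the user has approved
    for rt in ("https://www.shop.example/openid/return",
               "https://sam.example/return",
               "https://shop.example.sam.example/return"):
        print(rt, "->", assertion_recipient(trusted, "https://*.shop.example/", rt))
```

A request that names another site's trust_root is either refused because its return_to falls outside that root, or answered by redirecting the browser to a host under that root, which the requesting site does not control.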

John Redmond said...

Brent - Thanks for your persistence. Based on your comments, I got myself an OpenID, and I am trying it out. So far so good.

No doubt, I'll have more to say about OpenID in the future. Thanks, again.

John

Paul said...

I love the fact that you can now use your own domain name as your OpenID. I show how to do this with WordPress at paulmyatt.com