OpenID and the Value of Connected Identity
by Fred Stutzman
February 21, 2007
1. The Problem: Too Many Identities
We're all too familiar with this problem. A colleague, friend, or family member tells you about a great new website. You head over to the website and trudge through the signup procedure only to find out that your username's already been taken. Even worse, you've got to think up a new username, create a new password, and hope in vain that you'll remember these credentials the next time you attempt to log in to the website. I think we all find this process unnecessarily burdensome, yet we're forced to do it every single day.
Remarkably, it turns out that every party involved in this frustrating process knows that it is fundamentally flawed. You, the consumer, have a hard time remembering usernames, passwords, and whatever email address you provided to the site. The site developers know that the registration process is inefficient and annoying, and provides a significant barrier to the uptake of their product. It seems that everyone agrees this process is in need of improvement. As it happens, there's a community of engineers, interface specialists, evangelists, and even business types working to solve this problem in a collaborative, open fashion.
Originally designed at Six Apart by Brad Fitzpatrick (creator of LiveJournal) with assistance from David Recordon, OpenID is an elegant, simple, and scalable solution to the Web's multiple identity problem. At its essence, OpenID allows us to securely log in to a website without having to create a new username or password. For many of us, the thought of not having to create new usernames and passwords evokes images of the heavens parting and angels trumpeting. Of course, the OpenID community has work to do before that's our everyday reality, but with each passing day it gets a little closer. Let's take this opportunity to look at OpenID in a little greater detail.
2. Exploring OpenID
OpenID is a decentralized, user-centric URL-based[1] identity protocol. It sounds complex, but it is actually quite intuitive. On the Web, URLs are unique. If you type "http://google.com" into a browser, your browser is only going to go one place--Google (of course this assumes you're on the open web). This is because http://google.com is Google's unique web identity, and that address won't resolve to anything except Google's servers.
Unfortunately, digital identity isn't this straightforward with humans. While we all are unique in many ways, our names unfortunately aren't. This presents a problem to system designers: how do we give all the Jane or John Smiths an identity that properly suits them? URL-based identity requires us to think a little bit outside the box. If we represent our web identity with a URL, this URL is guaranteed to be individual and unique across services.
We're all too familiar with the old identity system problem. If Jane and John Smith are signing up to a hot new website, they are going to fight over who gets their favorite username: jsmith. Whoever registers first is going to get this identity, and the other is going to be forced to use another username, like jsmith1 or josmith.
With OpenID, both users register with their identity URLs, which are guaranteed to be unique, representative of the individual, and tied to the same individual across all web services. What does an identity URL look like? For example, mine is http://claimID.com/fred. No one else can own this URL, and it is unique on the internet. Of course, we may not all want our identity to be represented by a URL. OpenID solves this problem by allowing us to mask our URLs into something more friendly (like a username).
Using a URL as a representation of our identity has another really nice benefit: it allows us to decentralize the brokering of our identity. When we log in to a site like Gmail or Amazon, we are forced to use the identity system provided by that website. This means that the proprietor of the website is responsible for the design, implementation, security, and maintenance of that identity system. It also means that things like our name, personal identity information, and password are stored on the system.
As OpenID is decentralized, it allows us to keep our identity information in the place we choose. When we use OpenID to log in to sites, the only mandatory information transfer is a shared token between the website and our OpenID provider. Put quite simply, there's no requirement that you give that new website your identity information, password, or anything else.
At this point, a metaphor might be useful. Imagine that you were the superintendent of an apartment building. For each tenant, you'd agree to a passcode that you'd yell through the door each time you needed to be let in to do maintenance. Of course, this method would be horribly inefficient and error-prone. What if instead of a passcode there were a personal master key, which would allow you access without having to shout information through the door? Indeed, this would be the more efficient solution. OpenID is essentially your master key to all of the websites you wish to visit. No need to shout information (like a password or email address) through the door; all you need is the key that you control and carry with you.
3. User-Centric Identity
This finally brings us to the idea of user-centric identity. In the past, corporations have worked really hard to create centralized places for identity. Why? First and foremost, this was a business decision. But was it a good business decision? As it happens, we aren't always comfortable with having our identity centralized in one place; plus, this sort of violates the open, distributed ethos of the internet. How odd would it be if everyone on the net just used Hotmail or Gmail for email, and there were no other providers?
OpenID's user-centricity means that individuals can make a choice about where to host their identity. There are many OpenID providers to choose from, including ClaimID, MyOpenID and VeriSign's PIP, and if you don't like any of those, you can just install and run your own OpenID provider. (All you need to do is upload one PHP file!) Not only do you get to choose where to host your identity, user-centricity means that you have control over your information, where it goes, and who has access to it.
4. Using OpenID
Now, it might be useful to step through an example of using an OpenID. First and foremost, you'll need an OpenID provider, often called an identity provider (or IdP). Yes, you'll need to sign up for this OpenID provider, but we in the OpenID community get around this irony by telling you that (hopefully) it is one of the last identities you'll ever need. In this example, we'll use ClaimID, the project I run with fellow PhD student Terrell Russell.
After you've signed up with ClaimID or any other identity provider, your home site in the service is your identity URL (like I said before, mine is http://claimid.com/fred). This identity URL is an OpenID, the master key you'll present to websites for authentication.

OK, so now you have an OpenID. Let's use it to log in to a site. In this example, we'll use Ma.gnolia, the social bookmarking service. The login process is quite simple, actually. All you need to look for is the text box with the OpenID logo, and then type your identity URL into the box and hit Submit.

Once you do hit Submit, something interesting happens. You are transported back to your OpenID provider (in this case ClaimID), and asked for your password. After you type in your password, you are sent back to Ma.gnolia, now logged in. The elegance of the transaction is in its simplicity. You have one password for your OpenID provider, which you can then use to log in to any site that supports OpenID--over 1000 websites[2] and growing, including a number of major sites.

5. How OpenID Works
While the technical specifics of OpenID are beyond the scope of this article, the mechanics of the login process boil down to the transfer of a shared secret. When an OpenID-enabled website attempts to authenticate with an identity provider, those two entities complete a handshake in which they compare a shared secret. An interesting part of the OpenID protocol is that the authentication mechanism for verifying OpenIDs is not set in the specification. This means that OpenID is not tied to a single form of authentication: one OpenID server could use passwords as its method of authentication, while another could use Microsoft's CardSpace. This extensibility is vital, because as our methods and means of authentication improve, OpenID will be able to scale with these developments.
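The handshake described above is where the website and the provider agree on a shared secret (an "association" in OpenID terms); the provider then uses that secret as an HMAC key to sign its answer about the user, and the website verifies the signature, so the secret itself never travels with the login. The Python below is an added example, not code from the article or from any OpenID library: the secret, handle, endpoints, identity URL and nonce are constructed, while the key-value signing format and the mandatory signed fields (op_endpoint, return_to, response_nonce, assoc_handle) follow the OpenID 2.0 specification.

```python
# Added example (not from the article): OpenID 2.0-style signed assertion; all values constructed.
import base64
import hashlib
import hmac

ASSOC_SECRET = b"\x01" * 32        # constructed secret agreed in the handshake
ASSOC_HANDLE = "assoc-example-1"   # hypothetical handle naming that secret
RETURN_TO = "https://rp.example/openid/return"
SIGNED_KEYS = ["op_endpoint", "claimed_id", "identity", "return_to",
               "response_nonce", "assoc_handle", "signed"]

def kv_form(signed_keys, fields):
    """Key-value form of the signed fields: 'key:value\\n' per key, in order."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed_keys).encode()

def op_sign_assertion(secret, claimed_id, nonce):
    """Provider side: build a positive assertion and HMAC-SHA256 it with the secret."""
    fields = {
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/server",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.signed": ",".join(SIGNED_KEYS),
    }
    mac = hmac.new(secret, kv_form(SIGNED_KEYS, fields), hashlib.sha256).digest()
    fields["openid.sig"] = base64.b64encode(mac).decode()
    return fields

def rp_verify_assertion(secret, fields, seen_nonces):
    """Site side: check return_to, signed-key coverage, nonce freshness and the HMAC."""
    if fields.get("openid.mode") != "id_res" or fields.get("openid.return_to") != RETURN_TO:
        return False
    signed_keys = fields.get("openid.signed", "").split(",")
    if not {"op_endpoint", "return_to", "response_nonce", "assoc_handle"} <= set(signed_keys):
        return False
    nonce = fields.get("openid.response_nonce")
    if nonce in seen_nonces:                      # replayed assertion
        return False
    try:
        expected = hmac.new(secret, kv_form(signed_keys, fields), hashlib.sha256).digest()
        given = base64.b64decode(fields.get("openid.sig", ""))
    except (KeyError, ValueError):                # missing signed field or bad base64
        return False
    if not hmac.compare_digest(expected, given):
        return False
    seen_nonces.add(nonce)
    return True
```

A tampered identity, a wrong secret or a replayed nonce all make the site reject the login, which is what the shared secret buys you.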
6. The Value of Connected Identity
From a very practical standpoint, OpenID makes sense for companies and consumers. It provides a simpler login process, it reduces the frustration of lost or misplaced passwords, and it could reduce cost overhead by reducing time spent managing account systems. However, I feel the true value of OpenID shines through in the context of the social web, or Web 2.0.
The social web is inherently identity-centric. In it, we are all peer producers, creating content across a variety of services. Therefore, it only makes sense that we would want to tie our identity together across these services. However, with Web 2.0, we are still forced to create a new account on each site, ensuring the non-transferability of identity and reputation between two sites. Not only is this inconvenient, it just isn't fun. If I'm creating great content on a photo- or video-sharing site, why wouldn't I want to verifiably tie that content to something like my social network profile or blog? With OpenID, it is effortless to be the same person across those domains, making individual presence in each domain more valuable.
Of course, this is simply one example of the cross-domain collaboration we can imagine with OpenID. OpenID 2.0 will support a rich namespace for the transfer of semantic data between services; essentially, your OpenID could serve as a fully dynamic bridge between services. Consider the following example: imagine that you have an identity set up in a social networking service. You're happy with this identity, you've invested a good amount of time creating this identity, and you aren't ready to throw it away. Unfortunately for you, your new coworkers all host their profiles at a different social network service. You want to be their friends, see the events and groups they create, but you're also not ready to leave your old identity behind.
Unfortunately, situations like this happen every day. Users are forced to split their time between services and create multiple identities, all the while devaluing their experience on every site involved in this process. Let's imagine an alternative scenario. Imagine your social network (A) and your colleague's social network (B) were both OpenID-enabled. You'd be able to log in to social network B with your social network A OpenID, befriending your new colleagues and gaining access to their social networks. You'd be able to keep your rich identity at social network A, without devaluing your experience on either site. In this example, you'd be less likely to leave your original social network, and you'd still be an active participant in social network B. In this case, everyone wins.
Unfortunately, this isn't the world we live in; at least not yet. A large number of businesses believe that controlling and owning an individual's identity is a key factor in driving lock-in. This model is flawed in the context of Web 2.0, where our identity is spread widely over a number of different sites. In fact, it is this desire to lock us in that users find so annoying; we should be able to effortlessly move through sites while retaining our identity in a place of our choice. With OpenID, the Web can realize the value of this transportable, user-centric identity.
7. Directions for OpenID
As websites embrace the value of transportable identity, they will find a vibrant community of exceptional individuals working on this cause. From its inception in 2005, OpenID has moved quickly from a protocol specification to a usable, robust, enterprise-grade identity technology. A community marketing foundation has dedicated $50,000 to funding the development of OpenID in major open source software applications. Currently, an OpenID foundation is being set up to guide OpenID's growth while staying true to the central tenet that OpenID is a protocol, one that can't be owned, bought, or sold.
Over the next year, the OpenID community faces a number of significant tasks. First is the finalization of the OpenID 2.0 specification. OpenID 2.0 provides many advancements that will cement its viability as a robust, enterprise-grade identity system. At the same time, the community must rise to deal with security and usability threats. Primary amongst the security threats is phishing, and the OpenID community has already spun up a number of potential solutions to this internet-wide problem. On the usability front, the community must design a user experience that will make sense to the average user. As flawed and outdated as the current identity model is, it is the model the Web understands. Moving to a new type of login experience should be handled with care; all of this work is for naught if average users can't get it.
Finally, there must also be adoption. Over the next year, forward-thinking companies must look beyond the walled-garden model of identity to realize the value of user-centric identity. Thankfully, it looks like many companies are embracing this reality, as new OpenID-enabled sites sign on each day. As more sites embrace OpenID, and more users are enabled with OpenID, classic network effects will emerge. The more we can do with our OpenIDs, the more valuable they become. Accordingly, these OpenIDs will eventually become so valuable that major identity players will see their value. Nowhere was this more apparent than in the announcement that Microsoft will integrate its CardSpace system as an authentication mechanism for OpenID.
In many ways, OpenID has come a long way from its original implementation by Brad Fitzpatrick. OpenID has a growing community, a number of companies working on OpenID-based solutions, and a growing cadre of developers contributing to its ongoing growth. At the same time, OpenID has stayed very close to its goals, remaining a non-commercial, no-nonsense protocol that solves a real-world problem in a useful way. Perhaps that is the secret to OpenID's success; it is a project with a noble mission led by dedicated people. That, and it's going to change the Web for the better, for all of us.
Footnotes
[1] Technically, OpenID is URI-based (URI, or Uniform Resource Identifier, is the parent class of the URL).
[2] 1000 sites, per David Recordon of OpenID.
References
- OpenID.net: The OpenID home site
- IwantmyOpenID.org: "The community marketing home of OpenID"
- ClaimID.com: OpenID provider co-founded by the author
- ClaimID.com/fred: The author's OpenID identity URL
