General acceptance of OpenID moved a step closer when Facebook announced its support for the emerging standard earlier this month.
OpenID is an increasingly popular way to authenticate to services on the Internet.
People who have an OpenID only need to log in once, after which their OpenID identity will be used to authenticate with other sites that support the standard. This removes the need to log in separately to each site, possibly having to recall a different username and/or password in the process.
Websites that support OpenID display the following icon:
Many big businesses are adopting the OpenID standard including Microsoft, Google, BBC, Yahoo, IBM, PayPal and VeriSign.
Using a single identity that has been issued by a trusted source has the advantage that you don't need to provide a password directly to the site - this is particularly useful if you are unsure about that site's security procedures or commitment.
Using a single identity (or 'single sign-on') is also very convenient, as you no longer need to record a specific username and password for that site, or risk using 'common' credentials (i.e. the same username and password used elsewhere).
Consider the numerous high-profile cases of data theft that have made headlines recently - one prominent instance was the security breach at Monster last month, where millions of usernames and passwords were stolen. One of the main concerns was that the stolen usernames and passwords would give the culprits access to other popular websites (eBay, for example), as users may have reused the same values rather than trying to remember different credentials for different sites.
Websites that offer authentication via OpenID never see a user's password - consequently security breaches that result in stolen data, while still very serious, should have less impact on the users of that website, as there is no password for the attacker to take.
Users with an OpenID can log in to sites that support the protocol by providing only their OpenID identifier to the candidate website.
The website the user is trying to access (the 'relying party') first works out who the user's OpenID 'provider' is (i.e. the organisation that issued the OpenID to that user in the first place) by looking up the identifier. It then typically establishes an 'association' with that provider: a shared secret key that the site will later use to check that responses really came from the provider.
The user's browser is then redirected to the OpenID provider, which prompts the user directly for their OpenID password - the site the user is trying to access never sees this stage. Assuming the password is correct, the provider asks the user to confirm that they 'trust' the site they are trying to access and that their personal details may be passed over to it.
Once the user confirms, the provider sends the browser back to the site with a signed assertion that the user controls that identifier (plus any personal details the user agreed to share). The site checks the signature against the shared secret, checks that the response was addressed to it and has not been seen before, and then logs the user in - all without that site ever having seen the user's password.
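The exchange described above, reduced to plain function calls so it runs offline, as an added example that is not part of the original article and not code from any OpenID library. The provider and site URLs, the user 'alice' and her password are constructed test data; the discovery step is simplified (the site is handed the provider directly) and the association step hands the shared key back instead of agreeing it by Diffie-Hellman, but the signed assertion, the signature check, the return_to and provider checks and the nonce-based replay protection are the real mechanism. The relying party class shows every check a site should make before trusting an assertion; `run_login` drives a correct login, a wrong password, tampered responses and a replay.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit


def sign_fields(fields, signed, mac_key):
    # OpenID 2.0 key-value form: "name:value\n" for each signed field, in order
    msg = "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed).encode()
    return base64.b64encode(hmac.new(mac_key, msg, hashlib.sha256).digest()).decode()


class OpenIDProvider:
    """The OpenID provider: the only party that ever sees the user's password."""
    def __init__(self, endpoint, users):
        self.endpoint = endpoint
        self.users = users           # identifier -> password (constructed test data)
        self.associations = {}       # assoc_handle -> MAC key shared with a relying party

    def associate(self):
        # Real OpenID 2.0 agrees this key by Diffie-Hellman; handing it back keeps the example short.
        handle, key = secrets.token_urlsafe(16), secrets.token_bytes(32)
        self.associations[handle] = key
        return handle, key

    def checkid_setup(self, request, password_typed):
        # The browser was redirected here by the site; the site never sees this step.
        identity = request["openid.identity"]
        if not hmac.compare_digest(self.users.get(identity, "").encode(), password_typed.encode()):
            return {"openid.mode": "cancel"}
        fields = {
            "openid.mode": "id_res",
            "openid.op_endpoint": self.endpoint,
            "openid.claimed_id": identity,
            "openid.identity": identity,
            "openid.return_to": request["openid.return_to"],
            "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4),
            "openid.assoc_handle": request["openid.assoc_handle"],
        }
        signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
        fields["openid.signed"] = ",".join(signed)
        fields["openid.sig"] = sign_fields(fields, signed, self.associations[fields["openid.assoc_handle"]])
        return fields


class RelyingParty:
    """The site the user logs in to: it never sees a password, only signed assertions."""
    REQUIRED_SIGNED = {"op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"}

    def __init__(self, return_to):
        self.return_to = return_to
        self.assoc = {}              # assoc_handle -> (provider endpoint, MAC key)
        self.seen_nonces = set()     # replay protection

    def begin(self, provider, identifier):
        # Discovery is simplified: the caller passes the provider found for the identifier.
        handle, key = provider.associate()
        self.assoc[handle] = (provider.endpoint, key)
        params = {
            "openid.mode": "checkid_setup",
            "openid.claimed_id": identifier,
            "openid.identity": identifier,
            "openid.return_to": self.return_to,
            "openid.assoc_handle": handle,
        }
        return provider.endpoint + "?" + urlencode(params)   # the browser is redirected here

    def complete(self, response):
        """Verify the provider's assertion; return the authenticated identifier or None."""
        assoc = self.assoc.get(response.get("openid.assoc_handle"))
        if response.get("openid.mode") != "id_res" or assoc is None:
            return None                               # cancelled, or unknown association handle
        endpoint, key = assoc
        if response.get("openid.return_to") != self.return_to or response.get("openid.op_endpoint") != endpoint:
            return None                               # not meant for this site, or not from the expected provider
        signed = response["openid.signed"].split(",")
        if not self.REQUIRED_SIGNED <= set(signed):
            return None                               # unsigned fields could be altered in transit
        if not hmac.compare_digest(sign_fields(response, signed, key), response["openid.sig"]):
            return None                               # forged or tampered assertion
        nonce = response["openid.response_nonce"]
        if nonce in self.seen_nonces:
            return None                               # replayed assertion
        self.seen_nonces.add(nonce)
        return response["openid.claimed_id"]


def run_login(password_typed, tamper=None, replay=False):
    """One full login. `tamper` alters the assertion after signing; `replay` resubmits it."""
    provider = OpenIDProvider("https://openid.example.net/server", {"https://alice.example.org/": "correct horse"})
    site = RelyingParty("https://shop.example.com/openid/return")
    redirect_url = site.begin(provider, "https://alice.example.org/")
    request = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}
    assertion = provider.checkid_setup(request, password_typed)   # only the provider sees the password
    assertion.update(tamper or {})
    result = site.complete(assertion)
    return site.complete(assertion) if replay else result
```

`run_login("correct horse")` returns the authenticated identifier; a wrong password, a changed `openid.claimed_id` or `openid.return_to`, a shortened `openid.signed` list, or resubmitting the same assertion all return None. The relying party's checks matter as much as the signature itself: without the return_to and op_endpoint checks an assertion obtained from another site or provider could be replayed against this one, and without the signed-field check an attacker could alter any field the provider left out of the signature.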
Increasing acceptance of OpenID may reduce exposure to (and the popularity of) so-called 'phishing' scams, as users will no longer be typing usernames and passwords into every site they use. One caveat: the redirect to the provider is itself a target, since a malicious site can send the user to a look-alike of the provider's login page, so users still need to check that the page asking for their OpenID password really belongs to their provider.
The use of OpenID also offers a seamless authentication system that could work well with 'cloud computing' concepts, by allowing users to easily authenticate with disparate services provided by many different organisations throughout the 'cloud'.