Written by Emre Sokullu and edited by Richard MacManus

You may've heard of OpenID - it's a distributed identity management system, a.k.a. a decentralized single sign-on platform. We prepared a screencast to better explain the idea (see Flash movie below). After that we present a more detailed explanation, focusing particularly on Yahoo and Google.
In the screencast we use a real world example to show you what OpenID is. Firstly we create an OpenID account at one of the best known free OpenID servers, myopenid.com, then we use our new account to sign in to the following supported sites: Grou.ps, Zooomr and WikiTravel. Note that we could use any OpenID provider, like ClaimID or vIdentity, but for the sake of simplicity we've chosen only one. Here's the screencast:
As indicated in the screencast, OpenID saves you from the hassles of creating and managing new identities for various web apps. But it works both ways - service providers also save time and money by outsourcing their user identity management to this reliable and neutral network.
The big idea in OpenID is providing a decentralized single sign-on platform. Single sign-on is not a new notion however. Almost all the internet giants, like Yahoo, Google and MSN, use single sign-on across their properties to lower the threshold of accessing their services and to create a competitive advantage. The reason they do this is that signing up is actually a big barrier to entry for users of web apps. Users feel more comfortable when they don't have to sign up to use an app - it's much easier to give it a try and it's less time-consuming to start using it. That's why most web sites today try to keep the sign-up process as short as possible. Here's a graph which illustrates this:

From this point of view, OpenID can be seen to resemble Yahoo - the biggest single sign-on strategy player in the history of the Internet. In the late nineties, Yahoo's strategy was to create a big portal and make their properties seamlessly accessible via single sign-on. This could also be called Yahoo's sub-internet - and it worked too for a while. But then Google came along and swept up everything with a whole new search-centric approach. In Google's new paradigm, search was the key - but single sign-on was still used. With Froogle or Google Book Search for example, they could compete with Amazon in the book sales arena.
Although Google's approach seems more successful now, and the other bigcos have adopted the search-centric model, single sign-on is still a very important paradigm. Therefore OpenID can provide the advantages that Google, Yahoo and MSN have, to all other independent sites - in a decentralized, open fashion.
| Year | Event |
| --- | --- |
| 1994 | Yahoo Initiates Single Sign-On Paradigm; Company Foundation |
| 1998 | MSN Starts its own Single Sign-On Paradigm; Announcement of MSN Passport |
| 1998 | Google Initiates Search-Centric Paradigm; Company Foundation |
| 2002 | Yahoo Follows up with Search-Centric Paradigm; Acquisition of Inktomi |
| 2004 | Google Starts its own Single Sign-On Paradigm; Gmail and Google Accounts |
| 2004-2005 | MSN Follows up with Search-Centric Paradigm; Live.com |
| 2005 | OpenID Initiates single sign-on for independent sites; Project Foundation |
OpenID was the brainchild of Brad Fitzpatrick, who is also known for memcached and LiveJournal - the popular blogging platform which was acquired by Six Apart in 2005. Today, OpenID is backed by Six Apart and several others including VeriSign. Commercial support is the biggest reason for OpenID's existence and growth. Similar to the RSS effect, OpenID creates many business opportunities around it. ClaimID is one of the best known commercial OpenID providers, whose business model can be compared to FeedBurner.
OpenID is being managed under meritocracy rules, just like any other big open source project. Specs are under continuous development. The current spec 1.1 will be deprecated in favor of the upcoming 2.0, which will feature YADIS service discovery, security enhancements, anonymous logging capability and XRI (i-names and i-numbers).
The number of sites that implement OpenID is low for the time being. Zooomr is known to rely solely on the OpenID identity management system. However, many others like Grou.ps (my company) and WikiTravel are more conservative and choose to offer OpenID as an option, besides the traditional sign-on model.
Brad Fitzpatrick's LiveJournal is one of the largest OpenID supporting sites, however it is used only to add comments and not create a fully functional account. Recently Technorati was invited to initiate OpenID support, however their support is limited to a few functionalities only - similar to LiveJournal.
OpenID advocates have tried to attract Yahoo and Google for support, but this does not sound feasible because of the business models established on their proprietary single sign-on mechanisms. Wikipedia, however, is expected to support OpenID soon - thanks to a patch created for WikiMedia, the open source wiki software powering the encyclopedia giant.
As for general OpenID usage, it's impossible to have accurate information on that - as the system is decentralized. However, the number is certainly not at a satisfactory level yet, but is expected to gain momentum as of version 2.0 which has greater stability and will get better media coverage.
Even though the system is completely decentralized, OpenID still raises privacy concerns. Some people don't want to have a central place that binds all their accounts. Another criticism questions whether the system really is fully decentralized: as always, this space is vulnerable to one provider eventually dominating it, and any such imbalance would put the neutrality of the system under question.
Comments
Check out the latest Identity 2.0 service from Numly called Vouchor.com. This service consists of a network of people that have had their real-world identities vouched by others in person. In addition to establishing someone's real identity online, Vouchor has just unveiled a karma reputation engine as well as a single sign-on (SSO) solution. Each vouched person is assigned a Vouchor ID which is truly a 19 digit Numly Number. The SSO API can be called and the Vouchor ID passed along with the user entered password and a boolean true or false is returned to the calling application along with basic meta data about the vouchor.
This establishes:
1) Universal SSO
2) Real-world identity
3) Open reputation
Let me know what you think!
Thanks for the links, Chris.
We are planning on bigger things for 2007. OpenID is a big part of the awakening of identity management by and for individuals.
Terrell
http://claimID.com
And by Chris, I mean, Emre.
How would OpenID work with the recent announcement regarding Microformats in Firefox? As I understand it, id information could just as easily be stored in Firefox's Microformat database. Is there a tangible difference if someone authenticates using OpenID versus stored Microformat data via your browser?
Perhaps if I need to hop from machine to machine, but then the question is which approach addresses the mainstream. Without seeing numbers, my guess would be the browser based Microformat database.
The privacy/security issue you note isn't with OpenID itself - it's with the OpenID host. You can always host your own identity.
"Wikipedia, however, is expected to support OpenID soon - thanks to a patch created for WikiMedia, the open source wiki software powering the encyclopedia giant."
The patch is created for MediaWiki, the actual software.
WikiMedia (the foundation/developers) is planning on rolling out the patch to their MediaWiki software as well as to all their Wiki sites (Wiktionary, WikiPedia, etc.).
Please make note that it matters which one you reference :-).
Also, shame on you. You and every one who touts OpenID, but doesn't allow curious visitors to actually try it on your own site. ;-)
There is a consumer for MT already, officially by SixApart no less.
By the way, Chris;
Vouchor is a stupid concept that is doing nothing but re-inventing the wheel. We already have vouching for identity/security services. It's called SSL and GPG.
Not to mention that both are insanely more supported than some new upstart that introduces nothing new when trying to penetrate the market.
Also, identifying (and undescriptive) numbers should be dead, seeing as ICQ is more or less already.
I apologize if that sounded harsh, but I see the concept as fundamentally stupid given the popular and active technologies we already have.
And one more (mature) identity authentication service that was notably absent from the article and subsequent discussion -- inames.net (http://inames.net/) which is based upon the XRI Open Standards (http://www.xdi.org/).
This article could have used more thorough research.
Jason, I didn't get some of your points. But first let me correct this, yes this was a typo, not WikiMedia but MediaWiki or whatever, we know that it's the software that powers Wikipedia. But Wikipedia is subject to use OpenID as well, there are some discussions going on - http://iwantmyopenid.org/node/12
MT? You mean MovableType or what?
I think the risks of one party dominating the OpenID space are negligible since it's very easy to host your own OpenID server. Furthermore you could use your own domain as your OpenID login and have it delegate authentication to any OpenID provider you want. When you're unhappy with it just switch providers while your id remains the same.
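The delegation the comment above describes, worked through as an added example (not code from the post or from any commenter): a relying party reads the `openid.server` / `openid.delegate` link tags from the user's own URL, and after the provider answers it accepts only an identity that matches what discovery found. The HTML pages and all hostnames below are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML for a hypothetical personal URL, https://example.org/~alice
# (placeholder). The <link> tags are the OpenID 1.1 delegation mechanism the
# comment describes: the identifier stays the same, the provider can change.
PAGE_PROVIDER_A = """<html><head><title>Alice</title>
<link rel="openid.server" href="https://provider-a.example.net/server">
<link rel="openid.delegate" href="https://alice.provider-a.example.net/">
</head><body>Alice</body></html>"""

# Same identifier after switching to a different (placeholder) provider.
PAGE_PROVIDER_B = PAGE_PROVIDER_A.replace("provider-a", "provider-b")


class _LinkRelParser(HTMLParser):
    """Collect the href of each <link rel=...> in the page; first one wins."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        if a.get("rel") and a.get("href"):
            self.links.setdefault(a["rel"].lower(), a["href"])


def discover(html):
    """Return (server, delegate) for a claimed URL's page, or None if the page
    carries no openid.server link. Only http(s) endpoints are accepted."""
    p = _LinkRelParser()
    p.feed(html)
    server = p.links.get("openid.server")
    if not server:
        return None
    delegate = p.links.get("openid.delegate")
    for url in (server, delegate):
        if url and urlsplit(url).scheme not in ("http", "https"):
            raise ValueError("unsupported scheme in OpenID link: " + url)
    return server, delegate


def assertion_is_for_claimed_id(claimed_url, html, asserted_identity):
    """Relying-party check after the provider redirects back: the identity the
    provider asserts must be the delegate found at the claimed URL (or the
    claimed URL itself when there is no delegate). Otherwise the relying party
    would accept an identity the user never delegated to that provider."""
    found = discover(html)
    if found is None:
        return False
    _server, delegate = found
    return asserted_identity == (delegate or claimed_url)
```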
Yes, I meant MovableType.
There are OpenID consumers for commenters, yet you aren't using one.
I'm always amused when someone speaks about a technology, yet doesn't offer visitors to use it.
Yes, there are other big name sites (LJ, Zooomr, schtuff, etc.) they can use it with, but it's that whole adoption thing, showing off that you support it by actually supporting it in your projects, or ones you assist with (i.e. this blog).
I suppose if you (speaking generally, not YOU yourself, Emre) were just an editor or some kind of content producer, and not a technical director or CIO or similar, then you'd have no say in it.
But hey, it's 1:45AM and I'm rambling and feel like I'll be misunderstood left and right.
Hopefully some sense and clarification came from this.
All I'm getting at is:
I don't want to enter my name.
I don't want to enter my e-mail address (required! but not shown to the world!).
I don't want to enter my URL.
I want to enter my OpenID, have some magical profile exchange whizbang done for me transparently (barring clicking a "send my information to readwriteweb.com" approval, of course), and be done with it.
@Tijs, but who would care about that? For me, there's no problem, personally, I'd trust those who dominate as I trust Google, but there would be question marks I think as in the case of Google.
What about Windows Cardspace and all the identity work from Kim Cameron? I have no idea how that got missed out from this writeup when talking about Microsoft and identity
@Sriram: This is rather about single sign on systems - from this perspective, I call OpenID as OpenYahoo
Jason, thanks for the suggestion! I will look into this for R/WW, which does indeed use MT.
Also available, but not mentioned here, is Yahoo!s relatively new BBAuth (http://developer.yahoo.com/auth/) service which allows people to use their Yahoo! ID with 3rd party sites - similar in use to Open ID.
Maybe I'm missing something about the way this is implemented, but doesn't this seem especially prone to phishing attacks?
For example, in the case of Google - I have my "GoogleID" which I use on any www.google.com page. If I find myself on a page www.phishingpage.com and it's asking for my GoogleID, I know something is wrong and I won't enter it. (Ditto for Yahoo, MSN, etc.)
With "One ID to rule them all", any one-man web 2.0 company can start legitimately asking for your OpenID account information; the same account information I'd be using to log on to Gmail, for example.
What am I missing here, what protection does OpenID offer against this?
Eric,
It is the OpenID server's responsibility to smooth the waters for its users and get them used to looking at something personalized (to fight phishing).
The PIP server at VeriSign already does this (and is opensource code underneath) - http://pip.verisignlabs.com/ - code at - http://svn.apache.org/repos/asf/incubator/heraldry/idp/pip/trunk/ - housed under the Heraldry project at the Apache foundation.
Upon creation of an account on a PIP server, you are asked to upload a unique personal image that is displayed whenever you return to that server. It is hard to phish that site since any illegitimate server that looks the same as your home OpenID server would not have that unique uploaded image (only resident in your *real* account).
So yes, this is an issue, but can be effectively dealt with on the server side with some education and expectation setting by the server itself.
Terrell
Thanks for the analysis :-)
btw there's a typo in ClaimID url.
"Here's a graph that illustrates this"
ROFLAMO
I'm going to start designing arbitrary charts of my own too! Not that I disagree with your premise or the content of the article at all, I just laugh when I see things written as if there is hard data behind information without any references what-so-ever. I'd be really interested to know which group commissioned and performed the study that generated that graph.
If I understand correctly, the way it works is that www.phishingpage.com asks for your OpenID URL. Then they redirect you to www.google.com, where you enter your account information, and then google.com redirects you back to www.phishingpage.com.
Eric, it's not prone to phishing attacks. We're completing BBAuth yahoo and openid integration for a couple of properties now. In the case of BBAuth, you bounce out to a Yahoo! page, authenticate, then your site is passed a user hash and from that the user can start building their profile on your site. It's just authenticating that they have a valid account with Yahoo!, we don't actually get access to their Yahoo! services, and the user doesn't have to create a new account.
So in your phishing example the site could then allow you to login to their site, but they never get access to your credentials required to read your yahoo mail or gmail account. The annoying part about Yahoo! is it expires in 2 weeks so you have that same round trip as far as we can tell to authenticate.
Back when Microsoft acquired Firefly out of MIT, they set forth on the path of delivering universal authentication. Unfortunately, it got buried under Microsoftness to keep it in their camp, to the point they even had sites needing to certify that they had enough Microsoft servers behind the scenes to use Passport.
The Yahoo! user base is so large that it's highly appealing, and not impossible to add authentication across all three (openid, bbauth/yahoo, google) to make it as easy as possible for people to try your webservice.
I can think of a disincentive for providers to use an open sign on technology - what about the fact that businesses consider their membership information to be valuable to them?
For example, MSN is now offering advertisers the ability for advertisers to target towards specific demographics. Those demographics are proprietary to MSN.
In addition, I can think of other uses of membership information...advertising rate cards, list rentals and even behavioral targeting.
Sriram wrote "What about Windows Cardspace and all the identity work from Kim Cameron? I have no idea how that got missed out from this writeup when talking about Microsoft and identity".
The great thing about CardSpace is that it is based on the WS-* standards so it can be implemented cross platform. Different from Passport, there is no centralised identity third party that you need to trust to use the service. CardSpace works with the new High Assurance SSL certificates http://www.verisign.com/ssl/ssl-information-center/faq/high-assurance-ssl.html.
I have had a bit of experience working with CardSpace, in fact I did a podcast on it here http://msdev.thepodcastnetwork.com/audio/tpn_msdev_20061110_009.mp3. If you are interested in the community site for CardSpace it is at http://cardspace.netfx3.com and Kim's work can be found at http://identityblog.com. The Windows Live ID and Passport team is developing a security token service (STS) that supports CardSpace for single sign on.
With the advent of Windows Vista and .NET 3.0, CardSpace makes secure certificates accessible to all consumers in an intuitive and secure way. Support for CardSpace in other OSes and on mobile devices is on its way.
@Ed you're right, Google also has some sort of open Google accounts. I totally forgot them; they could really have made it into this article.
I get the OpenID idea. It is good, if not great. But!
Let's say you have an online application. You provide OpenID logging. How can you trust a 3rd party that sees how frequently your users logged in, how many users your application has? I went through the privacy policy of MyOpenID, ClaimID or vIdentity - they don't cover any of these concerns.
I will eventually trust any of these if they have put on their *first* page with *big* letters:
WE WILL NEVER EVER NEVER EVER GATHER ANY INFORMATION, REGARDLESS HOW MANY, OR HOW FREQUENT YOUR APPLICATION USERS USED THEIR OPENID ACCOUNTS.
Great post as usual Richard -- I think the more support out of the box popular packages for OpenID, the more likely it'll become established. I'm certainly sick of registering again and again, even if it provides some resilience and is fairly quick. I see that there's a Wordpress plug-in for OpenID: I think this sort of thing should be included out of the box definitely:
http://blog.scatmania.org/archives/2005/08/06/openid-for-wordpress/
Even if some provider does run the risk of being in control, you still have the little guys that can use the same service, unlike some little known net identity service against MSN. They all use the same id through OpenID, so even if one's widely used there's still alternatives using the same service, so it's all compatible in the end.
So, OpenID is (very) basically a foreign cookie verification. Looks like I'm gonna build on top of this, however my web apps will allow for multiple open-ids per account. However:
"The current spec 1.1 will be deprecated in favor of the upcoming 2.0"
Deprecated? After a year or two in operation? I think newborn technologies should try to evolve without deprecation every other year...
Also, a nice OpenID feature would be to standardize to always have the "Enter your URL" box use the same HTML ID on each website - I think that's how browsers offer the auto-completion thingy - but I'm not sure.