Quite a while ago I read a paragraph about OpenID. My initial reaction was something like "no way". However, I was recently encouraged by a colleague to have another look.
I must say that my initial reaction ("no way") was shaped primarily by reading "What is OpenID?" on the official OpenID website, coupled with a significant amount of personal experience and interest in learning about information security systems. So, when I saw the terms "Single Sign On (SSO)", "authentication" and "identity" used in describing OpenID, I immediately thought that this solution was being considered as a means of establishing a high degree of trust. Given that perception, the fact that OpenID is based on a completely decentralized authentication architecture just didn't add up.
While looking at OpenID this time, I actually went through and tried to establish the worthiness of OpenID as it is being used today, which is not, from what I've gathered, as a mechanism to establish trust. The idea of using the criteria discussed in Bruce Schneier's book "Beyond Fear" came to mind, but I didn't feel that the five questions he uses when evaluating a security solution were completely appropriate when applied to OpenID as it is being implemented today:
What are you protecting?
What are the risks associated with what you are protecting?
How well does the solution address the risks?
What risks are introduced by the solution?
What costs/trade-offs are associated with the solution?
To establish the worthiness of OpenID in my mind, I answered the following questions:
What problem does OpenID solve?
Establishing an identity on multiple Internet-based services and all the associated issues (control of personal information, inconvenience of providing credentials, potential loss of password discipline)
How well does this solution address the problem?
OpenID does address the issues associated with having identity-related information stored on multiple services.
What risks are introduced by OpenID?
The risk of phishing attacks increases with this model, but when using MyOpenID as your credential provider you can set a personal icon and enable a feature called SafeSignIn, which together reduce the risk of phishing to an acceptable level (for me). Another risk is trusting this decentralized credential provider with any information that you provide. For instance, MyOpenID "promises" to honor your privacy.
What are the costs associated with OpenID?
From the perspective of the OpenID end user, there is no money involved. The software needed to run an OpenID server or relying party is free of charge as well. However, although the software is free to the developer, from what I understand, implementing or integrating an OpenID server or service is not trivial.
You'll notice that I've rephrased the criteria to establish the worthiness of OpenID as a general system rather than a security-focused system. This, as I mentioned before, is because I am evaluating how OpenID is being used today. OpenID does not seem to be used to protect assets of significant value and therefore trust is not a big concern. However, having said that, I do believe that this framework could be applied today within an organization to establish a lesser degree of trust than made available through more centralized and costly approaches (e.g. PKI, Federated Identity, domain-based schemes). Along these lines, this framework could potentially be used as another type of centralized scheme. These scenarios would go against the "open" in OpenID; if that meets your needs, fine.
As OpenID matures the framework is expected to support the establishment of varying degrees of trust based on the sorts of credential providers that become available. It will be interesting to see the level of trust people will accept in an online environment using a completely decentralized security mechanism, as well as the exploits. It will also be interesting to see which service providers are willing to give up collecting phone numbers, street addresses, and so on, of consumers.
OpenID solves a common problem with little cost or risk involved. As a service provider, if you would benefit from providing an SSO environment to your consumers, and the value of your online assets is in line with the level of trust (low) established with OpenID, then I would suggest that using OpenID is not such a crazy idea.