Here’s the one thing I hate about using the web – all the passwords I have to remember to access various internet services. From Facebook, Gmail and Flickr to Amazon, ASB online and my Inland Revenue account, I need to enter a password and user name to log on. I have a different one for each and they are just a handful of the websites I visit. That’s a long list of passwords and I change them regularly which complicates things further.[From Managing your online identity – 20 Jan 2008 – NZ Herald: Technology News and reviews from New Zealand and the World]
A while back, OpenID was created to provide a simple, distributed solution to this simple, distributed problem. For a while, OpenID lurked in the shadows, of interest only to identity nutters like me. But then it began to gain a little traction
Lately, though, there’s been a spate of OpenID news, highlighted by the announcements that both Yahoo! and Blogger are joining the list of OpenID providers. This means that you can use your Yahoo! or Blogger credentials to log on to sites that take OpenID (though neither one accepts OpenID logins in return; Blogger lets you use an OpenID login to leave comments and Yahoo! says they’re working on it).[From Web Worker Daily » Archive OpenID: Is it Time to Care Yet? «]
Being the nerd that I am, I immediately went my Yahoo! account when I read this and, sure enough, there was a link to create an OpenID, so I did. I haven’t used it yet, because I’ve now got too many OpenIDs and can’t remember the passwords to all of them and none of them are two factor, but it’s progress I suppose. You can’t argue that momentum isn’t growing…
The OpenID Foundation today announced that Google, IBM, Microsoft, VeriSign and Yahoo! have joined as its first corporate board members.[From Technology Leaders Join OpenID Foundation to Promote Open Identity Management on the Web]
I imagine that I will soon consolidate down to three or four OpenIDs, much as I have three of four payment cards. My work OpenID, my home OpenID, my games and nonsense OpenID. But I really would like a “serious” two-factor OpenID that I can use to log on to important things, like my bank account and so on.
I’m very interested in seeing how OpenID continues to evolve especially given all of this impetus. Now that the OpenID 2.0 specification has been finalised I assume that there will be yet more deployment. I can’t say I really understand all of the details of the new OpenID specification, but it adds some useful privacy-friendly capabilities and implements attribute exchange. Attribute exchange was one of the areas where OpenID 1.0 was deficient. Simple authentication, as provided by 1.0, is limited because most applications want to exchange user attributes so that users can avoid re-entering them at site after site. Using attribute exchange, your OpenID 2.0 provider, knowing your name and address, could send them to e-commerce sites (a sort of rudimentary federation) from site you’ve just authenticated to, for example. Another 2.0 innovation, if I understand it properly, is around naming because there was no naming standard in OpenID 1.0. Consenquently there was an opportunity for extension name collisions. OpenID 2.0 fixes that by piggy-backing on the DNS system, in the same way XML namespaces do, to allow users to create names that are guaranteed to be unique.
All of this means that I should be able to log in to things using the same ID whether on the Internet or mobile, home or away. And before any security types have a go at me, yes, I well understand the limitations of OpenID, but it’s simple, easy and convenient. The more that I use it, the more that I want to use it, and I want to use it with 2FA. Surely there must be some mobile operator out there who is looking for an inexpensive anti-churn mechanism to hold on to heavy users like me? Then wouldn’t a 2FA (using the phone) OpenID be a good choice?
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]