We won’t make much progress on information cards in the near future, however, because of wasted energy and attention devoted to a large distraction, the OpenID initiative. OpenID promotes “Single Sign-On”: with it, logging on to one OpenID Web site with one password will grant entrance during that session to all Web sites that accept OpenID credentials.[From Digital Domain – Goodbye, Passwords. You Aren’t a Good Defense. – NYTimes.com]
OpenID is simple (to technical persons such as myself), which is one of the main reasons why it is spreading, but that simplicity also means that it doesn’t solve all of the problems.
OpenID provides Single Sign On to social networking sites and blogs. It means we can use a public persona across sites, and just log in once to use that persona. But OpenID doesn’t have the privacy characteristics that would make it suitable for government applications or casual web surfing. And it doesn’t have the security characteristics necessary for financial transactions or access to private data.[From IdentityBlog – Digital Identity, Privacy, and the Internet’s Missing Identity Layer]
True. However, there are people working to combine OpenID with other technologies in fruitful ways.
Google also announced that it is looking to combine the OAuth and OpenID protocols so that a service can not only request a user’s identity through OpenID, but also “request access to information available via OAuth-enabled APIs such as Google Data APIs as well as standard data formats such as Portable Contacts and OpenSocial REST APIs.”[From Google Adopts, Forks OpenID 1.0 – ZePy]
All of these pointers suggest to me that business strategies should be featuring OpenID as a near-future practical component rather than as a distant solution to a poorly-understood problem.
So how could OpenID evolve into something that solves an identity problem for a business that has one, such as banking? Well, as previously discussed, OpenID needs strong authentication to be useful for business. In another interesting direction (one of my favourite memes, 2FA OpenID), some time ago the national smart identity card in Finland was made internet-useful by integration with OpenID. This seems to me to illustrate one likely path through the authentication, identification and federation roadmap.
TrustBearer Labs will be providing support for the Finnish National Electronic Identification Card (FINEID) with its OpenID service.[From SecureIDNews | TrustBearer OpenID to support Finland National ID card]
In the banking sector, where I have been looking again at authentication strategies for our customers, the usefulness of OpenID has been spotted and the potential for business deployment with appropriate 2FA is there.
One potential issue I see with this is there will still need to be a verification step involved to verify that the OpenID was really issued by a bank[From More on OpenID | The Life and Times of a Credit Union Employee]
Well, yes. Passing around credentials adds complexity. Federation is hard, as OpenID is discovering as it attempts to deliver the functionality required for real businesses. But federation is also a well-understood problem that a lot of people have been working on.
we need corporate identities that can extend beyond the boundaries of the organisation in a safe and controlled manner. This was the intention with SAML, but adoption has been slow – I suspect by the complexity of its WS-Deathstar burden – and now OpenID is streets ahead in terms of acceptance (in an interesting parallel to the adoption of Web Service-based SOA and REST).[From Tardate 11.1: OpenID – the missing spice in Enterprise 2.0?]
All of these snippets seem to suggest that OpenID, almost as a kind of trojan horse for 2FA and federation, is a promising technology. There’s no point arguing that it isn’t perfect — I know it isn’t — but with a few small steps it can be made to deliver an identity environment that is fantastically better than we have now.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public