Identity Theft: OpenID and What It Means for Web Security

Updated: April 30, 2009

User security on the Web is like the weather: it's a topic that generates plenty of talk but little meaningful action.

One organization that's doing something about Web security is the OpenID Foundation. Created in June 2007, the group is striving to build support for OpenID, a technology that aims to strengthen and simplify Web security by freeing people from the need to juggle multiple IDs across different Web sites, ranging from social networks to online stores.

An open-source community initiative, OpenID gives users a single identifier, backed by one password held at an OpenID provider, that they can use to log in to any Web site that supports the technology. OpenID is built around a decentralized framework that enables anyone to become an OpenID user or provider at no cost and without registration or approval. The only requirement is that the adopter stick to the standard's framework and tenets. Since OpenID is built on existing Web technology (an identifier is typically a URL, and the login itself is a series of ordinary browser redirects between the site and the provider), users can transform an existing identity, such as an account at a participating provider, into an OpenID that is accepted at sites supporting OpenID logins.
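The login flow described above ends with the provider redirecting the user back to the Web site with a signed assertion, and the site is only as safe as the checks it performs on that assertion. The following is an added example, not code from this article or from the OpenID Foundation, of the relying-party side of an OpenID 2.0 positive assertion carried over a shared association: it checks that the response was meant for this site, that the provider making the claim is the one discovery found for the identifier, that the HMAC under the shared association key verifies, and that the nonce is fresh and has not been replayed. The association handle, MAC key, endpoint and identifier values are constructed for the example.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone

OPENID2_NS = "http://specs.openid.net/auth/2.0"
NONCE_WINDOW_SECONDS = 300  # tolerated skew between provider timestamp and RP clock

# Constructed values for this example. A real relying party obtains the handle
# and MAC key from an earlier openid.mode=associate exchange with the provider,
# and learns the provider endpoint by running discovery on the claimed identifier.
ASSOCIATIONS = {
    "assoc-demo-1": ("HMAC-SHA256", bytes.fromhex("00112233445566778899aabbccddeeff" * 2)),
}
EXPECTED_RETURN_TO = "https://rp.example/openid/return"
DISCOVERED_ENDPOINT = {"https://alice.op.example/": "https://op.example/server"}
DEMO_NOW = datetime(2009, 4, 30, 12, 0, 0, tzinfo=timezone.utc)


def kv_form(params, signed_fields):
    """Key-Value Form Encoding (OpenID 2.0 s4.1.1): one 'key:value' line per
    signed field, in openid.signed order, with the 'openid.' prefix removed."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields).encode()


def compute_sig(params, alg, mac_key):
    """Base64 HMAC over the signed fields, as the provider computes openid.sig."""
    digestmod = hashlib.sha256 if alg == "HMAC-SHA256" else hashlib.sha1
    fields = params["openid.signed"].split(",")
    return base64.b64encode(hmac.new(mac_key, kv_form(params, fields), digestmod).digest()).decode()


def nonce_time(nonce):
    """openid.response_nonce begins with a UTC 'YYYY-MM-DDThh:mm:ssZ' timestamp."""
    return datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def verify_assertion(params, seen_nonces, now=None):
    """Validate a positive assertion (openid.mode=id_res) before trusting it.
    Returns (True, claimed_id) or (False, reason)."""
    now = now or datetime.now(timezone.utc)
    if params.get("openid.ns") != OPENID2_NS or params.get("openid.mode") != "id_res":
        return False, "not an OpenID 2.0 positive assertion"
    # The response must have come back to the URL this site sent the user out with.
    if params.get("openid.return_to") != EXPECTED_RETURN_TO:
        return False, "return_to does not match this site"
    # Every field the decision depends on must be under the signature (s10.1).
    signed = params.get("openid.signed", "").split(",")
    required = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}
    if not required <= set(signed) or any("openid." + f not in params for f in signed):
        return False, "signature does not cover the required fields"
    # The provider making the claim must be the one discovery found for the identifier.
    claimed = params["openid.claimed_id"]
    if DISCOVERED_ENDPOINT.get(claimed) != params["openid.op_endpoint"]:
        return False, "op_endpoint is not the provider discovered for claimed_id"
    # Recompute the HMAC under the association's key; compare in constant time.
    assoc = ASSOCIATIONS.get(params["openid.assoc_handle"])
    if assoc is None:
        return False, "unknown association handle"
    if not hmac.compare_digest(compute_sig(params, *assoc), params.get("openid.sig", "")):
        return False, "bad signature"
    # Reject stale or replayed nonces (s11.3); a nonce is unique per provider.
    nonce = params["openid.response_nonce"]
    try:
        issued = nonce_time(nonce)
    except ValueError:
        return False, "malformed nonce"
    if abs((now - issued).total_seconds()) > NONCE_WINDOW_SECONDS:
        return False, "nonce timestamp outside the acceptance window"
    if (params["openid.op_endpoint"], nonce) in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add((params["openid.op_endpoint"], nonce))
    return True, claimed


def demo_response(now=DEMO_NOW):
    """Constructed positive assertion as the provider would redirect it back
    (not captured traffic), signed with the shared association key."""
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/server",
        "openid.claimed_id": "https://alice.op.example/",
        "openid.identity": "https://alice.op.example/",
        "openid.return_to": EXPECTED_RETURN_TO,
        "openid.response_nonce": now.strftime("%Y-%m-%dT%H:%M:%SZ") + "Xq7f1",
        "openid.assoc_handle": "assoc-demo-1",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    params["openid.sig"] = compute_sig(params, *ASSOCIATIONS[params["openid.assoc_handle"]])
    return params


if __name__ == "__main__":
    seen, good = set(), demo_response()
    print(verify_assertion(good, seen, DEMO_NOW))   # accepted
    print(verify_assertion(good, seen, DEMO_NOW))   # same response again: replayed nonce
    forged = {**good, "openid.identity": "https://mallory.op.example/"}
    print(verify_assertion(forged, set(), DEMO_NOW))  # bad signature
```

The order of the checks matters less than their completeness: a site that verifies the signature but skips the discovery comparison will accept any provider's word about any identifier, and one that skips the nonce check will accept a captured assertion for as long as the association lives. Sites without a stored association would instead send the response to the provider with openid.mode=check_authentication and let it verify the signature, but the return_to, discovery and nonce checks remain the site's own job.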

The OpenID Foundation has attracted the attention and cooperation of some of the Internet's biggest guns. Google, IBM Corp., Microsoft Corp., VeriSign Inc. and Yahoo! Inc. all sit on the organization's board. The companies have also pledged to support OpenID on their respective Web sites.

Benefits

OpenID promises Web sites and users a variety of benefits, including:

Simple and Secure Web-Site Access: A single OpenID login relieves users of the need to recall multiple identification/password combinations for accessing various Web sites.

Better, Safer Password Management: With only a single identity to manage, users should be able to exert better control over their passwords. With just one password to remember, OpenID removes the biggest reason for keeping a theft-prone written or digital password list.

Increased Flexibility: People and organizations can experiment with OpenID to meet their own needs, as long as they remain true to the standard. Anyone, for instance, can decide to create their own authentication method and deploy it within the standard's framework. Likewise, it's perfectly acceptable to create new identity services for deployment under the OpenID umbrella.

Improved Stability: While several Web-security strategies have appeared and vanished over the past several years, OpenID is designed to be durable. Since it's an open standard, it won't vanish if any one company suddenly changes its strategy or goes out of business.

Not So Fast

While OpenID has plenty of strong points, skeptics have pointed out several shortcomings that could delay, or even derail, widespread adoption. These challenges include:

Low Adoption Rate: Despite having some of the biggest Internet names in its corner, OpenID remains far from its goal of becoming a universal security tool. On its Web site, the OpenID Foundation acknowledges that "OpenID is still in the adoption phase." According to the organization's present statistics, more than 10,000 Web sites currently support OpenID logins. That's a good number of sites, including some very big ones. But most sites still don't accept OpenID logins.

Low Awareness Level: Many everyday Web users remain unaware of OpenID's existence. This situation should improve as the standard's giant supporters ramp up their PR efforts. But for now, OpenID remains a low-profile standard.

Loss of Control: OpenID places most security responsibilities in the hands of a third party, the OpenID provider. That's convenient. Yet if a provider suffers some form of security catastrophe, every Web site that accepted its assertions will be left to pick up the pieces.

Increased Password Vulnerability: Without OpenID, damage from identity or password theft is usually limited and contained to the one site whose password was stolen. With OpenID, the password at the provider is the key to every site the user signs in to with that identifier, so losing one password is as good as losing them all.

Untried Technology: Since OpenID has yet to be used on a truly massive scale, it's unknown what new, currently unimagined threats will develop once hordes of phishers and other Internet evildoers begin targeting the standard and its users.

Privacy Peril: Will businesses begin sharing user-identity data, such as shopping and reading preferences, across their Web sites? This seems like a strong possibility. An OpenID user could circumvent this threat by adopting multiple identities, but this would sabotage the standard's one-identity-per-user goal, and also might lead to usability problems.

Outlook

OpenID has yet to achieve critical mass, and several important problems must be resolved before the standard can begin generating any mainstream traction. Still, given the backing OpenID is receiving from industry heavyweights, it's hard to imagine that it won't eventually become a force to be reckoned with.
