OpenID: Pros and Cons

Written by Bonnie Boglioli, January 17, 2011

Just five years ago, the Internet was primed for a potent combination of interactive design and applications built around the user experience. More people were discovering information, participating in discussions, sharing content and purchasing. Yet just as we welcomed in the age of Web 2.0, something was missing for the average user: a way to access the growing number of sites easily and securely.

Enter OpenID. Through the focused work of notable veteran developers, a decentralized protocol for identity authentication was born. OpenID was rapidly embraced by industry and users alike, who described it as lightweight, intuitive and secure. Today, OpenID boasts an astonishing 1 billion enabled user accounts, with over 50,000 websites offering its universal authentication protocol.

Amidst its broad adoption and many positive attributes lurk a few drawbacks for some prospective adopters, which must be weighed when determining whether or not OpenID is the optimal authentication standard for the job.

The Basics - SSO, Authentication & OpenID:

Before we start to explore the world of OpenID, it is important to understand the fundamentals of authentication and SSO. Authentication is the process of establishing digital trust: determining that an identity is who it claims to be. This can be achieved via traditional means such as usernames, passwords and security questions, or in more advanced ways with smartcards and biometrics. Single sign-on (SSO) is a method of accessing multiple software systems (with permissions) using a single login account and password.

SSO and authentication are powerful tools in today’s Internet age, and ones most of us have come to take for granted, though their genesis corresponds to that of OpenID itself. Removing the once mandatory per-site registration step via SSO provides a more user-friendly experience, which ultimately encourages higher website adoption rates and the measurable gains that follow (conversion rates, click-through rates, etc.).

Decentralized Standard:

As its name suggests, OpenID is an open authentication standard that is not controlled by any single entity or server; it relies instead on a volunteer community of developers to maintain, test and add features to the protocol. Users choose an OpenID provider (OP) as the service that manages their online identity (the equivalent of the ‘keeper of the castle keys’) and a unique OpenID URL, which serves as the end-user’s identifier.

Because it is an open standard, anyone may obtain a free OpenID account, one integral reason why the protocol has garnered such high adoption rates. Third party sites that integrate OpenID (relying websites and OPs alike) may use the protocol with no strings attached.

Unlike some competing SSOs, the protocol’s ‘openness’ does not mandate a specific authentication method; it instead accommodates a broad spectrum of digital identity consolidation, for better and for worse depending upon one’s viewpoint. This gives rise to distinct OpenID providers that appeal to specific end-users, and to end-users who can tailor what information is shared. Identifying a target market or audience is crucial in determining which OP to use, for both end-users and relying websites.

User-centric SSO:

OpenID has been dubbed ‘user centric’ for its emphasis on putting people in charge of their information. It offers flexible control over how much information end-users share with relying websites and which OP they choose to manage that information. Consolidating all of one’s logins under a single OpenID URL account is possible but not required, which leaves users with more diversity and options.

Security:

Though they remain the most prolific means of authenticating users, passwords are the least secure for a variety of reasons (phishing, malware, keyboard loggers, decryption services and cyber attacks, to name a few). Security threats are often easier to address and combat with a single protocol such as OpenID, whereas traditional authentication methods are at the mercy of individual people and websites, which may or may not be capable of reducing security risks. Furthermore, large OPs such as Google and Yahoo place paramount emphasis on security, which equates to peace of mind for many end-users and relying websites.

Security can never be guaranteed unequivocally, of course. Theoretically, if one’s OpenID information is compromised, a thief can potentially gain access to multiple accounts. Proponents of OpenID emphasize that risks can be at least as high for users who do not use SSO, since they often reuse a single, unprotected username or password across many sites. By contrast, OpenID provides a sophisticated form of authentication that is anything but easy for potential thieves to crack.

Cyber security has grabbed the headlines in recent years thanks to increased Internet and broadband usage and a keen awareness of the national and international security threats posed by cyber thieves. In January of 2011, the U.S. Commerce Department’s National Strategy for Trusted Identities in Cyberspace released its proposed guidelines to reduce and/or eliminate the need for multiple user accounts, noting the importance of sophisticated means of authentication and the increased risks associated with password-only protection. The OpenID Foundation works alongside the world’s nations to ensure a transparent, evolving means of authentication that further deters would-be thieves.

What it is and isn’t, for better and for worse:

Let’s talk about trust for a moment. One of the great benefits of OpenID is that it is a trusted, relatively secure protocol that users recognize. While not ubiquitous, it can implicitly serve to make many third party relying sites more credible in the eyes of users. What’s more, many users already have OpenID accounts.

Relying websites that use the OpenID protocol do not need their own ad hoc system of authentication, which makes OpenID an invaluable resource. With OpenID, companies need not develop their own brand of complex registration system, cutting the costs and maintenance associated with the secure storage and management of user login information, support and more.

Unlike its open authorization counterpart OAuth, OpenID only authenticates identity. In general, it lacks the refined and detailed means of authorizing access to specific information. By contrast, OAuth allows for the sharing of information between relying party websites. Using the OpenID protocol, relying websites do not trade information about an end-user with one another. For many who are concerned with privacy, this is a positive trait. For some websites, however, the lack of information exchange via the OpenID protocol can be considered a downside.

While not equivalent to an authorization protocol, OpenID can potentially offer access to end-users’ publicly viewable information (depending upon the end-users’ settings and allowances), which offers a wealth of material to marketing staff interested in demographics.

The downside to third party authentication? There are benefits to controlling and managing users in the traditional login process, particularly for community-oriented, dialog-based websites. Websites take note: there is no easy way to dissolve the relationship in the event the relying party wishes to sever ties with the identity provider (OP). When this occurs (for example, when a user closes their Gmail account), end-users who sign on to a relying party via an OpenID identifier would necessarily be required to re-register with the relying website. Offering a traditional login alongside OpenID lets relying parties cover their bases on this front.
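An added example (not from the original article or from any OpenID library) of how a relying website can store the OpenID URL identifier described above and still cover its bases when a provider link is severed: identifiers are normalized the way OpenID 2.0 section 7.2 describes for URL identifiers, and each local account may hold a password, one or more OpenID links, or both. Redirect-following and XRI identifiers are assumed out of scope, and the RelyingParty class and its sample data are constructed for this illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(user_input: str) -> str:
    """Normalize a typed OpenID URL (OpenID 2.0 section 7.2, URL identifiers only):
    prepend http:// when no scheme is given, lowercase scheme and host,
    drop any fragment, and use "/" for an empty path."""
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s
    p = urlsplit(s)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


class RelyingParty:
    """Constructed in-memory account store for a relying website (assumption)."""

    def __init__(self):
        self.passwords = {}  # username -> (salt, PBKDF2 hash); absent if OpenID-only
        self.links = {}      # normalized OpenID identifier -> username

    def set_password(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        self.passwords[username] = (salt, digest)

    def link_openid(self, username, identifier):
        self.links[normalize_identifier(identifier)] = username

    def login_local(self, username, password):
        rec = self.passwords.get(username)
        if rec is None:
            return None
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        return username if hmac.compare_digest(digest, candidate) else None

    def login_openid(self, verified_identifier):
        # verified_identifier is the claimed identifier the OP has already asserted
        return self.links.get(normalize_identifier(verified_identifier))

    def sever_provider(self, op_host):
        """Drop every link to identifiers hosted at op_host and return the users
        left with no way to sign in, i.e. those who would have to re-register."""
        gone = [ident for ident in self.links if urlsplit(ident).netloc == op_host]
        affected = {self.links.pop(ident) for ident in gone}
        still_linked = set(self.links.values())
        return sorted(u for u in affected if u not in self.passwords and u not in still_linked)
```

A user who has only an OpenID link to the severed provider ends up in the returned list, while a user who also set a local password keeps signing in unaffected.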

The bottom line:

OpenID can be a tremendous asset for many websites, offering simple, secure authentication for users while effectively cutting costs and headaches. The value-added connections of third party authentication work to increase a website’s key performance indicators, drive adoption rates and more.

While OpenID is quite familiar and a clear leader in the field, it is still far from ubiquitous. There are benefits to offering a traditional, straightforward means of logging in to a website, if only alongside a protocol like OpenID. Bottom line? Ensure every user has a simple means of registering for and accessing a website alongside the OpenID protocol.
