Word on the street is that MySpace is soon going to be an OpenID issuer for all its user accounts, in much the same way that Yahoo enabled its accounts several months ago. With the MySpace news and several intervening conversations I've had since the Yahoo announcement, I'm becoming more and more concerned that the great idea that is OpenID is at risk.
Don't get me wrong -- I think it's terrific that MySpace and Yahoo and others are on board. You have to start somewhere, and MySpace has indicated it may become a relying party in the future, so it's not all bad. And adoption by industry's big players is critical to OpenID's future success and realization of all that OpenID can provide.
Perhaps it's a bit of a Catch-22 though: In order to get a standard off the ground, you have to get the buy-in of some heavy hitters, and when they do, you have to hope the standard meets their needs, or is flexible enough without disrupting how the standard's already adopted by everyone else out there.
MySpace says it plans to join the OpenID crowd as a provider only. In other words, like Yahoo, it won't trust other OpenID providers when it comes time for you to access their site. While I understand the business reasons for this, the concept and dream of an Internet-based single sign-on in a secure, trusted environment only works if the "trust" side of the equation works and gets adopted.
By the way, if you’re new to OpenID, here's a quick visual primer that I recommend. It's helpful in understanding the difference between a provider and a relying party, among other things.
The concept behind OpenID is a single username and password that works across every Web site you access. When big companies create identity silos (issuing identities but not accepting anyone else's), single sign-on gets squashed.
I've questioned before whether trust for business use is really viable to expect from OpenID. For large Internet companies and classic businesses such as banks, identity is everything, and any identity system must be substantially proven, sound, and well secured. For businesses that require strong authentication such as banks, many have concluded that OpenID on its own probably doesn't fit the bill. It would require some form of stronger authentication on the back end to provide the level of security required for that kind of trust.
It's also important to point out that authentication and identification are two different things. I can assert my identity to you by passing along some information, but you can also choose whether to trust what I assert, and whether to verify the information. Ask yourself this: If you receive some information about me as part of a login process, how do you know it's actually me that's sending it, and not a criminal pretending to be me, trying to access my account? That's where authentication comes in. I have to prove somehow that it is, in fact, me. This is typically done with a process based on information that only you and I know (called "shared secrets"), or with other factors, such as security tokens.
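To make the provider/relying-party split and the "shared secret" point concrete, here is an added example (not code from this post or from any OpenID library) of the checks a relying party runs on an OpenID 2.0-style positive assertion: the claimed identifier is the identification, and the provider's HMAC signature over the signed fields, made with the association secret the two sides share, is what actually authenticates it. The provider URL, secret, nonce and trusted-provider list are all constructed; the "trusted providers" policy is the identity-silo decision the post describes.

```python
import base64
import hashlib
import hmac

# Constructed values: a made-up association secret and a hypothetical provider.
ASSOC_SECRET = b"constructed-association-secret"
PROVIDER = "https://provider.example/op"
REQUIRED = {"op_endpoint", "return_to", "response_nonce",
            "assoc_handle", "claimed_id", "identity"}

def signed_kv_form(params):
    """OpenID 2.0 signs 'name:value\\n' for each field named in openid.signed,
    in that order, with the 'openid.' prefix stripped."""
    fields = params["openid.signed"].split(",")
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in fields).encode()

def sign(params, secret):
    mac = hmac.new(secret, signed_kv_form(params), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def verify_assertion(params, secret, trusted_providers, seen_nonces):
    """Relying-party side. Returns (ok, claimed_id or reason)."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if params.get("openid.op_endpoint") not in trusted_providers:
        return False, "provider not trusted by this RP"   # the identity-silo policy
    if not REQUIRED <= set(params.get("openid.signed", "").split(",")):
        return False, "required fields not covered by signature"
    if not hmac.compare_digest(sign(params, secret), params.get("openid.sig", "")):
        return False, "bad signature"                     # assertion, not proof
    nonce = params["openid.response_nonce"]
    if nonce in seen_nonces:
        return False, "replayed response"
    seen_nonces.add(nonce)
    return True, params["openid.claimed_id"]

def sample_assertion(provider=PROVIDER, secret=ASSOC_SECRET):
    """Constructed positive assertion as the provider would redirect it to the RP."""
    p = {"openid.mode": "id_res", "openid.op_endpoint": provider,
         "openid.claimed_id": "https://alice.provider.example/",
         "openid.identity": "https://alice.provider.example/",
         "openid.return_to": "https://rp.example/login/return",
         "openid.response_nonce": "2008-01-01T00:00:00Zabc123",
         "openid.assoc_handle": "assoc-1",
         "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity"}
    p["openid.sig"] = sign(p, secret)
    return p
```

A tampered claimed_id, a provider outside the trusted set, or a replayed nonce all fail, which is the difference between someone asserting an identity and the relying party being able to verify it.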
Which brings me to what I think is an important question: What is the one company or organization that everyone would likely trust to authenticate OpenID users?
To help answer this question, I asked around. In huge numbers, people answered much the same way I would: "Visa," they told me. Some also suggested American Express or Mastercard. A couple of larger banks were mentioned, too. A few said "the government" but changed their minds later. Still, the tilt toward financial services companies was unmistakable.
Why? These companies already have large, proven, secure identity systems that work and brands that consumers trust, plus active anti-fraud measures aimed at stopping bad activity. Credit cards are accepted everywhere because merchants trust Visa to handle their payment transactions, based on experience. MySpace trusts Visa for financial transactions, and so does Yahoo. Visa already has the ability to authenticate me. Why should Visa be interested? Simple: for the Visa name to be associated with every login or online transaction is great for its brand identity and prominence.
OpenID can be the single sign-on infrastructure that allows end-user management of personal information, while being backed up by a few key, trusted identity providers. That would ensure our OpenIDs have the strength and backing that would allow merchants and other Internet sites to trust their authenticity.
I don't pretend to believe that there is "one right way" to create trust among users, e-businesses, and Web site operators. There are some great companies out there commercializing OpenID and helping people implement it, so there's more than one way to solve this problem. Is Visa the best third party to make this happen? Should we wait for a series of bilateral trust agreements among AOL, Google, Microsoft, MySpace, Yahoo, and others? Write us here or post your suggestion on the message board below.
— Greg Hughes, independent IT security consultant and blogger
This blog is part of Internet Evolution’s Security Clan, which looks at the present and future threats to Internet security and the methods being used to defend and protect users and organizations. Register here to join the Security Clan, and you might become eligible to win one of our limited edition T-shirts, or maybe a taser gun – just the thing to keep that DDoS and XSS malware at bay.