Identity Theft: OpenID and What It Means for Web Security

User security on the Web is like the weather: it's a topic that generates plenty of talk but little meaningful action.

One organization that's doing something about Web security is the OpenID Foundation. Created in June 2007, the group is striving to build support for OpenID, a technology that aims to strengthen and simplify Web security by freeing people from the need to juggle multiple IDs across different Web sites, ranging from social networks to online stores.

An open-source community initiative, OpenID supplies users with a single identification and password that they can use to log in to any Web site that supports the technology. OpenID is built around a decentralized framework that enables anyone to become an OpenID user or provider at no cost and without registration or approval. The only requirement is that the adopter stick to the standard's framework and tenets. Since OpenID utilizes existing Internet technology, users can transform an existing identity into an account that can be used at sites supporting OpenID logins.

The OpenID Foundation has attracted the attention and cooperation of some of the Internet's biggest guns. Google, IBM Corp., Microsoft Corp., VeriSign Inc. and Yahoo! Inc. all sit on the organization's board. The companies have also pledged to support OpenID on their respective Web sites.

OpenID promises Web sites and users a variety of benefits, including:

Simple and Secure Web-Site Access: A single OpenID login relieves users of the need to recall multiple identification/password combinations for accessing various Web sites.

Better, Safer Password Management: With only a single identity to manage, users should be able to exert better control over their passwords. By leaving users with only one password to remember, OpenID removes the biggest reason for creating a theft-prone written or digital password list.

Increased Flexibility: People and organizations can experiment with OpenID to meet their own needs, as long as they remain true to the standard. Anyone, for instance, can decide to create their own authentication method and deploy it within the standard's framework. Likewise, it's perfectly acceptable to create new identity services for deployment under the OpenID umbrella.

Improved Stability: While several Web-security strategies have appeared and vanished over the past several years, OpenID is designed to be durable. Since it's an open standard, it won't vanish if any one company suddenly changes its strategy or goes out of business.

Not So Fast

While OpenID has plenty of strong points, skeptics have pointed out several shortcomings that could delay, or even derail, widespread adoption. These challenges include:

Low Adoption Rate: Despite having some of the biggest Internet names in its corner, OpenID remains far from its goal of becoming a universal security tool. On its Web site, the OpenID Foundation acknowledges that "OpenID is still in the adoption phase." According to the organization's present statistics, more than 10,000 Web sites currently support OpenID logins. That's a good number of sites, including some very big ones. But most sites still don't accept OpenID logins.

Low Awareness Level: Many everyday Web users remain unaware of OpenID's existence. This situation should improve as the standard's giant supporters ramp up their PR efforts. But for now, OpenID remains a low-profile standard.

Loss of Control: OpenID places most security responsibilities in the hands of a third party. That's convenient. Yet if OpenID experiences some form of security catastrophe, Web-site operators will be left to pick up the pieces.

Increased Password Vulnerability: Without OpenID, damage from identity or password theft is usually limited and contained. With OpenID, losing one password is as good as losing them all.

Untried Technology: Since OpenID has yet to be used on a truly massive scale, it's unknown what new, currently unimagined threats will develop once hordes of phishers and other Internet evildoers begin targeting the standard and its users.

Privacy Peril: Will businesses begin sharing user-identity data, such as shopping and reading preferences, across their Web sites? This seems like a strong possibility. An OpenID user could circumvent this threat by adopting multiple identities, but this would sabotage the standard's one-identity-per-user goal, and also might lead to usability problems.

OpenID has yet to achieve critical mass, and several important problems must be resolved before the standard can begin generating any mainstream traction. Still, given the backing OpenID is receiving from industry heavyweights, it's hard to imagine that it won't eventually become a force to be reckoned with.