Security: Risk and reward

OpenID: User-centric identity

Looking at the development of different technologies in the last two decades, I am amazed at the vast difference between how a technology was first envisioned and how it ended up being implemented.

You start with a tightly coupled, hierarchical, centralized design by committee. Invariably, an august organization is chosen to run it: a phone company, the postal service, the government, a big vendor. Examples of this type of design are: X.25, X.500, X.400, PKI and Microsoft Passport (Windows Live ID). The design languishes for years while politics and control issues prevent its implementation. Then some organization, committee or coder takes the original design, strips it down and implements it as a more loosely coupled, decentralized, ad-hoc version. See IP, SMTP, DNS, Lightweight Directory Access Protocol, the Web and OpenID.

It's almost like we can't believe that anything ad-hoc and decentralized could possibly work. If no one is in control, it's anarchy. It is -- but modern technology abounds with examples of "healthy anarchy" such as Wi-Fi or the Web. There's a lot of junk and risk, but the flexibility of ad-hoc more than compensates for the anarchy.

OpenID is a great example of a technology borne out of the failure of centralized schemes. Simply put, OpenID is a decentralized, user-centric identity framework. It replaces dozens of username/password pairs with a single Universal Resource Identifier (URI). Let's say I wanted to have a unique ID that was under my control. I create an ID on an OpenID-compliant identity server and add a link to it on my personal Web site, Web page, blog and so on. Thereafter, I use my Web address (say as my logon identifier on various sites. Instead of registering a separate ID on each site, I hand them my URI and the Web server I am visiting hands off the authentication to my chosen identity vendor.
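The "add a link to it on my personal Web site" step is what lets a visited site find the identity server. As an added example (not code from the column or from any OpenID library), the block below performs OpenID 1.x HTML-based discovery on a user's page and builds the checkid_setup redirect a relying party would send the browser to; the sample page, hostnames and return address are constructed.

```python
# Added example: OpenID 1.x discovery from <link rel="openid.server"/"openid.delegate">
# tags on the user's own page, then the checkid_setup redirect built from them.
# All URLs and the page below are constructed sample values.
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit

SAMPLE_PAGE = """<html><head>
<link rel="openid.server" href="https://idp.example.net/openid/auth">
<link rel="openid.delegate" href="https://idp.example.net/u/andreas">
</head><body>Andreas's home page</body></html>"""


class _LinkCollector(HTMLParser):
    """Collects rel -> href for every <link> tag (first occurrence wins)."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            a = dict(attrs)
            for rel in (a.get("rel") or "").split():
                self.links.setdefault(rel.lower(), a.get("href"))


def discover(claimed_id_html):
    """Return (provider_endpoint, delegate) found on the claimed identifier's page.
    The delegate is optional; without it the claimed URL itself is the identity."""
    p = _LinkCollector()
    p.feed(claimed_id_html)
    server = p.links.get("openid.server")
    if not server:
        raise ValueError("no openid.server link on claimed identifier page")
    # Refuse cleartext endpoints: the user would be redirected there with
    # the return_to and trust_root in the clear.
    if urlsplit(server).scheme != "https":
        raise ValueError("provider endpoint must be https")
    return server, p.links.get("openid.delegate")


def checkid_setup_url(claimed_id, page_html, return_to, trust_root):
    """Build the OpenID 1.1 checkid_setup redirect for the relying party."""
    server, delegate = discover(page_html)
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": delegate or claimed_id,
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
    }
    sep = "&" if "?" in server else "?"
    return server + sep + urlencode(params)
```

The redirect is only the first half of the exchange: before trusting the identity, the relying party must still verify the provider's signed response (via an established association or check_authentication) and confirm that the return_to it receives matches the one it sent.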

How secure is OpenID? The framework is a better approach than trying to keep track of dozens of scattered IDs. As for the security of each OpenID, that depends on the identity server. You can pick and choose depending on the level of security, anonymity or convenience you need. I might have multiple OpenID handles for blogging, banking or shopping - some anonymous, some pseudonymous, some notarized, some requiring two-factor authentication with biometrics. Or I can also use a service that auto-generates bogus throw-away IDs on demand.

OpenID offers a Web-based, interoperable, distributed and loosely coupled alternative to centralized vendor offerings such as Windows Live ID, AOL, Google or Yahoo accounts. In fact, you could base your OpenID on a Windows Live ID (Microsoft has announced plans to support it) or an AIM ID (a beta service is running). More sites are supporting OpenID and there are many free (royalty-free and open source) libraries implementing it. If the past is any indication, open, interoperable and ad-hoc usually beats proprietary, centralized and closed.

Antonopoulos is a senior vice president and founding partner at Nemertes Research, a leading independent technology research firm. Reach him at
