OpenID is a geek’s paradise, providing an identity credential that Web users can ferry to different blogs, gaming and social-networking sites. So far, the open-source, three-year-old ID framework is supplying 30 million users with a trusted, digital identity at about 10,000 Web sites. The portable Web identity takes the hassle out of handling hundreds of different username and password profiles, and gives users more control over where they provide personal information. For IT managers, benefits include smaller profile databases, since profile data can be delivered on demand from a visitor’s OpenID provider.
But the day this lightweight, decentralized identity framework connects through banks into transactional accounts, say experts, is when hell freezes over. Bankers would be loath to accept credentials provided by the come-one, come-all ecosystem of OpenID providers. However, financial institutions might see it as a way to tackle proprietary roadblocks that have long stymied identity-federation movements.
“You’re starting to see movement toward some sort of convergence, to where OpenID becomes this underlying protocol,” says Gary Krall, a development manager at VeriSign, one of a handful of new mainstream corporate providers of OpenID. A key supporter is Microsoft, whose executives learned with its Passport fiasco that an open-policy framework works best. Hence, Microsoft’s new CardSpace identity metasystem was built with more open standards. On his popular “IdentityBlog” site, Microsoft ID expert Kim Cameron says OpenID “is an important addition to the spectrum of technologies we call the Identity Metasystem, since it facilitates integration of the ‘long tail’ of Web sites into an emerging identity framework.”
OpenID tags each user with a unique URL identifier, which then serves as a credential at other OpenID-enabled sites and is passed on when the user types it into the originating-party link in the OpenID log-in box. The credential is forwarded under OpenID’s new directed-identity protocol in the latest spec release.
Critics point to OpenID’s privacy and security shortcomings. The most obvious is its role as a single point of failure: a phisher who gains access to one OpenID site holds the key to every credential-enabled site. Though the initial danger is limited to unauthorized blog ramblings, the underlying DNS-enabled structure of “redirection protocols” like OpenID carries too much visibility about user activities, Cameron says on his blog.
But OpenID is achieving something other digital-signature containers haven’t: widespread use. In February, OpenID earned a booster shot of corporate credibility when Google, Microsoft, Yahoo!, IBM and VeriSign joined its board. Google and Yahoo! also adopted the OpenID system, creating huge ports of entry for originating OpenID credentials; Google agreed to be a relying party of OpenID identities forged from other providers.
Banks and financial-services companies are looking to migrate credentials to other trusted parties, with a bare minimum of provisioning so that little user data is shared. “They’re looking more at Web-services security,” says Daniel Raskin, Sun Microsystems’ product-line manager for access management and federation. “They want those federated relationships, but they don’t want those identities shared at all.”
Once OpenID becomes a mainstream ID container for millions, Krall sees banks becoming OpenID providers—with the ability to create and sheriff the credentials their customers use externally. Why shouldn’t banks, natural conduits of the most secure credentials, take advantage of that portal/branding opportunity? Given banks’ ability to brand, the probability of ID credentialing at their own Web sites “is quite high,” he says.