I recently learned about OpenID, a new distributed single-sign-on technology, and I am very excited about it.
What problems does OpenID solve? At the moment I have accounts on several different web sites – my bank, my stock broker, online merchants, blogs, forums and many others. Each one has a username and password that I have to keep track of. Of course, like most people, I don’t have a different password for every site, instead I have a small number of passwords that I use at many different sites.
Single-sign-on gives you a way to combine these different accounts so that you can sign on to many different web sites with a single username and password. Once you log in to one of them, you are effectively logged in to all.
Up to this point, the only single-sign-on system that has widespread adoption is Microsoft’s Passport system. However, Passport is a centralized authentication system, which means that one single entity (Microsoft) now has the keys to everyone’s private information.
OpenID is a distributed authentication system, which means that there are many small providers – you can choose which company you want to be your OpenID provider. If you are an AOL or LiveJournal user, you already have an OpenID identity.
Here’s how it works: Suppose you want to create an account at some site – let’s say ma.gnolia, a popular social bookmarking site (much like del.icio.us). Normally you’d be asked to enter a username and password. But ma.gnolia also allows you to enter an OpenID identity instead. An OpenID identity is just a URL. Mine is http://talin.myopenid.com.
Now, when you sign on to ma.gnolia, instead of asking you for your username and password, it redirects you to your OpenID provider (which might be LiveJournal or AOL or in my case myOpenID.) You log in to that site just as you normally would. It then redirects you back to ma.gnolia, with a special bit of data that says “yes, this user is who he/she claims to be”. The ma.gnolia site never sees your user name or password, all they see is that the proof that you are who you say you are. You can even set it up so that you only have to log on once – the next time you come to ma.gnolia, you’ll just automatically log in, as long as you are already logged in to your provider.
So it’s pretty simple. You can have more than one OpenID if you need to have multiple identities. If you decide you don’t like your OpenID provider, there’s a way to forward OpenID requests to a new provider that you like better.
What’s exciting about this, however, it that is makes lots of stuff possible that wasn’t before. A quote that I heard recently and which very much sums up my feelings: “People keep asking me to join the LinkedIn network, but I’m already part of a social network – it’s called the Internet.”
Once we have a secure way to identify people online, and to maintain a persistent identity that travels with us, we can do all kinds of interesting friendster-like things on the web instead of having to be locked in to a single service like myspace or tribes or whatever. I’m also interested in distributed reputation systems – so I can list all of the people I trust, and anyone who trusts me can trust them in turn.