Monday, April 5, 2010

Defeating the Password Anti-Pattern with OpenID

Most websites provide registered users with access to some type of secure “members only” content, but they ask users to create a new username and password (and remember it each time they return).  Unfortunately, we users can’t remember any more passwords.  We can barely remember the usernames and passwords for the accounts we have already!

Being overwhelmed is only part of the problem.  A larger threat is that users may contribute to their own identity theft.  To cope with the number of accounts they have to remember, users often reuse the same username and password at multiple sites.  Websites that require an email address as the username make this worse: whoever breaches one of those sites now holds the user's email address together with a password that, very often, also opens the mailbox itself, and the mailbox is where every other account's password reset lands.

These behaviors all feed what security experts call the “password anti-pattern”: one site ending up with the username and password that belong to another.  (In its strict sense the term describes a site that asks users to type in their credentials for a different service, say to import an address book; password reuse produces the same exposure without anyone asking.)  If one site gets hacked, the bad guys can simply try the stolen credentials at every other site the user frequents, and they will get in wherever the password was reused.

OpenID addresses the online account / identity problem by letting consumers use a single account identity to access secure content on multiple websites.  Websites that support SSO with OpenID are called “relying parties”, and these sites rely on an issuing provider (the specification's own term is “OpenID Provider”, or OP) for identity management and authentication.  The relying party never sees the user's password at all; it receives only a signed assertion from the provider that the user authenticated, so the password anti-pattern is defeated.

Here’s how it works:  when a user wishes to access secure content, the relying party website redirects the user to the issuing provider to log in; the issuing provider authenticates the user; and the issuing provider then redirects the user back to the relying party carrying a signed assertion of who logged in, which the relying party verifies before granting access.  An alternate user experience delivers similar capabilities using a browser pop-up rather than redirecting across sites.  

If interested, you can read the OpenID 2.0 technology specification here:  http://openid.net/specs/openid-authentication-2_0.html#anchor2.  (Pour yourself a stiff cup of coffee before reading.)
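The redirect flow above ends with the provider handing the browser a signed assertion, and section 11 of that specification lists the checks a relying party has to make before it trusts the assertion: the return_to URL, the provider endpoint, the nonce, and the signature over the required fields.  What follows is an added example written for this post, not code from the specification or from the client project: a minimal in-process provider that signs an id_res response with an association's MAC key (HMAC-SHA256 over the key-value form), and a relying party that performs those checks and rejects a replayed, tampered or stale assertion.  The endpoint URLs, the association handle and key, the identifier and the fixed clock value are all constructed for the demo.

```python
"""OpenID 2.0 positive assertion: signed by a provider, checked by a relying
party per spec section 11.  Added illustration, not the client project's
code; URLs, association handle, MAC key, identifier and clock are made up."""
import base64
import calendar
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"
OP_ENDPOINT = "https://op.example.net/openid"            # assumed provider
RP_RETURN_TO = "https://shop.example.com/openid/return"  # assumed RP URL
ASSOC_HANDLE = "assoc-demo-1"                            # assumed handle
MAC_KEY = hashlib.sha256(b"demo association secret").digest()  # constructed
NONCE_SKEW = 300  # seconds of clock skew tolerated; assumed RP policy
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity")

def kv_form(signed, fields):
    """Key-Value form (spec 4.1.1): 'name:value\\n' per signed name, in order."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()

def provider_redirect(claimed_id, return_to, now=None):
    """Provider side: sign an id_res assertion and build the redirect URL."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    fields = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": stamp + secrets.token_urlsafe(6),
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.signed": ",".join(REQUIRED_SIGNED),
    }
    mac = hmac.new(MAC_KEY, kv_form(REQUIRED_SIGNED, fields), hashlib.sha256)
    fields["openid.sig"] = base64.b64encode(mac.digest()).decode()
    return return_to + "?" + urlencode(fields)

class RelyingParty:
    def __init__(self):
        self.seen_nonces = set()  # spec 11.3: keyed per OP endpoint in practice

    def verify(self, request_url, now=None):
        """Return the verified claimed identifier, or raise ValueError."""
        parts = urlsplit(request_url)
        f = dict(parse_qsl(parts.query))
        if f.get("openid.ns") != OPENID_NS or f.get("openid.mode") != "id_res":
            raise ValueError("not an OpenID 2.0 positive assertion")
        # 11.1  return_to must match the URL this request arrived on (scheme,
        # authority, path) and its query parameters must be present unchanged.
        rt = urlsplit(f.get("openid.return_to", ""))
        if (rt.scheme, rt.netloc, rt.path) != (parts.scheme, parts.netloc, parts.path):
            raise ValueError("return_to does not match this request")
        if any(f.get(k) != v for k, v in parse_qsl(rt.query)):
            raise ValueError("return_to query parameter altered")
        # 11.2  Only the discovered provider may answer, under an association we hold.
        if (f.get("openid.op_endpoint"), f.get("openid.assoc_handle")) != (OP_ENDPOINT, ASSOC_HANDLE):
            raise ValueError("unexpected provider or association")
        # 11.3  Nonce: timestamp inside the skew window and never seen before.
        nonce = f.get("openid.response_nonce", "")
        try:
            issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
        except ValueError:
            raise ValueError("malformed response_nonce") from None
        now = time.time() if now is None else now
        if abs(now - issued) > NONCE_SKEW:
            raise ValueError("response_nonce outside the acceptance window")
        if nonce in self.seen_nonces:
            raise ValueError("response_nonce replayed")
        # 11.4  Every mandatory field is signed and the HMAC verifies (constant time).
        signed = f.get("openid.signed", "").split(",")
        if any(k not in signed for k in REQUIRED_SIGNED):
            raise ValueError("a required field is not covered by the signature")
        try:
            expected = hmac.new(MAC_KEY, kv_form(signed, f), hashlib.sha256).digest()
            got = base64.b64decode(f.get("openid.sig", ""))
        except (KeyError, ValueError):
            raise ValueError("malformed signature") from None
        if not hmac.compare_digest(expected, got):
            raise ValueError("signature does not verify")
        self.seen_nonces.add(nonce)  # record only once every check passed
        return f["openid.claimed_id"]

def outcome(rp, url, now=None):
    try:
        return "accepted " + rp.verify(url, now)
    except ValueError as e:
        return "rejected: " + str(e)

if __name__ == "__main__":
    rp, now = RelyingParty(), 1270425600  # constructed clock: 2010-04-05T00:00:00Z
    good = provider_redirect("https://op.example.net/alice", RP_RETURN_TO, now)
    print(outcome(rp, good, now))                                # accepted
    print(outcome(rp, good, now))                                # replayed
    fresh = provider_redirect("https://op.example.net/alice", RP_RETURN_TO, now)
    print(outcome(rp, fresh.replace("alice", "mallory"), now))   # bad signature
```

The nonce is recorded only after every other check passes, so a tampered copy of an assertion does not burn the nonce of the genuine one.  The association step that produces MAC_KEY (the openid.mode=associate exchange, normally protected by Diffie-Hellman) is not shown; a relying party without an association would instead send the assertion back to the provider's endpoint with openid.mode=check_authentication and let the provider verify the signature.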

Consumer Single Sign-on using OpenID

Early this year, I began work with a large Dallas-area client to launch a consumer-facing website that will issue user accounts and deliver single sign-on among and between websites hosted by the company and its partners.  The site will enable users to navigate freely across a wide range of web channels:  e-commerce, social networking, affinity programs, content delivery sites, and others.

As part of that initiative, our team recommended OpenID 2.0 (http://openid.net/) as the technology solution for consumer SSO:

  • OpenID is an authentication protocol that makes it easy for people to sign up for and access web accounts
  • OpenID enables single sign-on between web sites using one account, maintained centrally by the provider, rather than a separate password at each site
  • The protocol gives sites a way to verify the identity of an end user without collecting or storing a password of their own

The typical OpenID implementation integrates a given website (the “relying party”) with a separate third-party website (the “issuing provider”) that issues accounts and manages authentication centrally; the relying party delegates authentication to the issuing provider rather than handling it itself. 

OpenID adoption has grown rapidly, and the US Government is piloting a program to manage citizen access to government resources using OpenID:  http://openid.net/2010/03/03/open-identity-exchange-commences-open-government-pilot-national-institutes-of-health/ 

Our project is unique because our client is launching a new issuing provider website and integrating its other web properties with the new issuing provider (as relying parties) for authentication and single sign-on.  Few companies choose (or need) to become issuing providers, but the unique shape of this client’s industry offers it a great opportunity.  Our team is excited to be helping them deliver – and I am excited to be learning about the emerging technologies in the Identity 2.0 space.

Stay tuned for more…