One single password for the whole internet? It’s a dream many have.
But reality looks quite different. Usually, every new registration requires a new login and password. Before long, half the time one spends online is used up remembering passwords.
But now, systems like OpenID, Google Friend Connect and Facebook Connect have been created to provide a little help and do away with the never-ending registrations. To do so, they’ve presented themselves as kinds of skeleton keys for the web. But there is good and bad to these systems.
ADVERTISEMENT
All the systems are based on the same idea: making sure users no longer have to register a new account for each online service.
Instead, these connection services operate on a single sign-on principle, with only one logon needed.
“The idea is to bring your own identity along with you,” says Axel Nennker, member of the directorate of the OpenID Foundation, whose day job is with Deutsche Telekom.
ADVERTISEMENT
It’s not just a memory aid, it also boosts security. If a person only needs to remember one password, it can be made more complicated, thus enhancing security.
Amongst the various single sign-on initiatives, OpenID has long been considered the industry standard. Giants like Google, Yahoo, Microsoft and Paypal use the protocol, which was developed in 2005, as do a series of smaller companies. The true number of users is unknown, but likely very large.
The system is designed to be decentralized. Users can set up their OpenID account with a number of sites, whether Google, Yahoo or specialist sites like MyOpenID. Indeed, anyone interested can register on any website that supports the standard. According to numbers released by the OpenID Foundation in 2009, that includes 9 million sites worldwide.
Small users overwhelmingly allow access via OpenID, while most larger entities limit themselves to distributing IDs.
Members have to look for the OpenID logo, a gray half-circle with a pointer at one end. When registering, they are asked to enter their OpenID URL. Here, it’s best to enter the web address of the entity where the OpenID account was created: yahoo.com, for example.
This opens a window, where access data is entered, as usual -- in this case, that for the Yahoo account. The server generates an internet address, or URL and sends it to the destination website, where registration then occurs automatically.
Some websites ask for some basic data, like name and mailing address. Some forums allow anonymous registration.
“Providers like Google only confirm that ‘An OpenID user is registering now,’” says Nennker.
Having one identity for multiple websites may sound great, but the system still hasn’t made the breakthrough to mainstream use. One problem is that the service remains relatively unknown.
“A lot of users don’t even know that they have an OpenID,” says Nennker. Google, Yahoo and the others only passively direct users -- if they do so at all -- to the option. If you don’t look for it, you won’t find it.
The OpenID Foundation hopes to overhaul the standard. OpenID Connect should be easier to integrate for developers and also provide some improvements for users -- such a logins with basic email addresses. There are also plans to expand the service to other technical platforms, like mobile phone apps.
But the competition is picking up, especially since Facebook Connect is coming online.
“Everyone knows what Facebook is. And it’s a lot easier to understand that Facebook can manage your identity than it is to believe the same of an unknown entity named OpenID,” noted US magazine Wired recently.
Superficially, Facebook Connect and OpenID resemble one another.
Clicking on either’s icon opens a new window where data is to be entered.
But the US company goes further. Unlike OpenID, as soon as they register -- in a discussion forum for example -- users can see who else from their social network is already there. Additionally, comments about activities elsewhere can be posted on one’s Facebook page for friends to see.
That’s one reason why a lot of groups are leaning toward Facebook Connect: “They get a piece of the user pie.” Regardless of Facebook Connect or OpenID, data privacy experts advise using caution.
“Services like Facebook Connect that offer a single sign-on solution can help users save time. But a successful attack on a user account makes the potential of these attacks that much more dangerous and allows the misuse of all data that the user has saved with various services,” says Johannes Caspar, data security commissioner for the German city-state of Hamburg. Just looking at some of that access data could open the door for identity theft.