
Authentication: OpenID

Zhezhu Wen 2008-12-04

A Traditional Authentication Scheme

But
Problem with traditional authentication
Each server requires unique credentials.
For the end user, this means each web site (app) requires its own credential.
The more websites you register with, the more credential information you need to memorize.

For developers, it is a burden to develop an authentication scheme for each one of them.

Introduction of OpenID
OpenID is a service, framework, and protocol that is revolutionizing the realm of user authentication and identity services. It was started in 2004 by Brad Fitzpatrick. It offers a distributed, reliable, and open way for web sites to authenticate their users and saves web developers from the need to write yet another piece of authentication code.

OpenID Awareness

According to: Independent study on OpenID awareness using Mechanical Turk, 2008

Terminologies for OpenID


End-user
The person who wants to assert his or her identity to a site.

Identifier
The URL or XRI chosen by the end-user as their OpenID identifier.

OpenID provider (OP)


A service provider offering the service of registering OpenID URLs or XRIs and providing OpenID authentication (and possibly other identity services).

Terminologies for OpenID (contd.)


Relying party
The site that wants to verify the end-user's identifier. Sometimes also called a "service provider".

Server or server-agent
The server that verifies the end-user's identifier. This may be the end-user's own server (such as their blog), or a server operated by an identity provider.

User-agent
The program (such as a browser) that the end-user is using to access an identity provider or a relying party.

The OpenID Authentication Scheme

The OpenID Authentication Flow

Practice
Log in to the MIT tech review website with the OpenID provider http://www.myopenid.com

Advantage of OpenID
For Business,
Lower cost of password and account management.
Makes it easier for users to come and join the online service.

For Users,
Open, decentralized, free, user-centric authentication mechanism.

For Developers,
Reuse of existing technology (URL, HTTP, SSL, etc.)

Current & Future


The OpenID Foundation (corporate members and community members) was formed to assist with the model's needed infrastructure and to provide general help.
As of November 2008, there are over 500 million OpenIDs on the Internet.
Approximately 27,000 sites have integrated OpenID consumer support.

Criticism, Alternatives
Vulnerable to phishing attacks, for example a zombie OP.
Uncomfortable truth: it is open source and free.
Alternative recommendations for the specification.
Aggressive Facebook Connect from the other side.

REFERENCES
Protocol specification Ver 2.0, http://www.openid.net
Independent study on OpenID awareness using Mechanical Turk, 2008
OpenID and Rails: Authentication 2.0, 2008
Google offers limited support for OpenID, 2008

Click the name of articles for originals.
