Late last week, it came out that Twitter had implemented some new security methods. Twitter had been talking about OAuth support for some time, so this was not an unexpected development. However, as with many blog posts, the conversation around it is sometimes more interesting than the news itself. On FriendFeed, a comment from Frode Stenstrom triggered some thought:
The race is on as to who will become the de facto identity service standard. The one company that holds the most identities will have a lot of power. The good thing is the competition between many players. Anyone remember the old Microsoft Passport everyone hated? This is all about trust, and competitive services will have to improve security so that more people will choose their service…
Obviously, having a de facto standard supplied by one provider would be a bad thing. Generally speaking, all single points of failure are bad. If that one provider had a problem, how would we authenticate to our services? Granted, I am not an expert on OpenID; we have Chris Messina for that. However, the basic idea of OpenID is to be open:
OpenID is an open, decentralized, free framework for user-centric digital identity.
OpenID is decentralized, so many of your existing internet accounts may already be usable as an OpenID. However, what if that provider goes down for a day, or worse, for a week or longer? There needs to be some level of interoperability here as well. What I mean is that if I use WordPress.com as my OpenID provider for most sites, what happens if their OpenID service is down? Can I log in using a Technorati account? Right now, my understanding is that I cannot. I will be able to log in using Technorati as my OpenID provider, but since the identifier is different, the site will see me as a different user.
This is where the idea of a federated identity becomes important. I am not sure if “federated identity” is the right term, so feel free to bash my terminology in the comments. The idea is that there needs to be some distributed concept of what an identity is. As I stated earlier, I have accounts with WordPress and Technorati. So, how do we know that these are the same person? How can we reliably link these together, as well as the several other accounts that I have?
Most people may answer that OpenSocial and other social graph technologies (like FOAF and XFN) are the answer, but they are currently separate from identity services like OpenID. OAuth is closer to being a bridge between these technologies, but it is an authorization model (granting a third party permission to act on your account) rather than the authentication model (proving who you are) that OpenID provides. I think OpenID and OAuth should really be merged into one standard, since we really need both. Taking baby steps with security and identity services will make them more difficult to adopt. Creating one solution with many implementations will benefit everyone.
So, consider this a plea to the folks working on OpenID, OAuth, OpenSocial, FOAF, XFN and anything else security related, to get in a room and figure out what is the best thing to do for the users. I know everyone wants to own the identity, but that is probably bad for the user.
9 thoughts on “Can OpenID and OAuth Lead Us To Manageable Security?”
Currently, users have basically two options when their preferred provider goes down, becomes evil,…
The first one is rather simple: relying parties (= sites accepting OpenID) allow users to associate more than one OpenID with their accounts. Some already do that.
The second option is called delegation. If users use e.g. their blog URL as an OpenID, they can add some simple HTML code to the head section of their blog. That code tells the relying party where the OpenID provider is located. So, for example, if regulargeek.com is your OpenID and you use delegation, it doesn’t matter if your real provider is myOpenID.com, Yahoo!, ClaimID, WordPress.com,… You can simply change the HTML code, but your OpenID will always remain regulargeek.com. See also a post by me about that topic: http://spreadopenid.org/2009/02/25/delegation-made-easy/
OpenID and OAuth are being merged already. A draft already exists. Also Google has a demo up: http://googlecodesamples.com/hybrid/
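The delegation mechanism described in the comment above, seen from the relying party's side, as an added example (not code from the post or from any commenter): the relying party fetches the page at the user's claimed identifier and reads the provider endpoint and the provider-local identifier from `<link>` tags in its `<head>`, so the owner can move between providers while the identifier the site keys the account on stays the same. The HTML pages, hostnames and provider endpoints below are constructed placeholders, not real services.

```python
"""Added example: OpenID delegation discovery as a relying party (RP) does it.
Not code from the original post or any commenter. The HTML pages, hostnames
and provider endpoints below are constructed placeholders."""

from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the user's own page (the claimed identifier) delegating
# to a hypothetical provider. Both the OpenID 1.1 tags (openid.server /
# openid.delegate) and the OpenID 2.0 tags (openid2.provider /
# openid2.local_id) are present. The extra <link> in <body> stands in for
# content an attacker could inject where a page renders user-supplied HTML;
# it must be ignored because discovery only reads <head>.
PAGE_V1 = """<html><head><title>Some blog</title>
<link rel="openid.server"    href="https://provider-a.example/server">
<link rel="openid.delegate"  href="https://alice.provider-a.example/">
<link rel="openid2.provider" href="https://provider-a.example/server">
<link rel="openid2.local_id" href="https://alice.provider-a.example/">
</head><body>
<link rel="openid2.provider" href="https://attacker.example/server">
</body></html>"""

# The same page after the owner switched providers: only the <head> tags change.
PAGE_V2 = PAGE_V1.replace("provider-a.example", "provider-b.example")

# rel token -> (protocol version, field the RP needs)
_REL_TO_FIELD = {
    "openid2.provider": ("2.0", "provider"),
    "openid2.local_id": ("2.0", "local_id"),
    "openid.server":    ("1.1", "provider"),
    "openid.delegate":  ("1.1", "local_id"),
}


class _HeadLinks(HTMLParser):
    """Collect (rel, href) of <link> tags that appear inside <head> only."""

    def __init__(self) -> None:
        super().__init__()
        self.in_head = False
        self.links: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            if a.get("rel") and a.get("href"):
                for rel in a["rel"].lower().split():  # rel may hold several tokens
                    self.links.append((rel, a["href"].strip()))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def normalize_claimed_id(user_input: str) -> str:
    """OpenID 2.0 style normalization of what the user typed: add http:// when
    no scheme is given, lowercase scheme and host, give a bare host a '/' path
    and drop any fragment, so 'regulargeek.com' and 'http://regulargeek.com/'
    denote the same identifier."""
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def discover(claimed_id: str, page_html: str) -> Dict[str, Optional[str]]:
    """Work out where to send the user for authentication.

    Prefers OpenID 2.0 tags and falls back to 1.1. When a provider is declared
    without a local_id/delegate, the claimed identifier itself is the identity
    the provider knows. 'provider' is None when nothing is declared.
    """
    p = _HeadLinks()
    p.feed(page_html)
    found: Dict[str, Dict[str, str]] = {"2.0": {}, "1.1": {}}
    for rel, href in p.links:
        if rel in _REL_TO_FIELD:
            version, field = _REL_TO_FIELD[rel]
            found[version].setdefault(field, href)  # first tag in <head> wins
    for version in ("2.0", "1.1"):
        if "provider" in found[version]:
            return {"version": version, "claimed_id": claimed_id,
                    "provider": found[version]["provider"],
                    "local_id": found[version].get("local_id", claimed_id)}
    return {"version": None, "claimed_id": claimed_id,
            "provider": None, "local_id": None}


def assertion_is_for(disc: Dict[str, Optional[str]], asserted_identity: str) -> bool:
    """After the provider redirects back, the RP checks that the identity in
    the (signature-verified) assertion equals the local_id it discovered
    itself, not whatever the response claims, and then keys the account on
    claimed_id. Without this check any provider could assert any identifier."""
    return disc["provider"] is not None and asserted_identity == disc["local_id"]


if __name__ == "__main__":
    cid = normalize_claimed_id("regulargeek.com")
    before, after = discover(cid, PAGE_V1), discover(cid, PAGE_V2)
    print(before["provider"], "->", after["provider"], "| account key:", after["claimed_id"])
```

The check that matters for the failover scenario is in `assertion_is_for`: the relying party trusts only what it discovered itself from the claimed identifier's page, so switching the `<head>` tags from one provider to another changes where the login goes but not which account the site associates with `http://regulargeek.com/`. The flip side is that whoever can edit that HTML (or tamper with the RP's fetch of it, which is why the RP should fetch it over HTTPS) decides where authentication is sent, so the page hosting the tags must be at least as well protected as the provider it points to.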
I rarely expect any sites to allow more than one identity for an account. I am sure there are some, but most of the time it seems to be a one-to-one relationship. It is an interesting idea though.
I like the delegation idea, but I think that will be beyond most people. I am thinking about the non-tech masses that use some of these sites. Most of them would have no idea how to do the delegation, even with instructions. I had not heard about the hybrid model for OpenID and OAuth. I will have to take a look.
Carsten’s delegation suggestion is spot-on. I agree that it’s beyond the average user to switch delegates at will when an OpenID provider happens to go down, but it doesn’t *have* to be so difficult. It’s just a few lines of HTML that could be handled by a wrapper or applet or something.
The hard part there is finding a place to store your delegating OpenID. If you’re using delegation as a failsafe mechanism, you’d want the displayed OpenID to be somewhere even more reliable than the places you’re delegating to. Once you take that step, why not just use the primary as your OpenID instead of delegating?
Man, that comment made my head hurt, I hope it makes sense on the page.
Your comment makes sense, but the fact that it makes your head hurt points to the general complexity of the idea. I am thinking in terms of end users, not really the readers of this blog who are likely very technical.
I like the delegation, but there would likely need to be some sort of automation or something to make it easy for normal people.
I disagree with most things said! But then again, who am I to decide? Some good points taken, though 🙂
Delegation is a good solution for geeks today. It can be made easier, but since the barrier is being able to edit the source of a webpage or website, that is more likely the limiting factor, rather than how hard delegation is, by itself.
Carsten is right about associating multiple identifiers with a single remote account, though that can be tedious. If a site allows you to sign in with OpenID and then requires you (or gives you the option) to associate a verified email to your account, they’re already set up for allowing you to have backups for accessing your account.
I’m going to blog about the OAuth and OpenID situation. While you raise a good observation (essentially: “why can’t we all just get along?”) the issue is both more complicated and more nuanced than just merging the protocols.
On one level, the two protocols have different legal agreements associated with them; on another, they serve as better complements than as a monolithic protocol. That isn’t to say that they won’t grow closer together over time — only that there are reasons why we have two protocols today instead of one. The Google Hybrid stuff is definitely promising though, and is probably the necessary in-between step towards getting to what you’re talking about.
Yes, associating an email is a good option as well.
I also agree with Rob that delegation can be made easier. Delegatid.com is a great service. There just need to be some plugins for blogging platforms, though, and then it will be even better.
And yes, delegation usually works only for people who run blogs and other websites themselves. Services like DandyID may help here. The DandyID profile URL can be delegated to an OpenID provider. But then, signing up for another service only for delegation is probably not a viable solution.
It is good to hear that everyone involved is thinking about OpenID, OAuth and the connection between the two. The whole security space is still very tech/geek, and I am trying to think about it from the user perspective to see how far we really are.
Feel free to disagree with me, especially on security. I am not a security expert, so some would say I have no business talking about it. The reason I leave comments open is so I can hear various opinions. You never know who you are going to learn from on any given day.