OpenID: Benefits and Risks

By David Rosen

Last week we defined OpenID. This week we’re going to talk about why you might choose (or not choose) to use OpenID.

As promised, let’s discuss the Benefits…

Simplified Login
Single Username and Password for multiple sites. You only have to authenticate to OpenID one time per session. Once you are logged into your OpenID account, OpenID can automatically log you in to the other websites that you visit.

Unique Web Identity
No more wondering if the post by “CowboysFan” on one website is by the same person as “CowboysFan” on another website. OpenIDs are unique everywhere.

Information Management
OpenID servers have features such as “information profiles”, that let you control how much personal information each particular site has access to. Some sites might only get your name and email address, while you may allow others to automatically get your full contact information.

Decentralized
Anyone can run their own OpenID server. You’re not tied down to any particular company or bound to a proprietary system.

Security
The websites which accept OpenID never get your login information. That information is only shared with your OpenID server. There is also the benefit of a user-customizable security level. You can define your own login method (or methods) for OpenID:

  • Username and Password – just like normal
  • Getting an SMS message that requires you to reply
  • Choosing a sequence of pictures
  • Receiving a phone call on your cell and pressing a button to allow the authentication
  • Fingerprint scanner, USB key, RSA tokens, etc…

As you can see, OpenID can make your online experience smoother and easier. It also provides social benefits, such as a unique identifier. Your online identity already spans multiple websites, but it no longer has to span multiple names. You can be “you” everywhere. The security benefits of OpenID are nice, too. One of the main reasons I use multiple passwords is that I don’t want to use the same password for my online bank that I use for posting comments on a blog. If the blog was set up incorrectly, then my password could be stolen and used maliciously. With OpenID, neither the blog nor the bank would ever see my password to begin with.
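To make the “neither the blog nor the bank ever sees my password” point concrete, here is an added, simplified simulation (not code from this post or from any OpenID library): one identity provider holds the salted, hashed password and returns a signed assertion, and each relying party only ever holds a per-site MAC key with which it checks that signature. It assumes HMAC-SHA256 over sorted `key:value` lines and a randomly generated shared key in place of the Diffie-Hellman association step of the real protocol.

```python
import hashlib, hmac, os, secrets

# Constructed sample data: a single OpenID identity and its salted password hash.
_SALT = os.urandom(16)
def _hash(pw): return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 50_000)
OP_USERS = {"https://alice.example.org/": _hash("correct horse")}

def sign(key, fields):
    # Signature over every field except "sig", in a canonical "k:v\n" form.
    msg = "".join(f"{k}:{fields[k]}\n" for k in sorted(fields) if k != "sig")
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

class OpenIDProvider:
    def __init__(self, users):
        self.users, self.assoc = users, {}   # assoc: handle -> shared MAC key

    def associate(self, rp_realm):
        # Assumption: random pre-shared key instead of OpenID's DH exchange.
        handle = secrets.token_hex(8)
        self.assoc[handle] = secrets.token_bytes(32)
        return handle, self.assoc[handle]

    def authenticate(self, identity, password, handle, return_to):
        # Only the provider ever sees the password; a bad one yields no assertion.
        stored = self.users.get(identity)
        if stored is None or not hmac.compare_digest(stored, _hash(password)):
            return None
        fields = {"identity": identity, "return_to": return_to,
                  "assoc_handle": handle, "nonce": secrets.token_hex(8)}
        fields["sig"] = sign(self.assoc[handle], fields)
        return fields

class RelyingParty:
    def __init__(self, realm, op):
        self.realm = realm
        self.handle, self.key = op.associate(realm)   # a MAC key, never a password

    def verify(self, assertion):
        # Accept only assertions addressed to this site with a valid signature.
        if assertion is None or assertion.get("return_to") != self.realm:
            return None
        if not hmac.compare_digest(assertion["sig"], sign(self.key, assertion)):
            return None
        return assertion["identity"]

def demo():
    op = OpenIDProvider(OP_USERS)
    blog, bank = RelyingParty("https://blog.example/", op), RelyingParty("https://bank.example/", op)
    ok = op.authenticate("https://alice.example.org/", "correct horse", blog.handle, blog.realm)
    bad = op.authenticate("https://alice.example.org/", "wrong", blog.handle, blog.realm)
    forged = dict(ok, identity="https://bob.example.org/")   # tampered assertion
    # Good login passes at the blog; wrong password, tampering, and replay at the bank all fail.
    return blog.verify(ok), blog.verify(bad), blog.verify(forged), bank.verify(ok)
```

Note that a compromise of the blog yields nothing reusable at the bank, while a compromise of the provider account covers both sites at once, which is exactly the trade-off the risks below describe.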

Speaking of security, that brings us to the Risks:

All Your Eggs in One Basket?
If your OpenID account is compromised, you can say “Bye, bye Humpty Dumpty” because everything tied to it is now gone.

Unique Web Identity
Overheard in the breakroom, “Hey look! I just found Bob’s OpenID posted on a personal ad at www.TranssexualNaziEskimos.com!”

Decentralized
Multiple points of failure: If your OpenID server has an outage, you can no longer log in to any of the sites that use it.

Security
Phishing attacks are now a primary threat.

This list might be small, but the items on it are big. Some of the obvious solutions to the issues here break the features presented above. Don’t like having all of your eggs in one basket? Just create multiple OpenID accounts. It’s not the end of the world, but it does start to erode a major selling point, the convenience factor. The most negative point here is Security. OpenID is a ripe target for phishers. “Phishing” is the process of attempting to trick users into handing over their usernames and passwords, or other sensitive information. How? Come back next week for the final segment of OpenID Explained, discussing the phishing risk in greater detail.

8 Responses

  1. I signed up for OpenID, but then I started encountering trouble on sites that used CommentLuv. It seems that OpenID was interfering with the plug-in and not allowing my blog to be parsed. Once I stopped using OpenID the problem was solved.

  2. What about the risks/security concerns for websites ACCEPTING OpenID? If someone logs in and commits credit card fraud with their OpenID, now I have to find their OpenID provider via law enforcement and have them subpoena'd vs having all the information in one place. The upside is there may be other activity the OpenID provider can help identify when subpoena'd.