Each time a person registers with a new website, they are required to share personal identifying information. This can include names, addresses, email addresses, phone numbers, and usernames and passwords. This information is vulnerable to a number of threats. Untrustworthy organizations can sell the information, thereby exposing a person to unsolicited telephone calls, mailings, and spam email. Even worse, if hacked or stolen, the information can be used to steal a person’s identity and potentially gain access to their other online accounts.
Aggravating the problem is the fact that the average Internet user has registered accounts with over a dozen websites, so the same personal data sits in a dozen or more databases, any one of which can be breached.
A closely related problem lies in the fact that people must try to remember usernames and passwords for all of the websites with which they interact. To make remembering easier, many people use the same password to access multiple sites. This practice makes every one of their accounts only as secure as the weakest site: a password captured through phishing, click-jacking, or cross-site scripting on one site can then be used against all the others.
In response to problems such as these, the Obama administration is drafting plans for a forthcoming cyber-security effort intended to create an Internet ID for Americans. Although details of the plan are scarce, U.S. Commerce Secretary Gary Locke shed some light on the plan during its announcement this past November at the Stanford Institute for Economic Policy Research, “What we are talking about is enhancing online security and privacy, and reducing and perhaps even eliminating the need to memorize a dozen passwords, through creation and use of more trusted digital identities.”
OpenID is a promising technology intended to bolster cyber-security by solving the multiple accounts and passwords problem. OpenID is a standards-based Single Sign-On (SSO) protocol that allows users to log in to multiple websites using a single login credential. With OpenID, users leverage the authentication services of a third-party identification provider (OpenID provider) to verify their identity and enable login with participating websites (relying parties). This process removes the need to create separate accounts for each website.
By enabling a person to pick a single identity provider, they only need to remember a single username and password. The provider then vouches for the identity of that person when they access a site supporting OpenID. Because the provider shares only the account and profile information the relying party needs, the user's password itself is never transmitted to each website at each login. With OpenID, users are authenticated once and always by the same source. The following summarizes several benefits provided by OpenID:
- Significantly reduces the risk of compromised account information.
- Eliminates password overload and exhaustion—users maintain only one username and password.
- Reduces IT help desk workload, since relying parties no longer need to store or reset account passwords for users who authenticate via OpenID.
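A stripped-down version of the exchange described above, as an added example that is not part of the original article or of any OpenID library: the provider signs its assertion with an association secret shared with the relying party, and the relying party verifies the signature, the return address and a per-response nonce before trusting the claimed identity. Endpoints, identities and the secret are constructed placeholders, and the OpenID 2.0 discovery and association steps are assumed to have already taken place.

```python
import base64, calendar, hashlib, hmac, time

OP, RP_RETURN = "https://op.example/endpoint", "https://rp.example/return"  # placeholders
# Fields an OpenID 2.0 positive assertion must cover with its signature.
SIGNED = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]

def kv_form(fields, signed):
    # OpenID Key-Value Form of the signed fields, in the order given by openid.signed
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)

def op_sign(secret, fields):
    # Provider side: HMAC-SHA256 over the Key-Value Form using the association secret
    out = {**fields, "openid.signed": ",".join(SIGNED)}
    mac = hmac.new(secret, kv_form(out, SIGNED).encode(), hashlib.sha256).digest()
    out["openid.sig"] = base64.b64encode(mac).decode()
    return out

def sample_assertion(secret, nonce="2011-01-10T12:00:00Zabc123",
                     claimed="https://op.example/alice"):
    # Constructed positive assertion, as the provider would redirect it back to the RP
    return op_sign(secret, {
        "openid.mode": "id_res", "openid.op_endpoint": OP, "openid.claimed_id": claimed,
        "openid.identity": claimed, "openid.return_to": RP_RETURN,
        "openid.assoc_handle": "assoc-1", "openid.response_nonce": nonce})

class RelyingParty:
    def __init__(self, secret, max_skew=300):
        self.secret, self.max_skew, self.seen_nonces = secret, max_skew, set()
    def verify(self, resp, now=None):
        # Returns (True, claimed_id) or (False, reason); every check must pass
        want = ("id_res", OP, RP_RETURN)
        if (resp.get("openid.mode"), resp.get("openid.op_endpoint"), resp.get("openid.return_to")) != want:
            return False, "not a positive assertion for this RP from the expected provider"
        signed = resp.get("openid.signed", "").split(",")
        if not set(SIGNED) <= set(signed) or any("openid." + k not in resp for k in signed):
            return False, "required field missing or unsigned"
        try:
            sig = base64.b64decode(resp.get("openid.sig", ""), validate=True)
            nonce = resp["openid.response_nonce"]  # 20-char UTC timestamp + unique suffix
            issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
        except ValueError:
            return False, "malformed signature or nonce"
        expected = hmac.new(self.secret, kv_form(resp, signed).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False, "bad signature"
        if abs((time.time() if now is None else now) - issued) > self.max_skew:
            return False, "stale nonce"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(nonce)
        return True, resp["openid.claimed_id"]
```

A real relying party must additionally confirm that the claimed identifier matches what it discovered before redirecting the user, and, without an association, fall back to a direct check_authentication request to the provider.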
The OpenID protocol is rapidly gaining momentum in the private sector. Many popular commercial websites, including Google, Yahoo, and AOL, already provide OpenID services to their registered account holders. OpenID also has a role to play in open government. In response to the White House’s Open Government Initiative, the OpenID Foundation is working with the U.S. General Services Administration (GSA) to create open trust frameworks for their respective communities.