OpenID

OpenID (English for "open identification") is a distributed authentication system for web-based services. It allows a user who has logged in once with a username and password at his so-called OpenID provider to sign in to every site that supports the system (the so-called relying parties) using only his so-called OpenID (a URL, in this context also called an identifier), without a further username and password.

OpenID is decentralized in structure and uses the concept of URL-based identity. In this respect it resembles the Liberty Alliance Project, but the system is far less complex. Because of the decentralization, anyone can be an OpenID provider and operate an OpenID server.


Use

Basic principle

To log in with OpenID, an OpenID identity is required. Such an identity is provided by an OpenID provider. Because of OpenID's decentralized architecture there are many different OpenID providers. Since the protocol is open, implementations exist in many programming languages. The software, released exclusively under open-source licenses, can be installed on one's own server, so anyone can become an OpenID provider with relatively little effort. For this reason, many websites additionally assign one (or more) OpenID identities to their user accounts.

An OpenID has the form of a URL. Usually the user name is a subdomain of the OpenID provider: benutzername.example.com. Some providers instead use the user name as a path in the URL: example.com/username. To remain independent of a specific provider with one's OpenID, it is recommended to use, wherever possible, a unique URL on one's own web space as the OpenID. This approach is called delegation.
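As an added example (not code from the original article or from any OpenID library), this is how a relying party turns the typed OpenID into a claimed identifier and, through the HTML-based discovery of OpenID 2.0, finds the provider endpoint and the delegated local identifier; the homepage, the provider and the host names are constructed assumptions.

```python
"""OpenID identifier normalisation and HTML-based discovery (added example,
not code from the original article; runs on an embedded, constructed page)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(user_input: str) -> str:
    """Turn what the user typed into a canonical claimed-identifier URL."""
    s = user_input.strip()
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s                     # "example.com" -> "http://example.com"
    parts = urlsplit(s)
    # Host names are case-insensitive; a fragment is never part of the identifier.
    return urlunsplit((parts.scheme, parts.netloc.lower(), parts.path or "/",
                       parts.query, ""))


class _LinkTags(HTMLParser):
    """Collect rel -> href from the <link> tags of an HTML page."""
    def __init__(self):
        super().__init__()
        self.links = {}
    def handle_starttag(self, tag, attrs):
        if tag == "link":
            a = dict(attrs)
            for rel in (a.get("rel") or "").split():
                self.links[rel.lower()] = a.get("href")


def discover(claimed_id: str, html: str) -> dict:
    """Find the provider endpoint and, with delegation, the local identifier.
    The user's own URL stays the claimed identifier; the provider-assigned
    identity named by openid2.local_id (1.1: openid.delegate) is what the
    provider actually authenticates and what the RP sends as openid.identity."""
    p = _LinkTags()
    p.feed(html)
    endpoint = p.links.get("openid2.provider") or p.links.get("openid.server")
    local_id = p.links.get("openid2.local_id") or p.links.get("openid.delegate")
    if endpoint is None:
        raise ValueError("no OpenID provider declared at " + claimed_id)
    return {"claimed_id": claimed_id, "op_endpoint": endpoint,
            "identity": local_id or claimed_id}


# Constructed sample: a personal homepage delegating to a hypothetical provider.
SAMPLE_HOMEPAGE = """<html><head><title>Alice</title>
<link rel="openid2.provider" href="https://openid.example.net/server">
<link rel="openid2.local_id" href="https://benutzername.example.net/">
</head><body>My homepage</body></html>"""
```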

Websites that support OpenID as a login method can continue to offer a classic login (user name with password) alongside the OpenID login, or drop the classic login entirely. In the latter case, functions such as "Forgot password" no longer need to be implemented, and since user names and passwords are no longer stored, the website operator no longer has to spend the security effort of protecting them. This effort shifts to the OpenID provider and is thus also decentralized.

Details of use

An OpenID can be specified during the registration of a new user account with a web page that supports login with OpenID. Here the website operator can use the so-called OpenID Simple Registration to obtain nine basic pieces of information from the OpenID provider (provided the OpenID user agrees to this process and has previously deposited the corresponding information with the OpenID provider). Thus it is no longer strictly necessary to enter, for example, one's e-mail address and name when registering at an OpenID-enabled website. Not all nine possible pieces of information are always actually used by website operators. The disadvantage of exclusive OpenID use, on the other hand, is that classic elements such as user names often cannot be used, so that a full registration is preferred.

For an existing "classic" user account on an OpenID-enabled web page, it is usually possible to add one or more OpenIDs later, or to remove them again. Once an OpenID has been successfully connected to the user account, it can be used instead of the usual login with user name and password.

For the OpenID login process, the user is redirected to the login page of the OpenID provider, where the actual login takes place. Next, a page identifying the requesting website is shown, which has to be confirmed for security reasons. If the user has marked the web page for which the login is requested as trustworthy, this confirmation page can be disabled with some OpenID providers so that it no longer appears on further OpenID logins. After the login has been confirmed by the OpenID provider, the user is returned to the actual site in a logged-in state. The login data exchange can be arranged so that the website receives up to nine pieces of information from the connected OpenID account at each login, so they are always up to date; the user then only needs to maintain this basic information at the OpenID provider. The user can also permanently consent to the transfer of the data to the website and then does not have to confirm it at each login.

Some OpenID providers and OpenID-enabled website operators have implemented, in addition to Simple Registration, the newer OpenID Attribute Exchange protocol for data sharing. In that case the data supported by both sides is transferred. Again, the user has full control over their data and its dissemination.
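As an added example (not code from the original article or from any OpenID library), this relying-party code builds the Simple Registration request for some of the nine fields described above and, on the constructed provider response below, accepts only the fields the provider actually signed; the field list and namespace URI are those of the SREG 1.1 extension, and the user data is made up.

```python
"""Relying-party handling of the OpenID Simple Registration (SREG) extension:
added example, not code from the original article; the response is constructed."""

SREG_NS = "http://openid.net/extensions/sreg/1.1"
# The nine profile fields the extension defines.
SREG_FIELDS = ("nickname", "email", "fullname", "dob", "gender",
               "postcode", "country", "language", "timezone")


def sreg_request_params(required, optional=()):
    """Extension parameters the relying party adds to its authentication
    request; the alias 'sreg' is bound to the namespace via openid.ns.sreg."""
    unknown = (set(required) | set(optional)) - set(SREG_FIELDS)
    if unknown:
        raise ValueError("not SREG fields: " + ", ".join(sorted(unknown)))
    params = {"openid.ns.sreg": SREG_NS}
    if required:
        params["openid.sreg.required"] = ",".join(required)
    if optional:
        params["openid.sreg.optional"] = ",".join(optional)
    return params


def extract_sreg(response, required):
    """Profile data from a positive assertion whose signature was already
    verified. Only fields listed in openid.signed are trusted: the assertion
    passes through the user's browser, so unsigned values could be altered."""
    if response.get("openid.ns.sreg") != SREG_NS:
        return {}
    signed = set(response.get("openid.signed", "").split(","))
    data = {f: response["openid.sreg." + f] for f in SREG_FIELDS
            if "openid.sreg." + f in response and "sreg." + f in signed}
    missing = [f for f in required if f not in data]
    if missing:
        raise ValueError("required SREG field(s) missing or unsigned: "
                         + ", ".join(missing))
    return data


# Constructed positive assertion from a hypothetical provider: 'language'
# is present but not signed, so it must be ignored.
SAMPLE_RESPONSE = {
    "openid.ns.sreg": SREG_NS,
    "openid.sreg.nickname": "alice",
    "openid.sreg.email": "alice@example.org",
    "openid.sreg.language": "de",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.sreg,sreg.nickname,sreg.email",
}
```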

Development

The underlying protocol was developed in 2005 by Brad Fitzpatrick, founder of LiveJournal. Meanwhile, OpenID is further developed by Six Apart Ltd. alongside Fitzpatrick and by David Recordon, who moved to VeriSign, and it is mostly used together with Yadis or XRIs.

In June 2007 the OpenID Foundation was founded in the U.S.; its mission is the management of copyright and trademark rights and marketing. Its goal is to promote the dissemination and protection of OpenID. In the same month the OpenID Europe Foundation was established in Belgium, which pursues the same goals in Europe.

In December 2007 the OpenID 2.0 specification was adopted; some providers as well as some sites using OpenID (e.g. Yahoo!) now support it exclusively. Until every site supports OpenID 2.0, not every OpenID can be used everywhere.

Comparable systems that offer more functions at higher complexity are the projects Shibboleth, Liberty and CardSpace, which build on the Security Assertion Markup Language (SAML).

The OpenID Foundation intends to supplement the OpenID standard with the Account Chooser service. Above all, the Account Chooser is meant to be easier to use.

Dissemination

Besides scattered small blogs and web portals, industry giants have implemented the standard and ensure wide dissemination. Yahoo has implemented support; other companies such as Google, IBM, Microsoft, Myspace, PayPal and VeriSign also back the standard and in part already use it. Thus the number of active accounts rises to 368 million (as of January 2008). The possible uses of these accounts are at present still limited, because these providers assign OpenID URLs to their users but do not allow any foreign account to log in to their own pages.

However, in April 2009 Facebook announced the full implementation of OpenID. Meanwhile it is possible for Facebook users to authenticate with OpenIDs from any provider. Thus the potential user base of OpenID rises to at least 845 million.

Google has so far integrated OpenID only for Yahoo customers. At first sign-up, no e-mail needs to be sent anymore; instead, the user is redirected to Yahoo's OpenID service.

According to the German Federal Office for Information Security, approximately 50,000 sites accepted OpenID in the third quarter of 2009.

Criticism

OpenID's technology is vulnerable to phishing attacks. This is because a redirect to the OpenID provider's page is necessary. The operator of a site that uses OpenID for login can easily redirect instead to a page that resembles the provider's page but acts as a proxy and forwards the user name and password to the operator.

However, the OpenID architecture makes it easier for the user to validate a login page's authenticity, because the security-relevant features of only one login page have to be remembered instead of several, as is the case without single sign-on. OpenID providers can also provide more security by setting cookies, displaying an individual picture, comparing the HTTP Referer with the requester's IP, or using a client-side TLS certificate for authentication. The latter in particular is supported by more and more providers.
