Expert Texture Home Contact me About Subscribe Digipede Connect on LinkedIn rwandering on Twitter rwandering on FriendFeed

rwandering.net

The blogged wandering of Robert W. Anderson

How many OpenIDs do I need?

The Internet Identity Workshop 2008a (aliases IIW2008a and IIW6) got me thinking more about the problem of having so many distinct logons across the Internet.

Solving this problem is one motivation of the OpenID project.  OpenID and other technologies (like SAML and Information Cards) help us share credentials across sites, allowing us to simplify this problem of having too many sets of credentials, but they don’t make the problem go away.  Even if all sites accepted OpenID (as Relying Parties), one set of credentials is just not a good idea.   Why?

  • If your credentials get stolen all online accounts that share those credentials are also compromised.  Given that OpenID providers tend to store a list of sites that you have approved, a thief could also gain access to that list, making it very easy to quickly find and logon to those accounts.
  • Cross-service correlation — the ability to match your accounts across multiple services.  While it is possible without multiple credentials and logons, it becomes easier when the credentials are the same.  Perhaps you don’t want to make it any easier for your services to share your data?  Or for the government to correlate it?

Of course, OpenID isn’t the problem here.  These problems exist without unified identity.  For example, many people re-use credentials from site to site making it possible for stolen credentials to be used in many places.  This similar problem is often worse in that it also engenders weak passwords plus you’ve shared your password with many services who may get your credentials in the clear.  Correlation today is also trivial when people tend to choose the same logon again and again (e.g., rwandering) or the logon is actually just your email address. 

So, these problems aren’t so new.  And while they do represent good reasons not to have a single identity, having 273 separate logons is too many.  So, how many identities do I need?  Where is the middle ground between 1 global identity and 1 logon per service?

I think this is particularly important with campaigns like Demand OpenID going on. 

So, if this hasn’t happened already, it would be useful for the community to develop some material to help users make choices about sharing their credentials between sites.  This would help users make better decisions on how to use OpenID.

Is someone working on this?

Tags: , , , , ,

    Trackback

2 Comments »

    Expert Texture » OpenID isn’t ready for prime time wrote @ May 22nd, 2008 at 6:40 pm

[...] other day, I wrote How many OpenIDs do I need?  The premise was that the Identity Community needs to help educate users on the choices [...]

    Expert Texture » OpenID and the Relying Party Patchwork wrote @ June 24th, 2008 at 12:11 pm

[...] Sharing one credential across all of your Internet services is not a good idea.  See How many OpenIDs do I need? [...]

Your comment

HTML-Tags:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>