Solving this problem is one motivation of the OpenID project. OpenID and other technologies (like SAML and Information Cards) help us share credentials across sites, allowing us to simplify this problem of having too many sets of credentials, but they don’t make the problem go away. Even if all sites accepted OpenID (as Relying Parties), one set of credentials is just not a good idea. Why?
- If your credentials get stolen all online accounts that share those credentials are also compromised. Given that OpenID providers tend to store a list of sites that you have approved, a thief could also gain access to that list, making it very easy to quickly find and logon to those accounts.
- Cross-service correlation — the ability to match your accounts across multiple services. While it is possible without multiple credentials and logons, it becomes easier when the credentials are the same. Perhaps you don’t want to make it any easier for your services to share your data? Or for the government to correlate it?
Of course, OpenID isn’t the problem here. These problems exist without unified identity. For example, many people re-use credentials from site to site making it possible for stolen credentials to be used in many places. This similar problem is often worse in that it also engenders weak passwords plus you’ve shared your password with many services who may get your credentials in the clear. Correlation today is also trivial when people tend to choose the same logon again and again (e.g., rwandering) or the logon is actually just your email address.
So, these problems aren’t so new. And while they do represent good reasons not to have a single identity, having 273 separate logons is too many. So, how many identities do I need? Where is the middle ground between 1 global identity and 1 logon per service?
I think this is particularly important with campaigns like Demand OpenID going on.
So, if this hasn’t happened already, it would be useful for the community to develop some material to help users make choices about sharing their credentials between sites. This would help users make better decisions on how to use OpenID.
Is someone working on this?