Regular Internet users know how difficult it can be to manage all of
the different user names and passwords required by the many Web sites
they frequently visit. Wouldn’t it be better if there were a simple
and secure way to log on to all Web content?
See the complete Inc. have attacked the “single sign-on” problem with
a variety of solutions, none of which has been widely adopted. Windows
Live ID, for example, only works with Microsoft-owned and -affiliated
sites. Critics say that another attempt, Security Assertion Markup
Language, produced by an alliance led by Sun, is too complex and
cumbersome for the average Web site.
Some users are promoting what they say is a simpler solution, created
by a blogging-software developer in San Francisco, that has been
adopted by thousands of Web sites. OpenID, as it’s called, is
attracting serious attention from Microsoft, AOL, Inc., each of which
says it is looking at ways to use the software across its own
extensive Internet properties. Microsoft recently adopted OpenID for
use with its HealthVault Web site, an online service that allows
consumers to store, manage and selectively share medical data.
OpenID is open-source, or nonproprietary, meaning others can adapt it
to their own needs. It was created in 2005 by the blogging-software
company Six Apart Ltd. for users of its , a blogging and social-
networking site that is now owned by the Russia-based Internet company
SUP. The software continues to be used mainly by blogs that require
user IDs and passwords, and by social networks. But proponents predict
it will become an important building block in an industrywide effort
to make it easier to surf the Web without so many passwords.
Such a goal can help online businesses as well. Web-site operators
spend millions each year helping users recover forgotten passwords,
according to Cambridge, Mass.-based Forrester Research Inc. Companies
also lose business whenever a customer fails to negotiate the log-in
process.
“OpenID provides a way of transcending the walled-garden model and
moving freely between different sites,” says Joseph Smarr, chief
platform architect of the social-networking site . Plaxo Inc.,
Mountain View, Calif., is an early adopter of the standard. “This
results in increased traffic, which is not only good for our business,
but everyone else’s too.”
Some critics have raised privacy and security concerns about OpenID,
saying the technology makes it easy for issuers of the IDs to track
users’ activities on the Web. Others cite concerns about vulnerability
to phishing, a form of Web fraud. But more than 22,000 Web sites
already accept OpenID, according to the OpenID Foundation, an
industry-supported nonprofit. Bill Washburn, executive director of the
Portland, Ore., foundation, says he expects that number to reach
50,000 before the end of the year.
Despite its promise, however, OpenID remains a far-from-universal
passport. For example, there are multiple issuers and versions of
OpenID, and each site that uses OpenID decides which version or issuer
it will accept. Major issuers include , a Web site run by JanRain
Inc., an open-source developer and designer of OpenID software based
in Portland, Ore. Yahoo and AOL also issue OpenIDs for use on both
affiliated and nonaffiliated sites, but currently neither company
accepts it on their main Web sites. A spokesperson for JanRain
acknowledges that different versions currently result in inconsistent
user experiences. But the company says that as more sites adopt OpenID
2.0, a new, more secure version, inconsistencies in user experiences
will disappear.
The format of the IDs looks slightly different for each site that
issues them. But they all work on the same principles. Those who go to
MyOpenID.com choose a user name and password and provide an email
address. They will then be assigned a Web-site address that serves as
their OpenID. Afterward, when the users visit selected sites, they
type their OpenID into the dialog box next to the OpenID icon. Their
browser is then redirected to MyOpenID.com, where they type in their
OpenID password.
In this way users can gain access to any OpenID-enabled Web site.
However, they are always bounced back to their OpenID provider to
authenticate their identity. So OpenID doesn’t eliminate the need to
log in altogether, but it enables users to use the same credentials to
sign into different Web sites.
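An added example, not part of the original article, of the redirect-and-return exchange described above as seen from the accepting site, using OpenID 2.0 parameter names. It assumes the provider's endpoint has already been discovered and a shared signing key (an HMAC-SHA256 association) is in place; the example hosts, user and key are constructed.

```python
import base64, hashlib, hmac
from urllib.parse import urlencode, urlparse

OPENID2_NS = "http://specs.openid.net/auth/2.0"
# Fields an OpenID 2.0 provider must cover with its signature.
MUST_SIGN = {"op_endpoint", "return_to", "response_nonce",
             "assoc_handle", "claimed_id", "identity"}

def build_auth_redirect(op_endpoint, claimed_id, return_to, realm):
    """URL the site redirects the browser to so the provider can log the user in."""
    if urlparse(op_endpoint).scheme != "https":  # site policy in this example
        raise ValueError("provider endpoint must use HTTPS")
    return op_endpoint + "?" + urlencode({
        "openid.ns": OPENID2_NS, "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
        "openid.return_to": return_to, "openid.realm": realm})

def sign_fields(mac_key, fields, signed):
    """Base64 HMAC-SHA256 over the 'key:value\\n' form of the signed fields."""
    text = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed.split(","))
    return base64.b64encode(
        hmac.new(mac_key, text.encode(), hashlib.sha256).digest()).decode()

def verify_assertion(fields, mac_key, return_to, op_endpoint, seen_nonces):
    """Return the claimed identifier if the provider's answer checks out, else None."""
    try:
        signed = fields["openid.signed"]
        ok = (fields["openid.mode"] == "id_res"
              and MUST_SIGN <= set(signed.split(","))
              and fields["openid.return_to"] == return_to
              and fields["openid.op_endpoint"] == op_endpoint
              and fields["openid.response_nonce"] not in seen_nonces
              and hmac.compare_digest(
                  sign_fields(mac_key, fields, signed).encode(),
                  fields["openid.sig"].encode()))
    except KeyError:  # a required field is missing
        return None
    if not ok:
        return None
    seen_nonces.add(fields["openid.response_nonce"])  # refuse replays
    return fields["openid.claimed_id"]

def sample_response(mac_key):
    """Constructed provider response for a made-up user, for demonstration only."""
    f = {"openid.mode": "id_res", "openid.op_endpoint": "https://op.example/auth",
         "openid.claimed_id": "https://alice.op.example/",
         "openid.identity": "https://alice.op.example/",
         "openid.return_to": "https://site.example/openid/return",
         "openid.response_nonce": "2008-06-01T12:00:00Zabc123",
         "openid.assoc_handle": "h1", "openid.signed": ",".join(sorted(MUST_SIGN))}
    f["openid.sig"] = sign_fields(mac_key, f, f["openid.signed"])
    return f
```

The site never sees the user's password; it only accepts a signed answer that names the expected provider endpoint and return address and carries a nonce it has not seen before.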
Figuring out which sites accept which version of OpenID is mostly done
by trial and error, although it’s fairly common for sites to trust
MyOpenID as an identity provider. Some sites have an OpenID selector
or a pop-up menu with a list of the OpenID providers they accept.
Registered Yahoo users can get OpenIDs from . Yahoo.com itself still
requires members to sign in with a unique and Yahoo-specific user name
and password and doesn’t accept OpenIDs from other providers. “We’re
still in the evaluation and development phase,” says Raj Mata, senior
director in Yahoo’s membership platforms division. “As the technology
matures and consumers become more comfortable with OpenID, we’ll
explore how best to incorporate it into our properties and across the
Yahoo Network.”
Time Warner Inc.’s AOL incorporates users’ AOL or instant-messaging
screen names into the OpenIDs that it issues. While AOL itself doesn’t
accept sign-ins using its OpenID, it will work on such AOL sites as .
The company says it is working on adopting technology that will allow
it to roll out OpenID across its larger sites, including AOL itself.
Representatives of AOL and Yahoo, meanwhile, say it is likely at some
point in the future that each company will accept OpenIDs issued by
the other.
Privacy advocates have criticized OpenIDs because the companies that
issue them theoretically can track all of the Web sites that users
visit, giving the issuer a much more coherent view of a person’s
online activity than was previously possible. OpenID issuers could
then offer marketers targeted advertising opportunities for which they
can charge premium prices, says Pam Dixon, executive director of the
World Privacy Forum, a nonprofit based in Cardiff by the Sea, Calif.
Some security experts and privacy advocates also warn that OpenID
users are at heightened risk from phishing attacks. This is when a
fake Web site masquerades as a real one to capture user names,
passwords and other sensitive information such as credit card details.
Obtaining someone’s OpenID could provide a master key to many of the
Web sites the OpenID user frequents, along with personal data the user
has divulged on those sites.
The OpenID Foundation’s Mr. Washburn concedes phishing is a valid
concern, but says this criticism can be directed at most of the Web,
where users and sites interact with relatively little security.
Moreover, he says, OpenID in its current form isn’t meant to become
the dominant protocol for single sign-ins. As an open-source
technology, he says, it is simply a platform for others to build on.
Several OpenID providers are looking for ways to bolster the
software’s security features and so make it better protected for
commercial transactions. Recently AOL partnered with VeriSign Inc. to
bring AOL users a strong authentication option, whereby they can use
their AOL-issued OpenIDs in combination with security tokens issued by
VeriSign, a Mountain View, Calif., provider of third-party-
authentication solutions.
Microsoft, meanwhile, is using OpenID to authenticate users of its
HealthVault medical-records site. The site accepts authentication from
two OpenID providers: VeriSign and TrustBearer Labs, a privately held
provider of authentication devices such as smart cards, based in Fort
Wayne, Ind.
A Microsoft spokesperson says the software giant is also looking at
incorporating OpenID into some of its other products, but that
compatibility issues remain. The spokesperson says vulnerability to
phishing is a concern, and that Microsoft is working with a number of
companies on a possible fix.
Meanwhile, Mr. Washburn sees increasing opportunities in a wide-open
playing field. “It is not a competition where one technology will
emerge as the clear victor, such as was the case with Blu-ray vs. HD-
DVD,” he says. In the end, he says, “there will be no one solution,
but instead a well-articulated array of flourishing identity services
catering for the massive spectrum of needs out there.”
—Ms. Mills is a reporter for Dow Jones Newswires in London.
Write to Elaine Mills at .