Thursday, December 27, 2007

Cool Technology of the Week

Over the past 2 months, I've been evaluating technologies to support flexible work arrangements such as working from home. I've tried MSN messaging, Yahoo IM, AOL AIM, Second Life, Wikis, Blogs, Facebook and Webex. Each one of these sites required me to establish a new user account. To be honest, I cannot remember which username and password is used with which site. OpenID is the cool technology of the week that can help solve this mess by creating "single sign on" across many vendor products.

The idea is simple - a web site serves as a trusted site for OpenID credentials. Other websites then trust this site, using it to authenticate users via simple well known internet standards ((URI, HTTP, SSL, Diffie-Hellman). By using OpenID, websites such as AOL, Technorati, Blogger, and Plaxo make it easy to signup and login, empowering users with one credential for all their instant messaging, blogging and social networking needs. The complete directory of all internet applications which support open ID is here. It's estimated that there are over 160-million OpenID users with nearly ten-thousand sites supporting OpenID logins.

There are caveats. Anyone can sign up to be a source of OpenIDs, so an unsuspecting user may sign up for credentials on an inscrutable site. Once their OpenID credentials are known, they could be used to by a hacker to break into banking or other sites not specifically OpenID enabled, since most users tend to reuse similar credentials at every site they access. There is no concept of certifying an OpenID provider or running a criminal record information check on folks who operate OpenID sites.

That being said, the OpenID, is certainly useful for those sites where security and identity pose little risk such as social networking and informational web sites. Also, OpenID could be very useful for intranets, where the provider of the OpenID is the institution itself and users then use OpenID to access applications running within the institution. In my next revision of the Harvard portal called eCommons, I will support OpenID as a means of linking together all the various domain credentials used in the Harvard environment.

In my opinion, the internet will eventually move to the concept of federated trust for authentication such as OpenID. OpenID will become even more powerful and useful when there is a credentialing mechanism to certify providers are trustworthy.


Adrian Gropper said...

OpenID is also worth consideration as a solution to the problem of patient identity on the Internet. The current approach to locating a medical record using Master Patient Index technology has both privacy and scalability problems when extended beyond a single enterprise with a well controlled user population.

Using OpenID, hospitals, labs and other medical services can allow patients to voluntarily specify and control the identity through which their personal medical records are accessed via the Internet. Enterprise identifiers would remain within the scope of the enterprise along with other private information. Federated trust can eliminate the need for government mandated identifiers as patients voluntarily choose the institution that will host their (medical) OpenID. By analogy to credit card federations, a consumer is free to identify herself with the credit card they choose and a merchant is free to accept or decline a credit card. The medical equivalent of a cash transaction would be one where the service is rendered anonymously and web access is restricted to a one-time password or pseudonym.

See Patient ID on the Internet for a more detailed discussion.

Unknown said...

John, Good post! I wanted to point out that there are IdP's who offer a heightened level of security. I work for Vidoop who is first off a security software company, but second an Idp that offers top tier security over it's users IdP account at no cost. There is a lot of talk in the most recent OpenID Spec (2.0) related to authentication for higher risk access. See for some extensive details. Thanks for thinking ahead.

gemstest said...

Hello Jon

here in the UK we are actively considering the adoption of OpenID as the basis for identity management for the National Institute for Health Research (

Dr Ben Toth