
Authentication: OpenID

Zhezhu Wen
2008-12-04

1
A Traditional Authentication Scheme

2
But…
• Problem with traditional authentication
– Each server requires unique credentials
– On the end-user side, this means each web site
(app) requires its own credential.
• The more websites you register with, the more
credentials you need to memorize.
– For developers, it is a burden to develop an
authentication scheme for each one of them.

3
Introduction of OpenID
• OpenID is a service, framework, and protocol
that is revolutionizing the realm of user
authentication and identity services.
• Started in 2004 by Brad Fitzpatrick.
• It offers a distributed, reliable, and open way
for web sites to authenticate their users and
saves web developers from the need to write
yet another piece of authentication code.

4
OpenID Awareness

According to: Independent study on OpenID awareness using Mechanical Turk, 2008

5
Terminologies for OpenID
• End-user
– The person who wants to assert his or her identity
to a site.
• Identifier
– The URL or XRI chosen by the end-user as their
OpenID identifier.
• OpenID provider (OP)
– A service provider offering the service of
registering OpenID URLs or XRIs and providing
OpenID authentication (and possibly other
identity services).

6
Terminologies for OpenID (contd.)
• Relying party
– The site that wants to verify the end-user's identifier.
Sometimes also called a "service provider".
• Server or server-agent
– The server that verifies the end-user's identifier. This
may be the end-user's own server (such as their blog),
or a server operated by an identity provider.
• User-agent
– The program (such as a browser) that the end-user is
using to access an identity provider or a relying party.

7
The OpenID Authentication Scheme

8
The OpenID Authentication Flow
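The final step of the flow, the relying party checking the positive assertion the OP sends back, as an added worked example in Python (not from these slides or from any OpenID library); it follows the OpenID Authentication 2.0 rules for the signature, the op_endpoint and return_to match, and nonce replay checks, and every endpoint, handle, key and identifier value in it is constructed.

```python
import base64, calendar, hashlib, hmac, time
from urllib.parse import parse_qsl, urlencode

# Constructed stand-ins for the RP's state after discovery and association (not real services).
OP_ENDPOINT = "https://op.example/server"       # OP endpoint found by discovery on the identifier
RETURN_TO = "https://rp.example/openid/return"  # the RP's own return_to URL
ASSOC_HANDLE = "assoc-demo-1"                   # handle of a constructed HMAC-SHA1 association
MAC_KEY = b"constructed-demo-mac-key"           # MAC key shared in that association (constructed)
NONCE_MAX_AGE = 300                             # seconds; RP-chosen freshness window for nonces
SEEN_NONCES = set()                             # replay cache keyed by openid.response_nonce

def kv_form(params, signed_fields):
    # Key-Value form (OpenID 2.0 sec. 4.1.1): "key:value\n" per signed field, in openid.signed order.
    return "".join(f"{k}:{params.get('openid.' + k, '')}\n" for k in signed_fields).encode()
def compute_sig(params, signed_fields, mac_key=MAC_KEY):
    mac = hmac.new(mac_key, kv_form(params, signed_fields), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()
def nonce_time(nonce):
    # openid.response_nonce starts with a UTC timestamp, e.g. 2008-12-04T10:00:00Z, then unique chars.
    return calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
def build_assertion(claimed_id, nonce):
    # The positive assertion an OP redirects to return_to after login; used here as sample input.
    signed = ["op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"]
    p = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
         "openid.op_endpoint": OP_ENDPOINT, "openid.return_to": RETURN_TO,
         "openid.response_nonce": nonce, "openid.assoc_handle": ASSOC_HANDLE,
         "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
         "openid.signed": ",".join(signed)}
    p["openid.sig"] = compute_sig(p, signed)
    return urlencode(p)
def verify_assertion(query, now=None):
    # Returns (True, claimed_id) or (False, reason); each check is one the RP must do before trusting the login.
    p = dict(parse_qsl(query, keep_blank_values=True))
    if p.get("openid.mode") != "id_res" or p.get("openid.op_endpoint") != OP_ENDPOINT:
        return False, "not a positive assertion from the OP endpoint found by discovery"
    if p.get("openid.return_to") != RETURN_TO or p.get("openid.assoc_handle") != ASSOC_HANDLE:
        return False, "return_to or association handle mismatch"
    signed = p.get("openid.signed", "").split(",")
    missing = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"} - set(signed)
    if missing:
        return False, "required fields not covered by the signature: " + ",".join(sorted(missing))
    if not hmac.compare_digest(compute_sig(p, signed), p.get("openid.sig", "")):
        return False, "bad signature"
    nonce = p["openid.response_nonce"]
    if abs((time.time() if now is None else now) - nonce_time(nonce)) > NONCE_MAX_AGE:
        return False, "nonce outside freshness window"
    if nonce in SEEN_NONCES:
        return False, "replayed nonce"
    SEEN_NONCES.add(nonce)
    return True, p["openid.claimed_id"]
```

Matching openid.op_endpoint to the endpoint found by discovery and rejecting reused nonces are what stop a forged or replayed assertion; they do not help against the phishing problem raised later in the slides, where the user is lured to a bogus OP before any assertion exists.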

9
Practice
• Log in to the MIT Tech Review website.
• With the OpenID provider
http://www.myopenid.com

10
Advantage of OpenID
• For business,
– Lower cost of password and account
management.
– Makes it easier for users to sign up for and join
the online service.
• For users,
– An open, decentralized, free, user-centric
authentication mechanism.
• For developers,
– Reuse of existing technology (URL, HTTP,
SSL, etc.)

11
Current & Future
• The OpenID Foundation was formed to support
the infrastructure the model needs and to
provide general help (it has corporate members
and community members).
• As of November 2008, there are over 500
million OpenIDs on the Internet.
• Approximately 27,000 sites have
integrated OpenID consumer support.

12
Criticism, Alternatives
• Vulnerable to phishing attacks, for
example via a zombie OP.
• Uncomfortable truth – it is open source
and free.
• Alternative recommendations for the
specification.
• Aggressive competition from Facebook
Connect on the other side.

13
REFERENCES
• Protocol specification Ver 2.0, http://www.openid.net
• Independent study on OpenID awareness using Mechanical
Turk, 2008
• OpenID and Rails: Authentication 2.0, 2008
• Google offers limited support for OpenID, 2008

• Click the article names for the originals.

14
