Thursday, July 24, 2008

Single Digital Identity

OpenID is an open source alliance that facilitates user-centric digital identity for multiple websites. This type of system aims to remove the need for multiple user names and passwords by using a single identity system to log in to member sites. The user chooses the OpenID Provider they trust, and this unique login stays with them, irrespective of which website they move to, as long as the site supports OpenID profiles.

For business, this means a reduced cost per unit of password and account management, while gaining new website visitor traffic. For some, OpenID will reduce the frustration of having to log in and maintain multiple profiles.

OpenID is increasingly gaining adoption among large sites, with organizations like BBC, Google, MySpace, AOL, IBM, Microsoft, VeriSign, and Yahoo!, to name a few.

Critics of this type of system see a threat of identity fraud due to potential security weaknesses. Phishing (Password Fishing) attacks may fraudulently steal the identity of a person or organisation with the objective of gaining access to personal information.

Take this scenario, for example: a hacker forwards the user to a fake MySpace page asking the user to input their authentication details. Once the user does so, the hacker, who also controls the false OpenID authentication page, could then have access to the end-user's account with MySpace, and subsequently use that end-user's login details to gain access to other services such as Yahoo! to gain information about their online banking.

Another criticism of a single digital identity system is that adding third-party ID providers into the equation increases the complexity, and thereby the risk of security weaknesses. This may be the start of an international passport for the internet and therefore needs to be given the same level of identity checks and balances to ensure the quality of the authentication.
