Authentication: OpenID
Zhezhu Wen
2008-12-04
A Traditional Authentication Scheme
But…
• Problem with traditional authentication
  – Each server requires unique credentials.
  – On the end-user side, this means each web site (or app) requires its own credential.
• The more websites you register with, the more credential information you need to memorize.
  – For developers, it is a burden to write an authentication scheme for each site.
Introduction of OpenID
• OpenID is a service, framework, and protocol that is revolutionizing the realm of user authentication and identity services.
• Started in 2004 by Brad Fitzpatrick.
• It offers a distributed, reliable, and open way for web sites to authenticate their users and saves web developers from the need to write yet another piece of authentication code.
OpenID Awareness
According to: Independent study on OpenID awareness using Mechanical Turk, 2008
Terminologies for OpenID
• End-user – The person who wants to assert his or her identity to a site.
• Identifier – The URL or XRI chosen by the end-user as their OpenID identifier.
• OpenID provider (OP) – A service provider offering the service of registering OpenID URLs or XRIs and providing OpenID authentication (and possibly other identity services).
Terminologies for OpenID (contd.)
• Relying party – The site that wants to verify the end-user's identifier. Sometimes also called a "service provider".
• Server or server-agent – The server that verifies the end-user's identifier. This may be the end-user's own server (such as their blog), or a server operated by an identity provider.
• User-agent – The program (such as a browser) that the end-user is using to access an identity provider or a relying party.
The OpenID Authentication Scheme
The OpenID Authentication Flow
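The flow diagram on this slide is not reproduced in the text. As an added illustration that is not part of the original slides, the Python below models the exchange between the roles defined on the terminology slides: the relying party associates with the OP discovered for the end-user's identifier, the OP returns a positive assertion signed with the shared MAC key, and the relying party performs the verification steps that the OpenID 2.0 specification requires before trusting the claimed identifier (return_to match, OP endpoint match, signature check, nonce replay check). The hostnames, the stubbed discovery step (no HTTP is performed), and the class and method names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import secrets
import time

OPENID_NS = "http://specs.openid.net/auth/2.0"
# Fields that a relying party must see covered by the OP's signature.
SIGNED_FIELDS = ["op_endpoint", "claimed_id", "identity", "return_to",
                 "response_nonce", "assoc_handle"]


def signature(mac_key: bytes, fields: dict, signed: list) -> str:
    """HMAC-SHA1 over 'key:value\\n' lines in the order listed in openid.signed."""
    to_sign = "".join(f"{k}:{fields[k]}\n" for k in signed)
    digest = hmac.new(mac_key, to_sign.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


class OpenIDProvider:
    """The OP: keeps the MAC keys it shares with relying parties and signs assertions."""

    def __init__(self, endpoint: str):
        self.endpoint = endpoint
        self.associations = {}  # assoc_handle -> mac_key

    def associate(self):
        handle = secrets.token_hex(8)
        mac_key = secrets.token_bytes(20)  # HMAC-SHA1 association key
        self.associations[handle] = mac_key
        return handle, mac_key

    def assert_identity(self, handle: str, claimed_id: str, return_to: str) -> dict:
        """Positive assertion (mode=id_res), sent back to the RP through the user-agent."""
        nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4)
        fields = {"ns": OPENID_NS, "mode": "id_res", "op_endpoint": self.endpoint,
                  "claimed_id": claimed_id, "identity": claimed_id, "return_to": return_to,
                  "response_nonce": nonce, "assoc_handle": handle,
                  "signed": ",".join(SIGNED_FIELDS)}
        fields["sig"] = signature(self.associations[handle], fields, SIGNED_FIELDS)
        return {"openid." + k: v for k, v in fields.items()}


class RelyingParty:
    """The site that wants to verify the end-user's identifier."""

    def __init__(self, return_to: str):
        self.return_to = return_to
        self.associations = {}  # assoc_handle -> (op_endpoint, mac_key)
        self.seen_nonces = set()  # replay protection for response_nonce

    def begin(self, claimed_id: str, op: OpenIDProvider) -> str:
        """Discovery is stubbed (assumption): the identifier is taken to resolve to op.endpoint."""
        handle, mac_key = op.associate()
        self.associations[handle] = (op.endpoint, mac_key)
        return handle

    def verify(self, response: dict, discovered_endpoint: str):
        """Return (True, claimed_id) or (False, reason) for an indirect response."""
        f = {k[len("openid."):]: v for k, v in response.items() if k.startswith("openid.")}
        if f.get("ns") != OPENID_NS or f.get("mode") != "id_res":
            return False, "not a positive assertion"
        if f.get("return_to") != self.return_to:
            return False, "return_to mismatch"
        assoc = self.associations.get(f.get("assoc_handle"))
        if assoc is None:
            return False, "unknown association handle"
        op_endpoint, mac_key = assoc
        # The assertion must come from the OP discovered for this identifier,
        # not merely from some OP the RP has an association with.
        if f.get("op_endpoint") != op_endpoint or op_endpoint != discovered_endpoint:
            return False, "assertion not from the OP discovered for this identifier"
        signed = f.get("signed", "").split(",")
        if not set(SIGNED_FIELDS) <= set(signed):
            return False, "required fields not covered by the signature"
        try:
            expected = signature(mac_key, f, signed)
        except KeyError:
            return False, "signed field missing"
        if not hmac.compare_digest(expected, f.get("sig", "")):
            return False, "bad signature"
        if f["response_nonce"] in self.seen_nonces:
            return False, "nonce replayed"
        self.seen_nonces.add(f["response_nonce"])
        return True, f["claimed_id"]


if __name__ == "__main__":
    op = OpenIDProvider("https://op.example/server")          # constructed endpoint
    rp = RelyingParty("https://rp.example/openid/return")     # constructed return_to
    claimed = "https://alice.example/"                        # constructed identifier
    handle = rp.begin(claimed, op)
    response = op.assert_identity(handle, claimed, rp.return_to)
    print(rp.verify(response, op.endpoint))   # accepted once
    print(rp.verify(response, op.endpoint))   # same response again: nonce replayed
```

The order of checks mirrors the specification: a response is rejected on the cheapest mismatch first, the signature is compared in constant time, and the nonce is only recorded after the signature has been accepted, so an unsigned or forged response cannot burn a nonce.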
Practice
• Log in to the MIT Tech Review website.
• Use the OpenID provider http://www.myopenid.com
Advantages of OpenID
• For business:
  – Lower cost of password and account management.
  – Makes it easier for users to sign up and join the online service.
• For users:
  – An open, decentralized, free, user-centric authentication mechanism.
• For developers:
  – Reuse of existing technology (URL, HTTP, SSL, etc.).
Current & Future
• The OpenID Foundation was formed to support the infrastructure the model needs and to promote it generally (corporate members and community members).
• As of November 2008, there are over 500 million OpenIDs on the Internet.
• Approximately 27,000 sites have integrated OpenID consumer support.
Criticism, Alternatives
• Vulnerable to phishing attacks, for example via a zombie OP.
• Uncomfortable truth – it is open source and free.
• Alternative recommendations for the specification.
• Aggressive Facebook Connect from the other side.
REFERENCES
• Protocol specification Ver 2.0, http://www.openid.net
• Independent study on OpenID awareness using Mechanical Turk, 2008
• OpenID and Rails: Authentication 2.0, 2008
• Google offers limited support for OpenID, 2008