What is it?
OpenID is an open standard that lets users sign in to many websites with one existing set of credentials instead of creating a separate username and password for each. The user creates an account with an OpenID provider of their choice and then uses those credentials to identify themselves on other sites. OpenID is decentralized: anyone can run a provider, and no single organisation controls who may be one.
A passport is a useful analogy. One passport identifies its holder at the airport security check, at the immigration desk and anywhere else the holder has to prove who they are, even though none of those places issued it.
Three terms are used:
- Identity providers: the parties that issue OpenIDs and authenticate their users. Google and Microsoft are examples of large identity providers; note that today they implement OpenID Connect, the successor to the original OpenID protocol described on this page.
- Identifiers: the value that uniquely identifies a user (a number, a string, or some other form). In OpenID it is a URL that belongs to the user and identifies them with their OpenID provider.
- Consumers (also called relying parties): the websites that accept a user's OpenID in order to authenticate them.
In the passport example, the government of a country is the identity (OpenID) provider, the passport number is the citizen's identifier, and the airport security authorities are the consumers that authenticate the traveller on the basis of that ID.
Workflow with an example:
Suppose that Alice wants to sign up on the website abc.com. She already has an account with the OpenID provider Google.
- Alice visits the website abc.com.
- She is offered the choice of signing in with her OpenID or creating a new username and password, and she chooses OpenID.
- The website performs discovery on the identifier Alice typed, finds the endpoint of her OpenID provider (Google in this case) and establishes an association with it: a shared secret, named by an association handle, that the website will later use to verify the provider's signed responses without another round trip.
- It then sends an authentication request to Google, which in practice means redirecting Alice's browser to Google's sign-in page.
- Alice signs in to Google with her Google credentials.
- Google redirects Alice's browser back to abc.com carrying a signed authentication response.
- abc.com checks that the response is addressed to it, has not been seen before, and carries a valid signature under the association secret; if everything checks out, Alice is logged in to abc.com.
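The following is an added example, not code from the original page or from any provider or consumer named in it. It simulates the workflow above in one process: a provider that issues an association and signs a positive assertion, and a consumer that verifies the assertion locally. The signing rule follows OpenID 2.0 (an HMAC over the key-value form of the fields listed in openid.signed, with the "openid." prefix stripped), but the association step is simplified to just handing over a key, and the endpoint URL, the return_to URL and Alice's identifier are made-up values.

```python
import base64
import hashlib
import hmac
import secrets
import time

NS = "http://specs.openid.net/auth/2.0"
# Hypothetical URLs: abc.com is the consumer from the text, the provider endpoint is invented.
RETURN_TO = "https://abc.com/openid/return"
PROVIDER_ENDPOINT = "https://openid.provider.test/server"


def sign(mac_key, fields):
    """OpenID 2.0 signature: HMAC over the key-value form ("key:value" per line) of the
    fields named in `signed`, in that order, keyed with the association's MAC key."""
    kv = "".join(f"{k}:{fields[k]}\n" for k in fields["signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()


class Provider:
    """Simulated OpenID provider: hands out associations and signs positive assertions."""

    def __init__(self, users):
        self.users = users        # identifier URL -> password (constructed sample data)
        self.associations = {}    # association handle -> MAC key

    def associate(self):
        """Step 3 of the workflow. The real protocol agrees the MAC key via Diffie-Hellman
        or over TLS; here it is simply generated and returned to the consumer."""
        handle, mac_key = secrets.token_urlsafe(16), secrets.token_bytes(32)
        self.associations[handle] = mac_key
        return handle, mac_key

    def authenticate(self, identifier, password, handle, return_to):
        """Steps 5 and 6: the user signs in at the provider, which answers with either a
        cancel or a signed id_res assertion that the browser carries back to return_to."""
        if self.users.get(identifier) != password:
            return {"openid.ns": NS, "openid.mode": "cancel"}
        fields = {
            "ns": NS, "mode": "id_res", "op_endpoint": PROVIDER_ENDPOINT,
            "claimed_id": identifier, "identity": identifier, "return_to": return_to,
            "response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4),
            "assoc_handle": handle,
        }
        fields["signed"] = ",".join(fields)          # every field above is covered by the signature
        fields["sig"] = sign(self.associations[handle], fields)
        return {"openid." + k: v for k, v in fields.items()}


class Consumer:
    """Simulated consumer (abc.com): associates once, then verifies each response locally."""

    REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}

    def __init__(self, provider):
        self.handle, self.mac_key = provider.associate()
        self.seen_nonces = set()

    def verify(self, response):
        """Step 7. Returns (True, claimed_id) or (False, reason). Nothing is trusted until the
        fields that matter are inside the signature and the signature checks out."""
        f = {k[len("openid."):]: v for k, v in response.items() if k.startswith("openid.")}
        if f.get("mode") != "id_res":
            return False, "provider did not assert a login"
        if f.get("return_to") != RETURN_TO:
            return False, "assertion was issued for a different return_to"
        if f.get("assoc_handle") != self.handle:
            return False, "unknown association handle"
        signed = f.get("signed", "").split(",")
        if not self.REQUIRED_SIGNED <= set(signed) or any(k not in f for k in signed):
            return False, "a required field is outside the signature"
        if not hmac.compare_digest(sign(self.mac_key, f), f.get("sig", "")):
            return False, "bad signature"
        if f["response_nonce"] in self.seen_nonces:
            return False, "replayed response"
        self.seen_nonces.add(f["response_nonce"])
        return True, f["claimed_id"]


def run_demo():
    alice = "https://alice.provider.test/"           # constructed identifier
    provider = Provider({alice: "correct horse battery"})
    consumer = Consumer(provider)
    genuine = provider.authenticate(alice, "correct horse battery", consumer.handle, RETURN_TO)
    # Swapping in another identity on the way back breaks the signature.
    tampered = dict(genuine)
    tampered["openid.claimed_id"] = tampered["openid.identity"] = "https://bob.provider.test/"
    return {
        "tampered": consumer.verify(tampered),
        "genuine": consumer.verify(genuine),
        "replayed": consumer.verify(genuine),        # same nonce presented a second time
        "wrong_password": consumer.verify(
            provider.authenticate(alice, "guess", consumer.handle, RETURN_TO)),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:15} {outcome}")
```

The verification order matters: return_to and the association handle are checked before any cryptography, the signature before the nonce, and the nonce is only recorded once the signature is valid, so an attacker cannot burn a nonce with a forged response.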
Some of the advantages of OpenID are:
- It speeds up sign-up, since the user does not have to create a separate username and password.
- It spares users from remembering a different password for every website: the same OpenID credentials serve all sites that support it.
- The user controls how much information is shared with an OpenID-enabled site, for example only a username or also an email address.
- It reduces the damage done by password reuse. Many people use the same password on many websites, so a breach of any one of them exposes the rest. With OpenID the website never sees the password at all, and if the OpenID password is compromised it can be changed in one place. The flip side is that this one password now unlocks every site, so it deserves a strong value and a second factor where the provider offers one.
- Developers benefit too: a site that does not issue usernames and passwords does not have to store and protect them.
Some disadvantages of the OpenID standard are as follows:
- Decentralized: anyone can run a provider and no central authority vouches for them, so every consumer has to decide for itself which providers it will accept.
- Privacy: each time the user logs in to a site, the identity provider learns which site it was and when.
- Information shared: the provider passes attributes such as the username and email address to the consumer, so those details end up with every site the user logs in to.
- Trust: the consumer has to take the provider's word that the user authenticated, and the user has to trust the provider with access to every account. The redirect-based flow also trains users to type their provider password after being sent there by a third-party site, which is exactly what a phishing page imitates.
- Denial of service: someone without any OpenID can attempt to log in with an identifier that does not exist. The website cannot tell that it is fake, so it performs discovery and contacts the provider before the provider rejects the unknown account. Every fake attempt therefore costs the website outbound requests as well as the inbound one, and at volume this can be used to exhaust its resources, so consumers should limit discovery attempts per client.
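As an added example (not code from the original page), here is a consumer-side guard against the denial-of-service case just described. It normalizes the identifier the user typed the way an OpenID 2.0 consumer does before discovery (default http scheme, default path "/", fragment dropped), refuses anything that is not an http(s) URL so no request is issued for garbage, and applies a sliding-window limit on discovery attempts per client address. The optional trusted-host set is an assumption: a consumer that only wants to accept known providers can pass one. Sample addresses and hostnames in the usage are constructed.

```python
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(raw):
    """Normalize a user-typed identifier before discovery. Returns the canonical URL, or
    None when the input is not an http(s) URL with a hostname (so e.g. a javascript: or
    mailto: string never triggers a discovery request)."""
    raw = raw.strip()
    if not raw:
        return None
    parts = urlsplit(raw)
    if parts.scheme == "":                      # "alice.example" -> "http://alice.example"
        parts = urlsplit("http://" + raw)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/", parts.query, ""))


class DiscoveryGuard:
    """Sliding-window limit on discovery attempts per client address. Every attempt counts,
    including malformed ones, so a client cannot probe for free."""

    def __init__(self, max_attempts=5, window_seconds=60, trusted_hosts=None, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.trusted_hosts = trusted_hosts      # None: any host; a set restricts to known providers
        self.clock = clock                      # injectable for testing
        self.attempts = defaultdict(deque)      # client address -> timestamps of recent attempts

    def check(self, client_ip, raw_identifier):
        """Returns (True, normalized_identifier) when discovery may proceed, else (False, reason)."""
        now = self.clock()
        recent = self.attempts[client_ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                    # forget attempts that fell out of the window
        if len(recent) >= self.max_attempts:
            return False, "rate limited"
        recent.append(now)                      # charge the attempt before validating it
        identifier = normalize_identifier(raw_identifier)
        if identifier is None:
            return False, "not a usable identifier"
        if self.trusted_hosts is not None and urlsplit(identifier).hostname not in self.trusted_hosts:
            return False, "provider not on the trusted list"
        return True, identifier


if __name__ == "__main__":
    guard = DiscoveryGuard(max_attempts=3)
    for attempt in ["alice.example", "https://alice.example/id#frag", "javascript:alert(1)", "alice.example"]:
        print(attempt, "->", guard.check("203.0.113.5", attempt))   # constructed client address
```

Only a (True, identifier) result should lead to an outbound discovery request; the limiter state is per process here and would live in a shared store for a multi-node deployment.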