An open, free, distributed Web authentication service

OpenID offers a new approach to managing all your logins

Web Applications Alert By Mark Gibbs, Network World
April 09, 2008 12:09 AM ET

How many accounts do you have on the Internet? If you have as many as I do, you'll probably have some tool for managing all of your logins. I use Siber Systems' RoboForm, but it has one problem - it is PC-based, which means that if you have multiple machines on your desk or you work from multiple locations, you have a portability problem to solve. Siber Systems has addressed this problem with RoboForm2Go, which makes their system portable using either regular or U3 USB drives. Even so, that presupposes that you always have your nerd stick with you and that, if you do, you can plug it in.

A very different approach is offered by OpenID, a decentralized, open, lightweight standard for online service authentication that is supported by multiple providers. The technology underlying OpenID is open source and supported by the nonprofit OpenID Foundation.

The way that OpenID works is very clever. I won’t bore you with the somewhat convoluted mechanism, other than to say that it relies on a site that knows you to validate your identity to a site that doesn’t know you, by passing you through to the validating site, which returns your credentials. If you are interested in more detail, I recommend the Wikipedia entry, which explains the method quite clearly.

The Wikipedia article also covers the criticisms of the system, which mainly concern vulnerabilities that the system may have (these have yet to be substantiated).

Many of the major Internet players have bought into OpenID, including Google, Yahoo, AOL, and VeriSign, and it is claimed that there are now over 10,000 sites that support OpenID.

If you are developing or operating a Web application that uses authentication, this is a standard you should seriously consider adopting.

Mark Gibbs is a consultant, author, journalist, columnist and blogger.
