Venus AUEB Forum

Microsoft to back open ID scheme

Many web users have lots of logins for different sites

A plan to make it easier for web users to manage their online identities has won the support of Microsoft.

The Open ID scheme uses web addresses that people already own to help authenticate their identity.

In this way it tries to reduce the number of names and passwords that people have to remember and manage.

As part of the deal Microsoft is sharing some of its technology with Open ID developers and will include it in future identity-related products.

Identity cards

The Open ID community, which is a loose coalition of programmers, is wrestling with ways to handle the different sorts of identification that use of the web demands.

Sites such as online banks understandably demand far more rigorous guarantees about someone's identity than places such as discussion forums which are far more informal.

However, many sites still rely on one-size-fits-all user name and password systems which get increasingly cumbersome to manage and have many well-documented shortcomings.

"Some blog environments want anonymous people to say anything, and in other environments, they want you to represent some credentials about who you are," said Bill Gates announcing the tie-up between Microsoft and the Open ID scheme. "And that's just not going to scale with the kind of password thing we have today."

Open ID aims to remove this trouble by using the personal web addresses that people maintain as a guarantee of their identity.

When they want to login to a site, instead of a name and password, they supply their web address. In the background the technical set up of the Open ID scheme checks and verifies that site.

Microsoft has got involved to supply a technology it is developing called InfoCards to add more flexibility to the scheme.

The InfoCard program gives users a way to identify themselves with varying degrees of detail depending on who is asking for information about them. Each InfoCard acts like a virtual index card that can store different sorts of ID information for different purposes.

Backing Open ID alongside Microsoft are Verisign, Sxip and JanRain. The announcement about the tie-up was made at the 2007 RSA security conference.

Microsoft has committed to putting Open ID technology into future identity servers but it is not yet clear how this will affect existing sign-on systems for MSN or Hotmail.

The first piece of the OpenID framework is authentication -- how you prove ownership of a URI. Today, websites require usernames and passwords to login, which means that many people use the same password everywhere. With OpenID Authentication (see specs), your username is your URI, and your password (or other credentials) stays safely stored on your OpenID Provider (which you can run yourself, or use a third-party identity provider).

To login to an OpenID-enabled website (even one you've never been to before), just type your OpenID URI. The website will then redirect you to your OpenID Provider to login using whatever credentials it requires. Once authenticated, your OpenID provider will send you back to the website with the necessary credentials to log you in. By using Strong Authentication where needed, the OpenID Framework can be used for all types of transactions, both extending the use of pure single-sign-on as well as the sensitivity of data shared.

Beyond Authentication, the OpenID framework provides the means for users to share other components of their digital identity. By utilizing the emerging OpenID Attribute Exchange specification (see specs), users are able to clearly control what pieces of information can be shared by their Identity Provider, such as their name, address, or phone number.