We’re seeing more and more reports of accounts being hacked and passwords being stolen across the web. Take a look at the recent Gawker hack and all their hashed passwords being posted to torrent sites. People should also realize that there are many lists out there that take millions of common passwords and run them through all the standard hashing algorithms. This allows a hacker to quickly search through a list of hashed passwords and come up with the actual password you’re using. How many of us use this same password across multiple sites, or a very similar variant of the same password?
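To make the precomputed-list problem concrete, here is an added example (not code from the original post) that builds a tiny hash-to-password table from a constructed list of common passwords, shows how a leaked unsalted MD5 digest is recovered with one lookup, and then shows the defender's fix: a random per-user salt plus a slow KDF, so one table can no longer serve every user. The password list and function names are my own.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the multi-million-entry common-password lists the post
# mentions; the real lists are far larger but work the same way.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "monkey", "dragon"]

def build_lookup_table(passwords, algorithm="md5"):
    """Precompute digest -> password for each entry, as the published lists do."""
    return {hashlib.new(algorithm, p.encode()).hexdigest(): p for p in passwords}

def lookup_unsalted(hex_digest, table):
    """A leaked unsalted digest falls to a single dictionary lookup."""
    return table.get(hex_digest)

def hash_password(password, salt=None, iterations=200_000):
    """Defender side: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Returns (salt, digest); both are stored, and the salt need not be secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify_password(password, salt, digest, iterations=200_000):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    # What a site storing bare MD5 digests would leak for this user.
    leaked = hashlib.md5(b"letmein").hexdigest()
    recovered = lookup_unsalted(leaked, table)          # "letmein"
    # Same password, two users: the random salts give unrelated digests, so one
    # precomputed table cannot cover both, and every guess costs 200k iterations.
    salt_a, digest_a = hash_password("letmein")
    salt_b, digest_b = hash_password("letmein")
    return recovered, digest_a != digest_b, verify_password("letmein", salt_a, digest_a)

if __name__ == "__main__":
    print(demo())
```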
A few years ago I envisioned what the next generation OpenID platform might look like. I’ve shared this with multiple people over the years and they all ask me why I haven’t built it yet. I honestly just haven’t made the time, so I feel like it’s time to give someone else the opportunity. OpenID is great in that it allows you to have a single strong password to authenticate you against multiple sites. Many of you will have used Facebook Connect to sign in to websites; it is a very similar technology. Some of the things I noodle in the attached diagram, TheNextGenOpenIDPlatform, include stronger hardware-based authentication devices, delegated account access, digital personas, linking of devices that can be remotely de-authorized, an analytics dashboard to find out who is using your identity and attributes, and synchronizing your attributes across all the places you go.
If there are any VCs listening I’m more than happy to start an angel round of investing and start building, I already have the team I’d use ready to go. 😉
Do you know the Stork Project?
(https://www.eid-stork.eu/) The aim of that project is to “establish a European eID Interoperability Platform that will allow citizens to establish new e-relations across borders, just by presenting their national eID”
For now it’s already working in “beta” for some government sites (Taxes, Universities, …) but I think it’s going in the right direction
When I used OpenID, I was using the Verisign PIP (personal identity portal). They offered multiple personas and I could choose to enter a different email address for each website (relying party). PIP also supported two-factor authentication. I used the PayPal football to login to my account. I eventually stopped using OpenID because of two issues.
First, there were so few places where it was accepted. I’d really like to have one central place where all my account information is stored. With OpenID, I could use it on a few sites, but then I ended up still needing to manage a list of username and passwords for sites where OpenID was not accepted.
Second, and I admit this is probably me putting my trust-no-one hat on, with OpenID, you still have the problem of a single point of failure. By using an OpenID provider, you are giving that provider the ability to impersonate you anywhere on the web. You REALLY need to trust your OpenID provider.
One compromise of your OpenID provider and not only all your existing accounts are compromised, but you can be impersonated anywhere on the web. It doesn’t matter if the compromise is due to a hacker, someone working at the site that hosts your provider (your employer maybe), or some sort of court order, the result is the same: someone who is not you can access all your sites and gain a wealth of personal information about you.
Eventually these two issues pushed me away from using OpenID. I switched to LastPass and use it to manage all my different logins. LastPass solves the above two issues for me. It’ll store the login information for any site I visit and generate secure passwords for new sites. It supports two-factor authentication. And the LastPass servers never see my individual account details because they are encrypted locally before being transmitted – meaning if anyone ever compromises LastPass’ servers, all they get is a bunch of encrypted data.
Because of my second, trust-no-one, issue, I don’t think I’d ever go back to using OpenID in its current form for personal use. I just wouldn’t trust it to keep my bank, stock, retirement account, etc. logins separate and safe. I think it would work well in an enterprise environment, IF you only used it to login to corporate sites. But I think PKI is a much better fit there.
I know I’m being too paranoid, and that reputable OpenID providers can be trusted. Heck, if we didn’t trust them we also couldn’t trust SSL/https. But if you’re proposing a next-gen OpenID, maybe some new ideas could be put into the protocol to make it impossible for the provider to go rogue.
@esev I fully agree that there aren’t enough places accepting OpenID and that’s one of the main limiting factors. I think more public sites are accepting Facebook Connect and Twitter logins (through OAuth) than are using OpenID. One thing Facebook did really well was take many of the OpenID user patterns but dumb them down for the typical user. OpenID was always too geeky of an interface for the normal consumer to use. As for managing passwords I find that 1Password does a great job. They use AES128 encryption which is good enough for most 😉 They actually have a good description of how it’s all put together here.
http://help.agile.ws/1Password3/agile_keychain_design.html
As you know OpenID is very dependent on the domain. I almost believe that any commercial OpenID service should have a “bring your own domain” option. This way you could always migrate away if you stopped trusting the provider. Again, this is way too complex for most users to comprehend. I started seeing some relying parties accept multiple OpenID providers for each account. Talk about a usability nightmare. “So you’re telling me that I should have two accounts registered with each site in case one doesn’t work or they get hacked. Ugh, I’ll go back to username and password.”
I’m right with you on most of the issues you bring up. However, I think that PKI is too complex for most public users to understand and use, let alone relying parties to accept. I have the same problems with SAML being so point to point as well. If you get a chance check out Dan Kaminsky’s talks on DKI and Phreebird. Now that the DNS root is signed this might be an interesting way to roll out PKI to the rest of the world. It seems like the IETF has picked this up to investigate it lately (http://riosec.com/domain-key-infrastructure). I’ve been noodling that this might be a way to start authenticating non-person entities like computers, switches, etc. to the network. It would also be much easier to deal with things like CRL lists and OCSPs since if you revoke a DKI the address just no longer resolves successfully.
@Filipe I’ve definitely seen Stork and think it’s a great project going on. I think they are doing it right by targeting young academics who will “get used to” using OpenID and have it grow up with them but I don’t think it will help see explosive growth of the technology. Here in the states we have an inherent distrust for our government that stems all the way back from the colony days. We trust companies like Google and Facebook with our personal data more than we do our government. Recently the US has started discussing the National Strategy for Trusted Identities in Cyberspace aka NSTIC (http://www.nist.gov/nstic/). I don’t think we’re there with OpenID yet, but I hope it can grow into something more useful.