This is my completely non-technical explanation of OpenID. I felt after all the OpenID buzz last week there was a need for one, seeing that even the BBC wrote a story that focuses on how it technically works first, instead of on how it works for you.
Chances are you’re reading this because you’re a friend, and you already know all of this stuff. If so, I hope you’ll find it a useful (and good enough) piece to refer your uninitiated friends to. Here goes.
Why do you want it?
Because you’re tired of getting yet another username/password combo to remember every time you discover a cool new web service. Having just one username and one password for everything would be so much more convenient, right?
You may have tried that already, but it didn’t really work – some sites want passwords with numbers in them, some sites want at least eight characters, some don’t like your chosen username. And besides, it’s dangerous to reuse the same passwords, too: let’s say you create an account on my website and I want to be nasty – I figure out your email address (probably you gave that to me when you created an account) and I’ll have a good chance that I can read your email – because you used the same password for my site as for your webmail…
How OpenID works for you
OpenID solves the problem: in my words, it is a protocol that lets all websites that you want to register with use the same sign-on system. What you need to have is what I’ll call an OpenID address. When you subscribe to a website, you tell it your OpenID address, just like you used to tell it your email address before. Now, when you want to sign on at that website later, the website asks your OpenID provider to check on you. Let’s see how that typically works, broken down into a few steps:
- You begin to sign on to a website A by telling that website your OpenID address.
- Website A sends a request to your OpenID address to check on you.
- You’re sent to the website of your OpenID provider to sign on.
- Your OpenID provider tells website A that you’re ok.
- Website A allows you to get in.
This clearly solves two problems I raised above:
- You only have to remember one way to sign on now.
- Website A never gets to see your password: that’s between you and your OpenID provider.
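The five steps above, and the point that website A never sees your password, as an added simulation (not code from the original post, and a deliberate simplification of the real OpenID protocol): the provider and website A are assumed to already share a signing key, where real OpenID negotiates one first, and user, provider and website A are plain Python objects rather than separate sites.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the provider knows one user, password stored hashed.
PROVIDER_USERS = {"https://alice.openid.example/": hashlib.sha256(b"correct horse").hexdigest()}
# Assumption: provider and website A share a signing key (real OpenID first negotiates this "association").
ASSOCIATION_KEY = b"assumed-shared-association-secret"


def _sign(openid_url, nonce):  # HMAC over identity and nonce: lets website A spot forgeries
    return hmac.new(ASSOCIATION_KEY, f"{openid_url}|{nonce}".encode(), hashlib.sha256).hexdigest()


class Provider:
    """The OpenID provider: the only party that ever sees the password (steps 3 and 4)."""
    def sign_on(self, openid_url, password, nonce):
        known = PROVIDER_USERS.get(openid_url)
        pw_hash = hashlib.sha256(password.encode()).hexdigest()
        if known is None or not hmac.compare_digest(known, pw_hash):
            return None  # nobody is vouched for; website A just sees a failed sign-on
        return {"openid": openid_url, "nonce": nonce, "sig": _sign(openid_url, nonce)}


class RelyingParty:
    """Website A: it is handed an OpenID address and a signed assertion, never a password."""
    def __init__(self, provider):
        self.provider = provider
        self.seen_nonces = set()
        self.received = []  # everything website A is ever given, kept for inspection

    def begin(self, openid_url):  # steps 1 and 2: note the claimed identity, issue a challenge
        self.received.append(openid_url)
        return secrets.token_hex(8)

    def finish(self, assertion):  # step 5: let the user in only on a valid, fresh assertion
        if assertion is None:
            return False
        self.received.append(assertion)
        expected = _sign(assertion["openid"], assertion["nonce"])
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False  # forged, or altered on the way back from the provider
        if assertion["nonce"] in self.seen_nonces:
            return False  # a replayed assertion is not a new sign-on
        self.seen_nonces.add(assertion["nonce"])
        return True


def sign_on(rp, openid_url, password):  # the five steps; the password goes to the provider only
    nonce = rp.begin(openid_url)
    return rp.finish(rp.provider.sign_on(openid_url, password, nonce))
```

Inspecting `rp.received` after a sign-on shows what website A actually learned: an address and a signed assertion, and nothing that could be reused at your webmail.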
But that’s not all. OpenID has more to offer. If you wish, you can for example let your OpenID provider share personal details with the websites you visit – so you won’t have to enter things like your gender and location again and again when joining new web communities. Here, I’m deliberately leaving many details out, hence the title: a first introduction.
Your OpenID provider is much like your email provider
Think it’s scary to access all your accounts on the web from one point? In a way, you’re probably already doing that, although you may not have realised.
Think about what usually happens when you forget your password to some website A. You go and click “recover my password”, and you get an email with a magic link that allows you to change your password. In other words, website A assumes that only you can open your email. So you’d better have a pretty strong password to your webmail: anyone who can access your email can reset the passwords to most web services you use.
With your OpenID, it works almost exactly the same: instead of checking who you are through your email address, websites now check on you through your OpenID address. And just like someone who breaks into your email box, someone who breaks into your OpenID account can access all your web services. You’ve chosen an email provider that you trust not to read or mess with your emails. You should choose an OpenID provider that you trust in the same way.
Do you need an OpenID right now?
There’s no hurry: I think you will find that most websites you use don’t allow OpenID sign-on yet. That’s good, because there are some security and privacy caveats that we need to become aware of: nothing to really worry about as far as I can see, but it’s important to be sufficiently aware and make smart choices. I’m planning to look into this in a little more detail before I start using OpenID seriously, and of course I plan to then write a bit about this – probably the piece will be called something like “choose your OpenID provider carefully” – your thoughts and advice on the topic are appreciated!
In the meantime, you can of course help to accelerate the adoption of this neat protocol by prodding your favourite websites to start using it. Here’s a template email to send them.
Like I said, OpenID is a much richer system than I’ve presented it to be here. I’ve skipped all the technical details – I haven’t even told you that your OpenID login name will be just a web address. Should I have told you that the main idea is that “a URL is an identity”? I’ve never seen anyone start to explain email by saying that it’s a domain name with a user name slapped onto it, and then jump directly into the details of how SMTP servers find each other… But by presenting OpenID as merely another sign-on solution I may not have done justice to it either.
So, please, do read more about it. You’ll find that OpenID is a very open protocol that gives you more freedom than any other sign-on solution before it. In fact, with OpenID you can be your own OpenID provider if you wish. And also: you get to choose how strict and secure you want your logins to be.
An obvious starting point for further reading is Wikipedia, although the page that’s up currently isn’t a very easy read (let’s change that!). Some manageable primers, perhaps a step up from this one, can be found here, here, here, and here. You may also find some good blog posts through Planet OpenID. Enjoy!