A first introduction to OpenID

[Photo: key ring] Don’t you hate having your pockets full of keys – and your head full of passwords? (photo by stopnlook)

This is my completely non-technical explanation of OpenID. I felt that, after all the OpenID buzz last week, there was a need for one, seeing that even the BBC wrote a story that focuses first on how it technically works instead of on how it works for you.

Chances are you’re reading this because you’re a friend, and you already know all of this stuff. If so, I hope you’ll find it a useful (and good enough) piece to refer your uninitiated friends to. Here goes.

Why do you want it?

Because you’re tired of getting yet another username/password combo to remember every time you discover a cool new web service. Having just one username and one password for everything would be so much more convenient, right?

You may have tried that already, but it didn’t really work – some sites want passwords with numbers in them, some sites want at least eight characters, some don’t like your chosen username. Besides, reusing the same password is dangerous too: let’s say you create an account on my website and I want to be nasty – I figure out your email address (you probably gave it to me when you created the account) and I’ll have a good chance of reading your email, because you used the same password for my site as for your webmail…

How OpenID works for you

OpenID solves the problem: in my words, it is a protocol that lets all the websites you want to register with use the same sign-on system. What you need is what I’ll call an OpenID address. When you subscribe to a website, you tell it your OpenID address, just like you used to tell it your email address before. Now, when you want to sign on at that website later, the website asks your OpenID provider to check on you. Let’s see how that typically works, broken down into a few steps:

    1. You begin to sign on to a website A by telling that website your OpenID address.
    2. Website A sends a request to your OpenID address to check on you.
    3. You’re sent to the website of your OpenID provider to sign on.
    4. Your OpenID provider tells website A that you’re ok.
    5. Website A allows you to get in.
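The five steps above as an added, simplified simulation (my code, not the post’s, and not the real OpenID wire protocol): a provider that holds the password, a website that only ever receives an HMAC-signed assertion, and a one-time nonce so an old assertion cannot be replayed. The class names, the example addresses and the shared-secret setup in `associate` are all assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

USER_OPENID = "https://alice.example-provider.test/"  # constructed demo user
USER_PASSWORD = "correct horse battery staple"         # only the provider ever holds this

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Provider:
    """Your OpenID provider: checks your password, then vouches for you to website A."""
    def __init__(self):
        salt = secrets.token_bytes(16)
        self._users = {USER_OPENID: (salt, hash_pw(USER_PASSWORD, salt))}
        self._keys = {}  # one shared secret per website, agreed in step 2 (assumed setup)
    def associate(self, website):
        self._keys[website] = secrets.token_bytes(32)
        return self._keys[website]
    def sign_on(self, openid, password, website, nonce):
        # Steps 3-4: you prove who you are here; the provider signs an assertion for website A.
        salt, stored = self._users.get(openid, (b"", b""))
        if not stored or not hmac.compare_digest(stored, hash_pw(password, salt)):
            return None
        msg = f"{openid}|{website}|{nonce}".encode()
        sig = hmac.new(self._keys[website], msg, "sha256").hexdigest()
        return {"openid": openid, "website": website, "nonce": nonce, "sig": sig}

class Website:
    """Website A: never learns the password, only a signed 'this user is ok'."""
    def __init__(self, name, provider):
        self.name, self._key, self._pending = name, provider.associate(name), set()
    def start_login(self, openid):
        nonce = secrets.token_hex(16)  # steps 1-2: a fresh nonce ties this attempt to one assertion
        self._pending.add(nonce)
        return nonce
    def finish_login(self, assertion):
        # Step 5: accept only an assertion that is unused, addressed to us and correctly signed.
        if assertion is None or assertion["website"] != self.name or assertion["nonce"] not in self._pending:
            return False
        msg = f"{assertion['openid']}|{assertion['website']}|{assertion['nonce']}".encode()
        if not hmac.compare_digest(hmac.new(self._key, msg, "sha256").hexdigest(), assertion["sig"]):
            return False
        self._pending.discard(assertion["nonce"])
        return True

def login(provider, site, openid, password):
    # The five steps end to end; the password travels only to the provider.
    nonce = site.start_login(openid)                                  # steps 1-2
    assertion = provider.sign_on(openid, password, site.name, nonce)  # steps 3-4
    return site.finish_login(assertion)                               # step 5
```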

This clearly solves two problems I raised above:

    1. You only have to remember one way to sign on now.
    2. Website A never gets to see your password: that’s between you and your OpenID provider.

But that’s not all. OpenID has more to offer. If you wish, you can for example let your OpenID provider share personal details with the websites you visit – so you won’t have to enter things like your gender and location again and again when joining new web communities. Here, I’m deliberately leaving many details out, hence the title: a first introduction.

Your OpenID provider is much like your email provider

Think it’s scary to access all your accounts on the web from one point? In a way, you’re probably already doing that, although you may not have realised it.

Think about what usually happens when you forget your password to some website A. You go and click “recover my password”, and you get an email with a magic link that allows you to change your password. In other words, website A assumes that only you can open your email. So you had better have a pretty strong password for your webmail: anyone who can access your email can reset the passwords to most web services you use.

With your OpenID, it works almost exactly the same: instead of checking who you are through your email address, websites now check on you through your OpenID address. And just like someone who breaks into your email box, someone who breaks into your OpenID account can access all your web services. You’ve chosen an email provider that you trust not to read or mess with your emails. You should choose an OpenID provider that you trust in the same way.

Do you need an OpenID right now?

There’s no hurry: I think you will find that most websites you use don’t allow OpenID sign-on yet. That’s good, because there are some security and privacy caveats that we need to become aware of: nothing to really worry about as far as I can see, but it’s important to be sufficiently aware and make smart choices. I’m planning to look into this in a little more detail before I start using OpenID seriously, and of course I plan to then write a bit about it – probably the piece will be called something like “choose your OpenID provider carefully” – your thoughts and advice on the topic are appreciated!

In the meantime, you can of course help to accelerate the adoption of this neat protocol by prodding your favourite websites to start using it. Here’s a template email to send them.

Further reading

Like I said, OpenID is a much richer system than I’ve presented it to be here. I’ve skipped all the technical details – I haven’t even told you that your OpenID login name will be just a web address. Should I have told you that the main idea is that “a URL is an identity”? I’ve never seen anyone start to explain email by saying that it’s a domain name with a user name slapped onto it, and then jump directly into the details of how SMTP servers find each other… But by presenting OpenID as merely another sign-on solution I may not have done justice to it either.

So, please, do read more about it. You’ll find that OpenID is a very open protocol that gives you more freedom than any other sign-on solution before it. In fact, with OpenID you can be your own OpenID provider if you wish. And also: you get to choose how strict and secure you want your logins to be.

An obvious starting point for further reading is Wikipedia, although the page that’s up currently isn’t a very easy read (let’s change that!). Some manageable primers, perhaps a step up from this one, can be found here, here, here, and here. You may also find some good blog posts through Planet OpenID. Enjoy!


6 Responses to “A first introduction to OpenID”

1. Bill Mullins, 17 February 2008 at 1:03

    Hey YC,

    Thanks for the Thumbs Up on Stumble! I appreciate it. I have returned the favour.

    Take care,

    Bill Mullins

2. yungchin, 19 February 2008 at 13:02

    Hi Bill, thanks for leaving a comment!
    Thanks for the thumbs up too – and I hope that means you like this page ;)

3. David, 19 February 2008 at 15:45

    A nice high level review, as you say not many (any?) have seen to date that don’t end up delving into a myriad of code examples, which leaves me confused in the technology rather than the customer experience aspects which are important.

    Good luck and hope you keep going, I’ll be back to learn in bite-sized chunks!


4. Anthony Lawrence, 27 February 2008 at 15:47

    I wish more sites would use OpenID. Part of the reason they do not is that it’s unnecessarily complex and difficult to implement.

    Hint to people like OpenID that want to set standards: I don’t want to have to download libraries or DLLs. I want a simple, simple, SIMPLE way to use your protocol. Take a page from Google’s book: look at their Maps and Charts APIs. Simple – ordinary HTTP GETs. Anybody can integrate Google’s APIs. Yours needs to be just as easy.

5. yungchin, 28 February 2008 at 8:56

    @David (I thought I replied here, but maybe it was in an email?) – thanks, as you can see nothing new has come up since. I think my idea to try and write essay-like posts only should go out the window – it turns out as too high a barrier to posting any thoughts at all…

    @Anthony – thanks for the link to your writing on the topic, it was a good read. As you said there, OpenID.net has issues with writing accessible content. I hadn’t realised that it was also hard to implement – sounds like there’s a consultancy business there once users start asking for OpenID :)

Trackback: “Too many OpenID providers? I don’t think so.” (Free Thoughts), 10 October 2008 at 15:48
