Design Build Test Repeat

Voluntarily cast upon the waves of outrageous fortune, this lowly geek flops from peak to peak of the technological ocean. Linux, Windows, C, Ruby, Python and embedded systems all attempt to pull our stalwart hero down. Will he survive alone or will the lifeboat of corporate servitude be too tempting?

OpenID: Don’t we all have a unique address anyway?

Posted by Diarmuid on March 9, 2007

OpenID is gaining traction, and anything that can eliminate the headache of having to reimplement a password management system for every website has to be a good thing. There are implementations of it for most web languages (though there is some moaning that the .NET implementations are a port of a Python version) and a number of hosters.

My whinge about it is: why not just use email? The theory behind OpenID is that you own a URI that is unique to you. You go to the website you want to log into, type in this URL, it redirects you to the provider, you enter credentials, are logged in, then redirected back to the original site again. This is similar to the PayPal payment redirection model.

Let’s take the example of how a user of a conventional authentication system gets a password. They enter the username and password and then an email address (most sites now just use email as your username). They are sent a “click this url to prove this is you” email, which they do, and they are in. If they lose their password, they go through the same process again. Does this not show that the ultimate authentication mechanism is email?

Now, I know there are some issues with this, as email is not instantaneous if you are using POP-based email or Outlook, etc., but for most users, and all users if they would open a web-based email, it’s pretty close to instantaneous. It could be abused by users sending login emails to other users, but that is not any different from current password reset methods.

So my call to web developers: explain why email-based authentication would not work.

  1. User goes to http://www.iwanttousethiswebsite.com
  2. User types in email address myname@yahoo.com
  3. http://www.iwanttousethiswebsite.com sends an email to myname@yahoo.com
  4. The mail will contain a url like http://www.iwanttousethiswebsite.com/login/1234-2345-qqwsedtod-swqjduehs-etc-etc
  5. At the same time the site stores the relationship between this unique id and the email address
  6. User goes to email site, and opens up the email from http://www.iwanttousethiswebsite.com.
  7. They click on the url and are taken to the website, where the back end code validates the id is genuine and logs the user in.
  8. At that point the user has the opportunity to modify the data relating to them, like display name, interests etc.
  9. The next time they log in, the same thing happens
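
Steps 3 to 7 above, sketched as an added example (not code from the post or its author). The class name, the in-memory dict and the 15-minute expiry are assumptions; sending the mail itself is left out.

```python
import hashlib
import secrets
import time

BASE_URL = "http://www.iwanttousethiswebsite.com/login/"  # host from the post
TOKEN_TTL_SECONDS = 15 * 60  # assumption: a login link is valid for 15 minutes


class LoginLinkStore:
    """Hypothetical in-memory stand-in for the site's id-to-email table."""

    def __init__(self, clock=time.time):
        self._pending = {}  # sha256(id) -> (email, expires_at)
        self._clock = clock

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email):
        """Steps 3-5: create the id, record id -> email, return the URL to mail."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Only a hash is stored, so a leaked table yields no usable login links.
        self._pending[self._digest(token)] = (email, self._clock() + TOKEN_TTL_SECONDS)
        return BASE_URL + token

    def redeem(self, token):
        """Step 7: return the email to log in, or None if the id is not genuine."""
        # pop() makes the link single-use: a replayed or later-intercepted copy fails.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._clock() > expires_at:
            return None  # expired links are rejected and already removed
        return email


if __name__ == "__main__":
    store = LoginLinkStore()
    url = store.issue("myname@yahoo.com")  # address from the post's example
    token = url[len(BASE_URL):]
    print(store.redeem(token))  # first click logs the user in
    print(store.redeem(token))  # second click is refused
```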

Now, I think that would work, and I’m going to try it with a new website I am building in the area of citizen empowerment. Should be interesting.

Diarmuid

10 Responses to “OpenID: Don’t we all have a unique address anyway?”

  1. I believe the key difference is single sign-on. Once you’ve authenticated to your OpenID provider (your blog), you then are automatically authenticated to requesting sites.

    So, in your example…
    1. You go to iwanttousethiswebsite.com
    2. User types in their OpenID URI
    3. User is redirected to their OpenID URI
    4. User types their login / password / whatever information (not standardized)
    5. User is redirected to iwanttousethiswebsite.com with an authentication token

    Now, if they want to go to iwanttouseadifferentwebsite.com, they don’t have to complete step #4, so steps 3 and 5 happen _very quickly_.

    Now, I’m not sure if this is actually how it works, since I haven’t started using OpenID for anything, but this is in general the idea behind other SSO approaches.

  2. The problem with email is spam. And people are tired of that and don’t want to transmit their email address anymore. Of course it depends on people but letting my website address can prevent me from that.

    Anyway, interesting reflection.

  3. Hoack said

    I see several problems with the approach you suggest.

    1. In order to use it, it’s required that the user have access to an e-mail account (and, preferably, to the one he/she would like to have registered with the service). This immediately cuts off several huge segments of users – for example, corporate users who cannot open a web-based email on their work PC, and who don’t want to use their work email on the site.

    2. The solution requires that every time I have to log in to some site I have to receive a useless e-mail message, which I would have to manually delete afterwards. I don’t want this extra effort.

    3. In my opinion, email accounts are less secure than standalone OpenID accounts.

  4. Using email would NOT work. It’s not just that spam is a drawback, it’s totally unworkable due to other problems.

    It’s vulnerable to attack since email is typically neither encrypted in transit nor authenticated, so it’s possible for an attacker to see the plaintext of an email intended for another person just by running a sniffer and then access the login URL, logging in in their place. Ability to read unencrypted email traffic is no indicator that you are the legitimate owner of the account in question. Even trying to mitigate this risk with PKI would complicate matters since you need to verify your public key to the site you want to log into anyway. This is equivalent to the very problem we’re trying to solve.

    Ultimately though your solution is actually too complex, since what you’re proposing is out-of-band authentication, you authenticate for web access with email access. What if you’re browsing the web somewhere where you don’t have access to your email? To log in to a website, you should only need access to the web. Many email providers offer webmail, but many don’t. Email delivery often has high latency as well, so you could wait 5-10 minutes to log into a website.

    This also assumes that the website you’re trying to access has a hosting provider that lets them send email, probably not a good assumption. With OpenID you don’t need to do anything but be able to run scripts on your webhost to authenticate your users, certainly something which is already a prerequisite to offering the service itself that users are authenticating to.

  5. […] Design Build Test Repeat: So my call to web developers, explain why an email based authentication would not […]

  6. dwrenne said

    Thanks for the input guys.

    I know it is not as secure, that you have to have an accessible email account, and that people are annoyed by spam, but I think for the VAST majority of sites out there that are just run of the mill, log in to make a comment, or leave a bookmark or whatever, it would be fine. I don’t mean do your online banking with email or “authmail” as I’m calling it (copyrighted in 38.5 countries).

    BTW, this was my first use of digg ever. I had to sign in and wait for the verification email to my yahoo account. It was at least 2 minutes!!! Kind of deflates my argument a bit. Still the user could indicate when they authenticate how long the cookie is to last for, so that might only have to be once a month or however long the user wants.

    I have ordered 3 ruby on rails books from Amazon, so when I get those I’ll start on the website.

    Thanks again for the comments

    Diarmuid

  7. Ilya Lichtenstein said

    If anything, OpenID is even more insecure than email. It seems like I’m the only blogger who’s not in love with the OpenID concept. See my post here: http://neomeme.wordpress.com/2007/02/28/why-openid-is-going-to-destroy-the-internet/

  8. Doug Karr said

    I can’t imagine waiting on email to login to a system every time. As well, there would be issues with spam filters, junk email filters, full mail boxes, MTA (Mail Transfer Agent) errors, routing issues, etc.

  9. dwrenne said

    Hi Doug,
    In reality, you don’t log in every time you use a website. Even my email logs me in for 24 hours. That could be extended as long as the user wishes.

    Diarmuid

  10. jack3_ae said

    www. ru
