Interview: Simon Willison on OpenID

OpenID expert Simon Willison shared some of his thoughts with Yahoo!'s Christian Heilmann on OpenID and the recent support by Yahoo!.

Hello Simon, it is quite hard to search for OpenID without stumbling over your name. What is it about the topic that fascinates you most?

It's really a combination of things. The first is that OpenID tackles a very real problem which affects everyone using the Web. The second is that it actually does very little - all OpenID really lets you do is "prove" that you own a specific URL, and everything else gets built on top of that one ability. Finally, I like that it's politically neutral - there have been plenty of other attempts at web- wide SSO that have failed because they relied on either a single organisation or a coalition, failing to respect the critical decentralised nature of the web.

What exactly is the problem that OpenID solves and how does it do that?

Fundamentally OpenID is about solving web-scale single sign-on. The number of sites which require users to sign in continues to explode, while those same users suffer from a severe case of sign-up fatigue. The most severe consequence of this is poor password management - users re-use the same password on many different sites, but this dramatically increases the chance that their password will be compromised - if just one of those sites has a security problem all of the user's accounts might be stolen.

With OpenID, user's just need to set one password with their OpenID provider. They can securely use that account to sign in to many different sites, without needing to manage many different passwords. Rather than Havi Hoffmanng dozens of potential attack targets, they need only focus on securing their relationship with one site.

Given that the idea of OpenID has been around for a while it is strange that it hasn't had much mainstream acceptance and coverage. What would you consider the biggest stumbling block in the way of OpenID becoming a mainstream technology.

While OpenID has seen a great deal of take-up on the provider side, there is still a notable dearth of consumers - sites which one can sign in to using an OpenID. Sites have been cautious of adopting OpenID because they don't completely understand the implications of doing so, and are often concerned that being an OpenID consumer means giving up their valuable user database. This is not the case: accepting OpenIDs doesn't mean you stop gathering user details, it just means that you don't need to store a password for every user.

Yahoo! now has started supporting OpenID. What is your opinion of the direction Yahoo! is going with it and is there something you'd like to see improved?

The Yahoo! implementation is very impressive. A major sticking point with OpenID is explaining it to users in terms that they will understand, and it's obvious that Yahoo! have put a great deal of thought in to this problem. The use of an anti-phishing seal is a nice step as well, although I'd love to see more robust phishing protection in the form of Yahoo! toolbar integration in the future. The use of OpenID 2.0's directed identity to improve usability (by allowing user's to enter just "yahoo.com" instead of their full OpenID) is a great step towards making OpenID accessible to a more mainstream audience. I'm concerned that the lack of support for OpenID 1.x may result in confusion when Yahoo! users try to sign in to other sites that have not yet upgraded to OpenID 2.0, but with careful error message design this shouldn't prove too much of a problem.

My personal dream feature would be for every one of my Yahoo! profile pages - on del.ici.ous, Upcoming, Flickr, Yahoo! Answers and more - to work as an OpenID. I'd like this not for authentication purposes but to let me "prove" my ownership of those profiles to other sites - I envisage all sorts of interesting mashups in the future based on users using OpenID to prove who they are on many different services.

Do you think Yahoo!'s move will have an impact on the common attitude towards OpenID? Who else is considering participation?

AOL quietly launched OpenID support last year, but are yet to promote it in any big way. Google have experimented with OpenID support in Blogger but so far haven't publicly shown an interest outside of that product. Microsoft announced a commitment to OpenID early in 2007 but again they have yet to follow up with an actual product launch. I think Yahoo!'s support will be an enormous boost for the adoption OpenID 2.0 and will help put OpenID in general in front of a much wider audience.

Is there any technology that you consider to be obsolete if OpenID sees wider adoption?

I don't really see OpenID as a replacement for existing technologies; it's more of an enhancement. For example, I expect sites to continue to allow users who don't understand or wish to use OpenID to sign up using a regular username and password - there's no reason a user account can't be signed in to using either a password or an OpenID.

Before OpenID become a realistic option, a number of companies created their own proprietary authentication APIs. I would not be surprised to see these slowly phased out in favour of OpenID. It certainly would not make sense to invent new proprietary authentication mechanisms now that OpenID 2.0 is a published specification.

One of the biggest concerns about internet usage is security. Is OpenID safer than other technologies and what are its vulnerabilities? Can I steal someone's identity by getting access to his computer or are there more safeguards in place?

An interesting thing about OpenID is that it doesn't actually dictate how a user should authenticate with their OpenID provider. This has some interesting consequences: it's possible for providers to have very poor security (in fact one already exists that deliberately has no security at all, allowing anyone to use any of the OpenIDs hosted at that service), but other providers are actively competing in providing a more secure service. Personally I would love to see a provider that offers one-time passwords in a disposable booklet, as is the case with some banks.

Phishing remains the number one security concern, although it affects far more than just OpenID . The most promising avenues for protection against phishing involve direct integration with the browser, either as extensions or as features built in to the browser itself. I expect to see a lot of activity in this area over the next year.

What OpenID resources do you typically refer people to?

The official site, http://openid.net/, had an excellent redesign quite recently which made it a much friendlier place for new users to find out about the technology.

See Also