OpenID

From Wikipedia, the free encyclopedia
Basic data

  • Current version: 2.0 (December 5, 2007)
  • Operating system: any (web-based)
  • License: usable free of charge
  • Website: openid.net

OpenID (English for "open identification") is a decentralized authentication system for web-based services. A user who has logged in once to his OpenID provider with a user name and password can then use his OpenID (a URL, also called an identifier in this context) to log in to every website that supports the system (the relying parties) without entering a user name and password there; OpenID thus follows the single sign-on principle.

OpenID is decentralized and implements the concept of URL-based identity. In this respect it is comparable to the Liberty Alliance Project, but the system is far less complex. Because of this decentralization, anyone can become an OpenID provider and operate an OpenID server.

Use

Basic principle

An OpenID identity is required to log in with OpenID. It is provided by an OpenID provider. Because of the decentralized architecture there are many different OpenID providers, and because the protocol is open, implementations exist in many programming languages. The software, which is available exclusively under open-source licenses, can be installed on one's own server, so anyone can become an OpenID provider with relatively little effort. For this reason, many websites offer OpenID identities in addition to their user accounts.

An OpenID takes the form of a URL. Usually the user name is a subdomain of the OpenID provider: username.example.com. Some providers instead use the user name as the path of the URL: example.com/username. To remain independent of any one provider, it is recommended to use a URL on your own web space as your OpenID and to delegate it to the provider you use (delegation).
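Delegation works by placing <link> tags on the page served at the user's own URL; a relying party that fetches that URL reads them to learn which provider endpoint to redirect to and which local identifier the provider knows the user by. The following parser is an added example (not code from Wikipedia or from any OpenID implementation); the page content, the host alice.example and the provider openid.example.net are constructed. It handles both the OpenID 2.0 rel values (openid2.provider, openid2.local_id) and the OpenID 1.x ones (openid.server, openid.delegate), and it only trusts tags inside <head>, since that is where the specification looks for them.

```python
"""HTML-based OpenID discovery with delegation (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: what a user might serve at https://alice.example/ to
# delegate to a hypothetical provider at openid.example.net.
SAMPLE_DELEGATION_PAGE = """<!DOCTYPE html>
<html><head>
  <title>Alice</title>
  <link rel="openid2.provider" href="https://openid.example.net/server">
  <link rel="openid2.local_id" href="https://alice.openid.example.net/">
  <link rel="openid.server" href="https://openid.example.net/server">
  <link rel="openid.delegate" href="https://alice.openid.example.net/">
</head><body>
  <p>A link tag in the body must not count:
     <link rel="openid2.provider" href="https://other.example/">
  </p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect rel -> href for <link> tags that appear inside <head> only."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            rel, href = a.get("rel"), a.get("href")
            if rel and href:
                # rel may carry several space-separated tokens; keep the first hit
                for token in rel.split():
                    self.links.setdefault(token.lower(), href)

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def _is_absolute_http(url):
    p = urlparse(url)
    return p.scheme in ("http", "https") and bool(p.netloc)


def discover(claimed_id, html):
    """Return (protocol_version, provider_endpoint, local_id), or None.

    claimed_id is the URL the user typed; html is the document fetched from
    it.  If the page does not delegate, the claimed identifier itself is the
    identifier the provider is asked about.
    """
    parser = _LinkCollector()
    parser.feed(html)
    links = parser.links
    if "openid2.provider" in links:
        endpoint = links["openid2.provider"]
        local_id = links.get("openid2.local_id", claimed_id)
        version = "2.0"
    elif "openid.server" in links:
        endpoint = links["openid.server"]
        local_id = links.get("openid.delegate", claimed_id)
        version = "1.1"
    else:
        return None
    if not _is_absolute_http(endpoint):
        return None  # reject relative or non-HTTP provider endpoints
    return version, endpoint, local_id


if __name__ == "__main__":
    print(discover("https://alice.example/", SAMPLE_DELEGATION_PAGE))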

Websites that support OpenID as a login method can still offer a classic login (user name with associated password) alongside it. If no classic login is offered, functions such as "forgot password" do not need to be implemented. Furthermore, since user names and passwords no longer have to be stored, the website operator does not have to look after their security; that responsibility shifts to the OpenID provider.

Usage details

An OpenID can be specified when registering a new user account on a website that supports OpenID login. Using OpenID Simple Registration, the website operator can obtain nine basic pieces of information from the OpenID provider, provided the OpenID user agrees to this and has stored the relevant information with the provider. It is therefore no longer strictly necessary to enter an email address and name on every OpenID-enabled website when registering. Website operators do not always make use of all nine possible pieces of information. On the other hand, a disadvantage of using OpenID exclusively is that classic elements such as user names often cannot be used, which is why full registration is often preferred.

For an existing "classic" user account on an OpenID-enabled site, it is usually possible to add or remove OpenIDs later. As soon as an OpenID has been successfully linked to the user account, it can be used instead of the usual login with user name and password.

The OpenID architecture makes it easier for the user to check a login page for authenticity, since he only has to remember the security-relevant features of a single login page instead of several, as would be the case without single sign-on. OpenID providers also add security by setting cookies, showing an individual picture, comparing the HTTP referrer with the IP address of the requester, or using a client-side TLS certificate for authentication. The latter in particular is supported by more and more providers.

For an OpenID login, the user is directed to the login page of the OpenID provider, where the actual login takes place. For security reasons, a further page then appears that names the requesting website and must be confirmed by the user. If the user has marked the requesting site as trusted, some OpenID providers allow this confirmation page to be deactivated so that it is no longer shown on subsequent logins. After the login has been confirmed by the OpenID provider, the user is redirected to the actual website in the logged-in state. The exchange of login data can be arranged so that the website receives up to nine pieces of information from the linked OpenID account with every login and is therefore always up to date; the user only needs to maintain this basic information with the OpenID provider. The user can also give permanent consent to the data transfer to the website and then no longer has to confirm it at every login.

Some OpenID providers and OpenID-enabled website operators have also implemented the newer OpenID Attribute Exchange protocol for extended data exchange in addition to Simple Registration. In that case, the data that both sides support is transferred. Here, too, the user retains full control over his data and how it is passed on.
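The relying-party side of the flow described in the two sections above (the redirect to the provider with a Simple Registration request, and the checks on the provider's answer before the user is treated as logged in) can be shown end to end. This is an added example, not code from Wikipedia or from the OpenID Foundation: the provider endpoint openid.example.net, the relying party shop.example, the association handle and the shared MAC key are constructed placeholders, and the association step (openid.mode=associate, which yields the handle and the key) is assumed to have happened already. The verification checks are the ones OpenID 2.0 requires of a relying party: the return_to URL must be its own, the mandatory fields must be covered by the signature, the HMAC over the signed fields must match, and the response nonce must not have been seen before; only then are the SREG fields read out.

```python
"""Relying party: OpenID 2.0 checkid_setup request with SREG, and assertion checks."""
import base64
import hashlib
import hmac
from urllib.parse import urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
SREG_NS = "http://openid.net/extensions/sreg/1.1"
SREG_FIELDS = ("nickname", "email", "fullname", "dob", "gender",
               "postcode", "country", "language", "timezone")
# Fields a positive assertion must cover with its signature (OpenID 2.0).
MUST_BE_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}

# Constructed placeholders for a real relying party, provider and association.
OP_ENDPOINT = "https://openid.example.net/server"
RETURN_TO = "https://shop.example/openid/return"
REALM = "https://shop.example/"
ASSOC_HANDLE = "{HMAC-SHA256}{example-handle}"
MAC_KEY = b"constructed-32-byte-shared-key!!"  # from the association step, hypothetical


def build_checkid_setup(claimed_id, local_id, required, optional):
    """URL the browser is redirected to; asks the provider for SREG data too."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": local_id,
        "openid.return_to": RETURN_TO,
        "openid.realm": REALM,
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.ns.sreg": SREG_NS,
        "openid.sreg.required": ",".join(required),
        "openid.sreg.optional": ",".join(optional),
    }
    return OP_ENDPOINT + "?" + urlencode(params)


def _kv_string(fields, signed_names):
    """Key-value form that is signed: 'name:value\\n' per signed field, in order."""
    return "".join(f"{n}:{fields['openid.' + n]}\n" for n in signed_names)


def _mac(fields, signed_names):
    digest = hmac.new(MAC_KEY, _kv_string(fields, signed_names).encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_assertion(f, seen_nonces):
    """Check an id_res response; return (True, data) or (False, reason)."""
    if f.get("openid.ns") != OPENID_NS or f.get("openid.mode") != "id_res":
        return False, "not a positive OpenID 2.0 assertion"
    if f.get("openid.return_to") != RETURN_TO:
        return False, "return_to does not match this relying party"
    if f.get("openid.op_endpoint") != OP_ENDPOINT or f.get("openid.assoc_handle") != ASSOC_HANDLE:
        return False, "unexpected provider endpoint or association handle"
    signed = f.get("openid.signed", "").split(",")
    if not MUST_BE_SIGNED.issubset(signed) or any("openid." + n not in f for n in signed):
        return False, "required fields missing from signature"
    for name in ("claimed_id", "identity"):  # must be signed whenever present
        if "openid." + name in f and name not in signed:
            return False, name + " present but unsigned"
    if not hmac.compare_digest(_mac(f, signed).encode(), f.get("openid.sig", "").encode()):
        return False, "bad signature"
    nonce = f["openid.response_nonce"]
    if nonce in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(nonce)
    sreg = {k: f["openid.sreg." + k] for k in SREG_FIELDS if "openid.sreg." + k in f}
    return True, {"claimed_id": f.get("openid.claimed_id"), "sreg": sreg}


def sample_positive_assertion(tamper=False):
    """Constructed id_res response with three SREG fields, signed like a provider would."""
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce",
              "assoc_handle", "ns.sreg", "sreg.nickname", "sreg.email", "sreg.language"]
    fields = {
        "openid.ns": OPENID_NS, "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": "https://alice.example/",
        "openid.identity": "https://alice.openid.example.net/",
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": "2007-12-05T12:00:00Zabc123",
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.ns.sreg": SREG_NS,
        "openid.sreg.nickname": "alice",
        "openid.sreg.email": "alice@example.org",
        "openid.sreg.language": "de",
        "openid.signed": ",".join(signed),
    }
    fields["openid.sig"] = _mac(fields, signed)
    if tamper:
        fields["openid.sreg.email"] = "changed@example.org"  # signature no longer matches
    return fields
```

The tamper flag illustrates why the SREG fields themselves should be in openid.signed: data that is returned but not covered by the signature could be altered on the way back through the browser without the relying party noticing.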

Development

The underlying protocol was developed in 2005 by Brad Fitzpatrick, the founder of LiveJournal. OpenID has since been developed further by Six Apart Ltd. alongside Fitzpatrick, and also by David Recordon, who moved to VeriSign; it is mostly used together with Yadis or XRIs.

In June 2007 the OpenID Foundation was founded in the USA; its task is the administration of copyright and trademark rights as well as marketing, with the aim of promoting the spread and protection of OpenID. In the same month, the OpenID Europe Foundation was founded in Belgium to pursue the same goals in Europe.

In December 2007 the OpenID 2.0 specification was adopted; some providers and websites (e.g. Yahoo!) now support only this version. Until every website supports OpenID 2.0, not every OpenID can be used everywhere.

Comparable systems that offer more functions at higher complexity are the Shibboleth, Liberty and CardSpace projects, which are based on the Security Assertion Markup Language (SAML).

The OpenID Foundation wants to supplement the OpenID standard with the Account Chooser, which is intended to be especially easy to use.

Distribution

In addition to countless small blogs and web portals, industry giants have implemented the standard and ensure its wide use. Yahoo has implemented support; other companies such as Google, IBM, Microsoft, Myspace, PayPal and VeriSign also support the standard, and some of these implementations are already in use. This brings the number of active accounts to 368 million (as of January 2008). The options for using these accounts are still limited at present, since these providers do assign OpenID URLs to their users but do not allow third-party accounts to log in to their own sites.

In April 2009, however, Facebook announced full implementation of OpenID. Facebook users can now authenticate themselves with the OpenIDs of any provider, which raises the potential user base of OpenID to at least 1.23 billion.

So far, Google has integrated OpenID only for Yahoo customers: on first login, no email is sent; instead, the user is forwarded to Yahoo's OpenID service.

According to the German Federal Office for Information Security, around 50,000 Internet sites accepted OpenID in the third quarter of 2009.

OpenID is meanwhile increasingly being replaced by OAuth in combination with OpenID Connect, which offers more options.

Criticism

OpenID's technology is vulnerable to phishing attacks, because a redirect to the website of the OpenID provider is necessary. The operator of a website that uses OpenID for login could redirect the user to a page that resembles the provider's website but acts as a proxy and forwards the user name and password to the operator.

Web links

Specialized OpenID providers

  • Active services
    • my.xlogon.net - German OpenID provider; multiple identities, multiple personas, SSL-secured only, anti-phishing support
    • Log In with PayPal - international OpenID provider offering various authentication methods such as user name/password, and the option of integrating OpenID into shop and payment systems, both online and offline. This allows a very simple and fast link between the OpenID and a payment method.
    • OpenID Deutsche Telekom (PDF) - presentation on "OpenID Connect @ Deutsche Telekom" (2014)
    • ID4me - international non-profit organization that uses domains and the Domain Name System (DNS) as the basis for electronic identities and combines them with the established OpenID Connect and OAuth standards

References

  1. OpenID: Store access data centrally and securely on the web. Retrieved July 21, 2011.
  2. openid.net - Specification (English)
  3. OpenID Simple Registration, section 4, Response Format: nine parameters: nickname, email (email address), fullname (real name), dob (date of birth), gender, postcode (zip code), country, language, timezone
  4. OpenID Foundation makes a new attempt. Retrieved September 18, 2011.
  5. Golem.de - Yahoo becomes OpenID-enabled
  6. TechCrunch - OpenID Welcomes Microsoft, Google, Verisign and IBM (English)
  7. insidefacebook.com - Facebook announces support for OpenID
  8. Facebook cracks the growth code. In: Frankfurter Allgemeine Zeitung, January 30, 2014. Accessed April 29, 2014.
  9. Management report - 3rd quarter 2009 (PDF). Federal Office for Information Security, 2009, p. 10. Accessed January 17, 2011.