A decision by major vendors like Microsoft and Google to support an online single sign-on project may mean IT managers need to reconsider their identity management strategy.
The OpenID Foundation on Thursday said VeriSign and Yahoo have also become members of its board, offering a major boost towards a system that aims to use one user name and password combination to access a variety of Web sites. OpenID, which was started by LiveJournal creator Brad Fitzpatrick, claims more than 10,000 Web sites have implemented its framework. The support of Yahoo will substantially increase its potential user base, as the search and portal firm said its 248 million active registered users could use their logins on other OpenID sites last month.
“It’s evidence that there is a new identity layer of the Web that is emergent and that really needs to be attended to and built up in a way that works for everybody,” OpenID Foundation executive director Bill Washburn said. “A lot of the work that’s happened with OpenID is from real young, excited and obviously highly intelligent individuals who are in that place where they don’t know it can’t be done, so they go ahead and do it.”
Nico Popp, VeriSign’s vice-president of innovation, said his organization has been unofficially involved with OpenID for two years, contributing to open source libraries and working on the specification. The reason the members are going public now, he said, is that they have finally come to an agreement on how to handle intellectual property related to the framework’s development.
The idea of an online single sign-on has been something of an IT industry Holy Grail. Microsoft tried, and failed, to develop a platform called Passport, while Sun Microsystems and private sector firms like the Royal Bank of Canada formed a coalition called the Liberty Alliance to achieve similar objectives.
“A lot of these things didn’t have a grassroots effort,” Popp observed. “It was either the vendors, or a big company trying to do that on its own.”
Anthony Nadalin, chief security architect for IBM Tivoli Software, noted that previous efforts around online ID management were focused on the enterprise, whereas OpenID is more of a consumer play. That said, everyday individuals will no doubt use such systems at work, which means IT managers will need to pay close attention to them.
“I don’t think you’re going to see enterprises go out and change the PKI infrastructure in their shops,” he said. “There needs to be some bridging that happens between OpenID and what happens on the back end as far as access to applications. And it should be done in a seamless way.”
Popp agreed, adding that while OpenID claims a large number of supporting Web sites, many of them aren’t the kind of portals consumers use every day. “You’ll start seeing the (OpenID) technologies embedded into these (identity management) solutions. They will be part of the software, part of the services that they acquire or integrate within the enterprise.”
Another linchpin for adoption of OpenID will be commercial providers that allow users to make payments and that identify users of software-as-a-service systems such as Salesforce.com, said Andras Cser, Forrester’s senior analyst of security and risk management.
“What was announced today was not new protocols, it was support of something that’s been in existence for a while,” he said. “The technology is simple enough that really anyone can implement.”
A big focus over the next year will be on data portability – moving photos and text across social networking sites, for example – as well as better user experience, said Popp.
“There’s still too much typing in OpenID. We need to create this one or zero-click user experience. We’ve got to create more convenience,” he said.