User authentication is a key component of security practices. To allow certain operations in your websites, you first need to authenticate the user. To achieve this, there are plenty of methods. The most common is the login / password pair. Not the most secure but quite easy to deploy. One of the weakness of passwords is that we need more and more of them to authenticate against lot of different services and using the same credentials for all of them is certainly not the best way to manage them. Also, to enter passwords is really boring and save them in your browser configuration is not the best idea at all.
One of the access control technology to avoid repetitive login procedures is called SSO or Single Sign On: It allows you to authenticate ONCE and use MANY resources. Sounds very interesting but, on the other side, complicated to implement.
That’s why OpenID has been developed! Once authenticated against an OpenID server, you are free to use all services compatible with this system. OpenID offers not only classic password but also strong authentications with multiple factors (Token, Smartcard or USB key). It’s a plus for both side: webmasters can replace their local authentication method by OpenID and users can authenticate to more websites once recognized by an OpenID server.
OpenID is based on open source code and seems to be a good alternative to a self-made SSO system.
There is an online directory of websites supporting OpenID. And there are already Belgian sites!
I created my own OpenID to test the system. To be honest, it works quite well: Once you visit a compatible website, you can still choose the classic authentication method or OpenID. In the second case, you give your OpenID url and if required, you’ll be temporary redirected to the OpenID website for authentication.
Even if the system runs quite well (I didn’t yet performed a lot of tests), questions are coming:
- What about confidentiality? Can we trust OpenID? Who’s behind?
- What about performance? (it seems that servers are not available from time to time
- How to revoke your OpenID?
A plugin already exists for WordPress, I’ll try to install it on this blog! More to come!