By Larry Drebes | Posted on April 20, 2007
One of the most appealing features of OpenID is being able to consolidate your login authentication around a single OpenID server. This means that instead of creating and remembering a new password for every new site you want to visit, you can use a single (strong!) password at an OpenID provider like myopenid.com, and use your login there as your credentials for any OpenID-enabled site you want to visit.
That’s the benefit of "Single Sign-On" (SSO): log in once, roam anywhere. Not only does this reduce the burden of creating and remembering different passwords (you don’t use the same password at different sites, right?) down to dealing with a single password, it keeps all the other sites out of the loop regarding your password. They never have access to your password.
That’s a powerful enhancement to the web experience for many users, being able to collapse dozens of passwords down to just one. Now, with the introduction of JanRain’s client certificate feature at myopenid.com, users who want to can choose the "zero password" option for managing their login.
The client certificate feature of myopenid.com utilizes the built-in key-generation and X.509 certificate provisioning functions of your browser. When you choose this option for logging in to myopenid.com, you present the client certificate in lieu of your password, and this certificate, which is stored in the browser, makes logging in a breeze. I’ve been using it for a while now, and while I’m quite happy with the basic improvements of SSO and just managing a single password, the client certificate makes logging in to myopenid so quick and easy that I’m able to adopt a stricter, stronger login policy (make me log in to myopenid.com every time I authenticate to an external website, for example) without it becoming a headache.
That last point, that the certificate lives in the browser, is worth thinking about before you decide to use client certificates. When you are away from your machine, your password goes with you (or at least that’s how it’s supposed to work); anyone trying anything fishy on your machine should not be trivially able to pose as you when supplying credentials to myopenid.com or any other service. However, my experience with friends and family suggests that it’s quite common to use the "auto-fill password" features of the browser, which presents a similar problem to client certificates: someone who gets hold of your machine can effectively be you, since your browser will automatically fill in your stored credentials at login time.
There isn’t a right or wrong answer here. There’s always a trade-off between risk and convenience; the important part is making sure people are able to make an informed decision about the inevitable trade-offs. Using client certificates provides an improvement in convenience, but does bring with it the risks of having someone easily be you in the online sense if they have access to your computer. As long as the benefits and risks are clearly in view, users are empowered to choose according to their own priorities and constraints.
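The login flow described above, as an added example that is not part of the original post and not myopenid.com’s own code: the provider issues each user a client certificate from its own CA, and logging in is a mutual-TLS handshake in which the browser presents that certificate instead of a password. Everything here is constructed for illustration and uses only Go’s standard library: the CA name, the hostname provider.example, the user "alice", and issueCert, which stands in for the browser’s key generation plus the provider’s enrollment step (the post does not describe that exchange). The revoked map is an assumption added to address the lost-machine risk the post raises: if a laptop holding the certificate is lost or shared, the provider can refuse that certificate’s serial number, so the browser on that machine can no longer "be" the user.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issueCert mints a certificate for cn in role "ca" (self-signed root; parent/parentKey ignored),
// "server" (the provider's TLS cert) or "client" (a user's browser cert). Hypothetical stand-in
// for the browser's key generation plus the provider's signing step.
func issueCert(cn string, serial int64, role string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	switch role {
	case "server":
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn} // browsers match the provider's hostname against the SAN
	case "client":
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	default: // self-signed root CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// loginOverTLS runs a mutual-TLS handshake over loopback between a "browser" and the provider. The
// provider accepts only certificates chaining to its own CA, refuses revoked serials (a lost or shared
// machine) and returns the subject CN as the login identity; no password is exchanged.
func loginOverTLS(ca, srvCert *x509.Certificate, srvKey ed25519.PrivateKey, cliCert *x509.Certificate, cliKey ed25519.PrivateKey, revoked map[string]bool) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	var id string
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no certificate, no login
		ClientCAs:    roots,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			leaf := chains[0][0] // only reached once the chain verified against ClientCAs
			if revoked[leaf.SerialNumber.String()] {
				return fmt.Errorf("certificate %s revoked", leaf.SerialNumber)
			}
			id = leaf.Subject.CommonName
			return nil
		},
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			err = tls.Server(conn, srvCfg).Handshake()
			conn.Close()
		}
		done <- err
	}()
	cli, cliErr := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:      roots,
		ServerName:   srvCert.Subject.CommonName,
		Certificates: []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}},
	})
	ln.Close() // the one connection is in; this also unblocks Accept if the dial never arrived
	if err := <-done; err != nil {
		cliErr = err // the provider's verdict is the one that matters
	}
	if cli != nil {
		cli.Close()
	}
	return id, cliErr
}

func main() {
	ca, caKey := issueCert("Example provider client CA", 1, "ca", nil, nil)
	srv, srvKey := issueCert("provider.example", 2, "server", ca, caKey)
	alice, aliceKey := issueCert("alice", 3, "client", ca, caKey)
	fmt.Println(loginOverTLS(ca, srv, srvKey, alice, aliceKey, nil)) // alice <nil>
}
```

Two checks a practitioner would run against this alongside the happy path: a certificate that merely claims to be "alice" but was signed by some other CA, and alice’s own certificate after its serial has been put on the revoked list; loginOverTLS returns an error for both, so the provider never learns an identity from them. The revocation list is a plain map here; a real provider would consult its user database, a CRL or an OCSP responder, and ideally issue short-lived certificates so that a forgotten revocation expires on its own.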