Over 16 months after first declaring its support for the OpenID authentication platform, Microsoft has finally implemented it for the first time, allowing for OpenID logins on its Health Vault medical site. Unfortunately, Health Vault will only support authentication from two OpenID providers: Trustbearer and Verisign. Whatever happened to the Open in OpenID?
The rationale behind the limited introduction is that health is sensitive, so access should be limited to the few, most trusted OpenID providers. It certainly makes sense, but it also serves to underscore one of the problems inherent to OpenID: security.
The text-based passwords found scattered across the web simply aren’t very good for protection. We’ve heard countless tales of hacked or phished passwords leading to identity theft - what happens when a user’s entire web presence (including financial and health data) is tied to a single password? It’s a recipe for disaster.
To remedy the issue, a number of companies have come up with different ways to improve security. Trustbearer requires users to provide a physical ID “token” to verify their identity (users can order a $40 USB stick if they don’t already have one of the acceptable ID cards). Vidoop offers a free browser-based image authentication system that uses advertising to generate revenue. And so on.
With every new security measure comes a new, subjective, stratification of the system. The promise of OpenID is a platform that “eliminates the need for multiple usernames across different websites, simplifying your online experience.” But by only accepting “secure” OpenID providers, Microsoft has demonstated that this system is by no means unified in its current form. Soon users will need to remember their “secure” OpenID, along with their “normal” credentials. And what happens when another provider comes along with an “uber-secure” ID, forcing users to remember yet another login?
There are a number of companies besides Microsoft that could be criticized for their slow or poor implementation of OpenID - Google, which has become an OpenID provider through its Blogger property, has yet to implement the platform on any of its flagship services. But it seems that the platform itself may be even more deserving of scrutiny. What good is a unified login when its default form will only be accepted on the least private and secure sites?
Aliens have abducted Jerry Yang. Hear more tonight on Coast-to-Coast.
Who wants to invest in a new Thawte for OpenIDs and racket up some space cash? I still have some cash to invest in such a project.
Is there anybody doing a neo-thawte for openID?
This is going to turn OpenID into Certificate Authority 2.0
Does anybody have investment tips on new players that are riding in like Thawte did way back when?
That’s like the only investment I would consider a sure thing.
I thought OpenID was for leaving comments on blogs and stuff. Do I really want to trust my complete medical history to my Livejournal login?!?
Blogger also accepts OpenID logins when commenting on blogs beyond acting as an OpenID Provider.
What I think this really shows is that Microsoft believes OpenID can be made secure enough to access health records if OpenID Providers take the appropriate measures. OpenID certainly has come a long way from where it started and if it helps to reduce the use of passwords online then that is a great thing!
lol….openid in the place will want their data to be not so open
lol….openid in the place people will want their data to be not so open
sorry about the double comment…i forgot people
Oh man, that’s the best non-accepting announcement ever. I don’t like the idea of OpenID in the first place — I’d rather only myself and the third-party I’m engaged with were the only two privy to my details — and this announcement just takes the cake. If it doesn’t have universality, what does it have?
Besides which, when some breech happens down the line where users are enticed into entering their passwords into some totally bogus website because they don’t have that basic domainpassword link in their head anymore, will OpenID be responsible? I know the username and password are supposed ot be typed in separately, but I think it’s just one more vulnerability when we’ve only finally begun to get it that you don’t enter you name and password except when you’re sure you’re on the website you intend.
I’m happy with having control of separate logins and passwords, and I hope it stays that way until something truly better comes. For now, I’m not going to support something jsut because the name starts with ‘Open’.
My opinion only– but Down With OpenID!
morgan - spoofing the login page of an openid provider is a problem, but its been a problem since the start of https. the solution to spoofing any https site, invented long before openid, are client-side certificates. myopenid.com for example supports the use of client-side certs so you know you’re talking to your provider.
Microsoft’s acquisition (barely noted in the blogosphere) of Credentica is the way it should be done. That’s serious shit.
Just like Morgan says above, “I’d rather only myself and the third-party I’m engaged with were the only two privy to my details ” and that is key.
Cardspace failed b/c it didn’t work like this, so will the announcement of w/e oracle, google, et al that was announced today. Same with OATH, and the others.
Obviously a username and password are not secure. But most people are lazy and they don’t like having to carry around a token or remember some stupid picture.
The only hope is to do two factor authentication when a person is away from their home or office computer, and do it in a way that is easy (ie: one time code via telephone). There are a number of providers doing this, one of popular ones being TeleSign
The OpenID provider MyOpenID supports CallVerifID. Two-factor authentication using your mobile phone. It works great! It is free and fully optional. It is up to the user to decide how secure his/her OpenID should be.
Just to be clear, we’re quite optimistic about the future of OpenID… it is great that the platform is evolving both within the standard (e.g., through PAPE) and on top of it (e.g., with second factors such as information cards and OTP devices). More detail about our thoughts around identity choice at HealthVault are on my blog here: http://blogs.msdn.com/familyhe.....vault.aspx.
The “Open” in OpenID means that consumers can make their own policy decisions around how and where they use it; this is a great example of that openness in action and Microsoft should be applauded for it. I’ve written more about this on my blog: http://simonwillison.net/2008/Jun/24/openid/
I’m curious why they didn’t whitelist myopenid.net, since it’s run by JanRain who…if anyone… should be quite secure. Makes me think there’s more to Microsoft’s move than meets the eye.
This article displays a complete lack of understanding of the OpenID platform and it’s potential.
Yes there are possible security concerns, but as Simon said one of the beauties of the Platform is that you are able to choose your own security level and features from the provider. Using the Vidoop system, for example, requires a combination of browser verification, text/call ahead, and varying images to complete prevent any security concerns that may arise.
The problems that OpenID face aren’t security concerns, this is just an example of Microsoft being Microsoft, and doing anything but being open. Rather the issue is still with usability on the end user perspective.
“What good is a unified login when its default form will only be accepted on the least private and secure sites?”
I’ll tell you what good it is. For every social network, blog, news service, or any other service where security isn’t a major issue, OpenID provides you with one login and one password. If you can’t see the value in that, maybe you shouldn’t be writing articles on web technology.
I follow the link to healthvault.com, but I see no OpenID login there, only Windows LiveID. What gives?
I’d like to see Bill Gates and Steve Ballmer volunteer to be the first to put all their health and personal data into a Microsoft website.
Only 17 comments before an unprovoked ad hominem attacks, nice one Carlton.
Security is always important. Sure, health data is more important than your social network. But security is a major issue for any application storing user data. If you can’t see the importance in that, maybe you shouldn’t be writing articles on web technology. (see what i did there?)
I want to believe in OpenID, but the project is still subject to the whims of the companies issueing and accepting the system. So until it’s dead simple to use, makes sense in a much clearer way (as in, who do I know takes this, why oh why is like having a Discover card when most places take Visa?), then this project is going to go nowhere fast.
The idea is really simple, provide a simple, but effective authentication point for users to use a multitude of services. I’m not going to purchase $40 flash drive to do that. There has to be a btter way, though I imagine that better way will also have to be able to track users through a system. Security becomes a major concern, but no matter how much security we have, someone can always break it. there needs to be a balance between ease of use and security and there will still be a human factor involved to help track down thieves.
Maybe this is why logins on larger sites like Google, Yahoo, and MSN are great for network wide logins, but getting them to play nice with each other is just going to be a pain in the but. Fragmenting the data makes it harder to track.
hmmm… interesting article and comments.
I work for Vidoop and we run a OpenID provider http://myVidoop.com which is resistant to all the forms of hacking that @Morgan and others mention. An OpenID account with a provider that has a two factor authentication system like Vidoop, Verisign, etc. is far more secure than a plain username/password.
@Eric Nelson +1
@Pandrogas We completely agree, where there is a will there is usually a way. We believe that the ImageShield which powers myVidoop is a good compromise. It gives you easy to use, solid, and reliable two factor authentication, without the need for any extra software or hardware to install.
+1 for David Recordon and Simon Willison. This is a great development for OpenID and consumers. Medical information is sensitive stuff so its important that the right balance between convenience, privacy, and security is made. At least 3 stakeholders requirements need to be addressed - the consumer, the content provider, and the technology infrastructure provider. Its not always obvious how to balance those needs. Microsoft is taking a proactive stance to show that the OpenID platform can address those needs. No doubt HealthVault will evolve over time to incorporate more OpenID providers and security options.
As Devon Young and Berry point out, myOpenID does provide a range of security features including InfoCard and SSL certificate authentication, CallVerifID 2-factor phone-based authentication, and anti-phishing site verification images. Hopefully, over time, HealthVault will begin to accept more OpenID providers that meet their security requirements.
As Microsoft and others continue rolling out more OpenID-enabled services, and as OpenID providers expand their capabilities, the ecosystem will grow and evolve in ways that benefit all the stakeholders.