Monday, February 8, 2010

OpenID, a disturbed authentication

You can read about OpenID and how it works here.

Though OpenID is marketed and used as a distributed authentication system, there are very few providers in practice, and they are the big ones: AOL, Google, Yahoo, Facebook and so on. They have one thing in common: they are all portals whose business model relies on advertising revenue, and that business model depends on collecting as much information about the user as possible.

Let's check this scenario out:

A corporation relies on an OpenID provider to authenticate its users. When a user tries to access an application, the application checks whether the user is authenticated; if not, he or she is redirected to the OpenID provider for authentication. Once the OpenID provider performs the login ceremony and successfully authenticates the user, the user is redirected back to the application for access. Similarly, when the user logs off, the OpenID provider is notified.

Here the OpenID provider is keeping track of user login/logoff events: time stamps, which applications are accessed, the location of access, the roles of users for the various applications, changes in the user population on the corporate side, and so on. This kind of information is a gold mine for providers relying on ad revenue. The provider is also able to track user movement between corporations, as well as a corporation's user and application changes over time. Role management is also an issue: how are policies applied to users and applications, and where are they applied, on the OpenID provider or on the corporate side? Both options have an impact. If policy is applied on the corporate side there is a performance impact, but if it is applied on the OpenID provider side there is an information disclosure issue.
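To make the disclosure concrete, the following added example (not from the original post) reconstructs what a provider can learn purely from the OpenID 2.0 `checkid_setup` requests that relying parties redirect to it: who logged in, when, from which client address, and to which organisation's application. The log entries, hosts and identifiers are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample: (timestamp, client IP, query string) as received by an
# OpenID 2.0 provider when relying parties redirect users to it. Hosts,
# identifiers and times are made up; only the parameter names are real.
SAMPLE_LOG = [
    ("2010-02-08T08:02:11Z", "10.0.0.5",
     "openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup"
     "&openid.claimed_id=https%3A%2F%2Fop.example%2Fid%2Falice"
     "&openid.return_to=https%3A%2F%2Fhr.corp-a.example%2Fopenid%2Freturn"
     "&openid.realm=https%3A%2F%2Fhr.corp-a.example%2F"),
    ("2010-02-08T09:15:40Z", "10.0.0.5",
     "openid.mode=checkid_setup"
     "&openid.claimed_id=https%3A%2F%2Fop.example%2Fid%2Falice"
     "&openid.return_to=https%3A%2F%2Fpayroll.corp-a.example%2Fcb"),   # no realm
    ("2010-02-09T18:30:02Z", "198.51.100.7",
     "openid.mode=checkid_setup"
     "&openid.claimed_id=https%3A%2F%2Fop.example%2Fid%2Falice"
     "&openid.return_to=https%3A%2F%2Fjobs.corp-b.example%2Fauth%2Freturn"
     "&openid.realm=https%3A%2F%2Fjobs.corp-b.example%2F"),
    ("2010-02-08T08:05:00Z", "10.0.0.9",
     "openid.mode=checkid_setup"
     "&openid.claimed_id=https%3A%2F%2Fop.example%2Fid%2Fbob"
     "&openid.realm=https%3A%2F%2Fhr.corp-a.example%2F"),
    ("2010-02-08T08:06:00Z", "10.0.0.9", "openid.mode=check_authentication"),
]


def provider_view(log):
    """Per user, the trail the provider sees from authentication requests alone."""
    view = {}
    for ts, client_ip, query in log:
        p = {k: v[0] for k, v in parse_qs(query).items()}
        if p.get("openid.mode") != "checkid_setup":
            continue  # association/verification traffic carries no user context
        user = p["openid.claimed_id"]
        # The realm is the relying party's trust root; the return_to URL gives
        # away the same host when a relying party omits the realm.
        rp_host = urlsplit(p.get("openid.realm") or p["openid.return_to"]).hostname
        view.setdefault(user, []).append({"time": ts, "ip": client_ip, "rp": rp_host})
    return view


def organizations(view, user):
    """Distinct organisations (registrable domains) a user has been seen logging into."""
    return sorted({".".join(e["rp"].split(".")[-2:]) for e in view.get(user, [])})
```

Nothing in this reconstruction requires the provider to do anything beyond what the protocol asks of it; the trail exists in its ordinary request logs.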

It would be good to understand what corporations are thinking about using OpenID.
