Identity standards aren’t sexy. Biometrics, encryption apps and systems that enable high-assurance authentication get much of the attention but standards that make all these technologies work across the Internet are a necessity.
OpenID is one of these underlying technologies and the latest version of the standard – OpenID Connect – has been ratified as an official standard by the OpenID Foundation members. Internet and mobile companies have implemented OpenID Connect worldwide, including Google, Microsoft, Deutsche Telekom, Salesforce, Ping Identity, Nomura Research Institute, mobile network operators, and other companies and organizations. The standard will be built into commercial products and implemented in open-source libraries for global deployments.
The team that has helped create OpenID Connect is one composed of rivals. Google, Microsoft and others, all competitors working to try and solve the digital identity problem, says Don Thibeau, executive director of the OpenID Foundation. The mobile operators are also on board with the GSMA and its 650 mobile network operators endorsing OpenID Connect.
The basic idea behind the standard is one interoperability. “Interoperability is at the heart of a more secure, privacy protecting, user centric Internet,” Thibeau says.
How it works
From the consumer perspective, OpenID Connect may not look much different than other federated identity systems. “If you have an account that supports OpenID Connect it can be used to sign you in to other places,” says Mike Jones, director of Identity Partnerships at Microsoft.
A consumer would login to an identity provider – social networking, e-commerce or other type of site that uses OpenID Connect – and then be able to use that identity elsewhere. But before giving up any personal information to the other site OpenID Connect makes sure the consumer knows what information they are giving up. “The identity provider knows that you’re being asked to give up certain information to the relying party and it will ask if you’re ok, similar to installing a new app,” Jones explains.
At its core OpenID Connect is designed to exchange identity messages over a range of use cases, Jones says. Sitting at a workstation, using a mobile device, accessing information from the cloud or a secure network, Open ID connect will work the same way.
The standard is also focused on privacy. While it can be used for access to multiple sites, the same identifier isn’t used across all the sites, Jones says. “If I’m logging into a site it might know me as a certain number but at another site I will be another number,” Jones explains.
The spec can also scale across assurance levels, enabling different levels of assurance depending on the site, Jones says.
Despite just being ratified, OpenID Connect has been in use for some time. Google has OpenID Connect embedded into Android, says Tim Bray, former Google identity guru and co-founder of the XML specification. “On Android we have built in an API so than an app can make an inquiry and get an identity token,” he explains. “It sends it to the backend system as a way to say ‘yes,’ this message was sent form someone with an identity.”
All of this can be done on a mobile device without a user having to keep reentering user names and passwords. “OpenID Connect gives you easy access to use cryptographic assertions that say this person was authenticated and wanted to share that information with the app,” Bray says. “Once the app has that assertion you can do anything with it.”
While Google has deployed OpenID Connect on Android, Deutsche Telekom is rolling it out for its Internet subscribers, says Torsten Lodderstedt, senior product owner for identity management at Deutsche Telekom. Germany’s second largest email provider wants to be an identity provider and is using OpenID Connect as the backbone.
Deutsche Telekom introduced OpenID Connect in mid-2013 and integrated it with PATH, a social networking site. The telecom giant is also working to enable customers the ability to use the Deutsche Telekom ID on other sites as well.
The Massachusetts Institute of Technology had also rolled out OpenID Connect and is exploring many potential uses of the standard. The school has a long history with authentication technology having developed the Kerberos protocol in the 1980s that was the engine for Microsoft Windows 2000, says Thomas Hardjono, technical lead and executive director at MIT’s Kerberos Consortium.
The consortium was originally founded to do upkeep on the Kerberos code but had since refocused to look at personal data and emerging standards in identity management. It was there that OpenID Connect caught the eye of the consortium.
The school started testing the standard and plans to roll it out for use on the school’s mobile app, Hardjono says. “We want to use OpenID Connect as the authentication mechanism for these non-critical app,” he says.
The MIT app enables students to access several different services at the school. These services aren’t necessary the most secure but still require a credential to access, for example information about laundry machine availability, student dining and other data sources, Hardjono says.
Long term, MIT wants to use the system with single sign-on and federation for access to services outside of the school, Hardjono explains. At first it might be something as simple as enabling transcripts to be sent to an employer but eventually it might be more. “The MIT email address stays with them for life,” he says. “A bigger version of it might be for MIT to become an ID provider.”
OpenID 2.0 – the previous version before Connect – was widely used as well, but Connect is more developer friendly, Bray says. “There was some pain around interoperability,” he says. Connect, then, is designed to be easier to work with for web developers.
Deutsche Telekom has had an easier time integrating apps with OpenID Connect than OpenID 2.0. “It supports all integrations from Oauth that wasn’t possible before,” Lodderstedt says. OAuth 2.0 defines consistent, flexible authentication, authorization and policy architecture for Web servers, mobile applications and devices attempting to communicate with Cloud APIs.
OpenID Connect builds on the foundation of open identity and security standards like OAuth 2.0 and TLS – also known as SSL or “https.” As a result, it has the advantage of being easier for developers to implement and deploy than other identity protocols, enabling simpler deployments without sacrificing security.