Over 16 months after first declaring its support for the OpenID authentication platform, Microsoft has finally implemented it for the first time, allowing OpenID logins on its HealthVault medical site. Unfortunately, HealthVault will only accept authentication from two OpenID providers: Trustbearer and Verisign. Whatever happened to the Open in OpenID?
The rationale behind the limited introduction is that health is sensitive, so access should be limited to the few, most trusted OpenID providers. It certainly makes sense, but it also serves to underscore one of the problems inherent to OpenID: security.
The text-based passwords found scattered across the web simply aren’t very good for protection. We’ve heard countless tales of hacked or phished passwords leading to identity theft – what happens when a user’s entire web presence (including financial and health data) is tied to a single password? It’s a recipe for disaster.
To remedy the issue, a number of companies have come up with different ways to improve security. Trustbearer requires users to provide a physical ID “token” to verify their identity (users can order a $40 USB stick if they don’t already have one of the acceptable ID cards). Vidoop offers a free browser-based image authentication system that uses advertising to generate revenue. And so on.
With every new security measure comes a new, subjective stratification of the system. The promise of OpenID is a platform that “eliminates the need for multiple usernames across different websites, simplifying your online experience.” But by only accepting “secure” OpenID providers, Microsoft has demonstrated that this system is by no means unified in its current form. Soon users will need to remember their “secure” OpenID along with their “normal” credentials. And what happens when another provider comes along with an “uber-secure” ID, forcing users to remember yet another login?
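To make the provider-allowlist idea in the two paragraphs above concrete, here is an added example of how a relying party might enforce it; this is illustrative code written for this page, not HealthVault's or Microsoft's implementation, and every hostname, endpoint and assurance label in it is constructed. The point it shows is that the decision has to rest on the OpenID provider (OP) endpoint found by discovery, not on the text of the claimed identifier, and that tiered "normal" versus "secure" providers turn a single allowlist into a per-site policy.

```python
from urllib.parse import urlparse

# Constructed allowlist: OP endpoint host -> assurance tier assigned by the site.
# These hostnames are placeholders, not the real Trustbearer or Verisign endpoints.
TRUSTED_PROVIDERS = {
    "op.trustbearer.example": "hardware-token",
    "pip.verisign.example": "secure",
    "openid.blogger.example": "basic",
}

# Ordering of tiers so a site can demand "at least this strong".
LEVEL_RANK = {"basic": 1, "secure": 2, "hardware-token": 3}

# Constructed stand-in for OpenID discovery: claimed identifier -> OP endpoint
# that Yadis/HTML discovery on the identifier would return.
DISCOVERY = {
    "https://alice.trustbearer.example/": "https://op.trustbearer.example/auth",
    "https://bob.verisign.example/": "https://pip.verisign.example/server",
    "https://carol.blogger.example/": "https://openid.blogger.example/openid-server",
    # Self-hosted identifier delegating to an OP the site has never heard of.
    "https://dave.example.net/": "https://openid.dave.example.net/server",
    # Identifier whose hostname merely contains a trusted provider's name,
    # but which delegates to an unrelated OP.
    "https://eve.verisign.example.attacker.example/": "https://evil.example/server",
}


def discover(claimed_id):
    """Return the OP endpoint for a claimed identifier, or None if discovery fails."""
    return DISCOVERY.get(claimed_id)


def provider_level(op_endpoint):
    """Look up the assurance tier of the discovered OP endpoint's host."""
    return TRUSTED_PROVIDERS.get(urlparse(op_endpoint).hostname)


def naive_accept(claimed_id):
    """The check to avoid: substring-matching provider names in the claimed identifier."""
    host = urlparse(claimed_id).hostname or ""
    return any(name in host for name in ("trustbearer.example", "verisign.example"))


def accept_login(claimed_id, required_level):
    """Relying-party decision: (accepted, tier-or-reason), keyed on the discovered OP."""
    op = discover(claimed_id)
    if op is None:
        return False, "discovery failed"
    if urlparse(op).scheme != "https":
        return False, "OP endpoint not HTTPS"
    level = provider_level(op)
    if level is None:
        return False, "OP not in allowlist"
    if LEVEL_RANK[level] < LEVEL_RANK[required_level]:
        return False, f"provider tier {level} below required {required_level}"
    return True, level


if __name__ == "__main__":
    for cid in DISCOVERY:
        print(cid, "->", accept_login(cid, "secure"), "naive:", naive_accept(cid))
```

Run with a `required_level` of `"secure"` to model the HealthVault-style policy: Alice and Bob get in, Carol's basic provider is refused, Dave's self-hosted OP is unknown, and Eve is rejected even though the naive substring check would have admitted her. Raising or lowering `required_level` per site is exactly the stratification the article complains about, now visible as a parameter.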
There are a number of companies besides Microsoft that could be criticized for their slow or poor implementation of OpenID – Google, which has become an OpenID provider through its Blogger property, has yet to implement the platform on any of its flagship services. But it seems that the platform itself may be even more deserving of scrutiny. What good is a unified login when its default form will only be accepted on the least private and secure sites?