A Simpler Approach to Online Identity
A new service, backed by Google, lets you log in to any site using one Web account.
Many people struggle to remember scores of passwords for different websites. They often have to reset an account or dig through years of e-mail to find stored log-in information. A common trick is to use the same password for lots of accounts, but this can be a security risk, potentially allowing many accounts to be hijacked at once.
Even as identity becomes increasingly important online, it is becoming more fragmented, with users signing up for ever more websites and services. Account Chooser, a new service launched by the OpenID Foundation, an organization that includes the major websites Google, Facebook, Microsoft, and Yahoo, is the latest effort to solve this problem. Instead of having to create yet another account, Account Chooser lets users choose one account—their Gmail or Facebook log-in, for example—and then use it to log in to many other sites. The technology was developed by Eric Sachs, a Google project manager and OpenID Foundation board member. Google is backing the project by hosting the code.
Account Chooser is far from the first effort to create a single account that can be used on lots of websites. But previous endeavors, including the one launched by OpenID, have proven complicated to use. Previously, users had to create an OpenID account, and then manually link it with all of his or her other accounts, which meant figuring out which sites would accept the consolidated account as verification. A number of companies, including ClaimID and Verisign, are trying to tackle the issue with their own unified account technology, but they have so far seen limited acceptance from users and websites.
Chris Messina, developer advocate at Google, says OpenID is trying to create a system that users can easily understand, and companies can easily support. “The lack of a novice-friendly solution to authentication on the Web is one of the OpenID Foundation’s greatest opportunities,” he says.
Account Chooser lets users select any account managed by a company that has chosen to support Account Chooser, and then link that account to whichever websites they choose. It has already been implemented as the log-in page at Flickr, which now lets users access the site using not only a Yahoo account (Yahoo is Flickr’s parent company), but also a Facebook or Gmail account.
Kaliya Hamlin, an independent industry expert who is a founder of the Internet Identity Workshop, feels that identity consolidation is very important. “This should be an aspect that most people shouldn’t have to be aware of. It should just work,” she says. Hamlin believes that the Account Chooser system is the clearest way for users to understand and control how their identities are being verified.
Don Thibeau, executive director of the OpenID Foundation, says the code behind Account Chooser was released under an open source license (meaning it can be reused and modified without charge) so that Web developers can implement it more easily, and can offer users a free choice of identity provider to use with the system. Account Chooser will also support a variety of standards used for identity verification, such as OAuth, SAML, and OpenIDConnect.
Mozilla, which makes the popular Firefox Web browser, has a developed a similar approach, with a system called BrowserID. After verifying that a user owns an e-mail address, BrowserID downloads a browser add-on that can be used to identify the user to sites that support the system. Ben Adida, technical lead for identity at Mozilla, says this is more secure than Account Chooser because information flows through the user’s browser, and because it “limits the flow of information to what is strictly necessary to let users log in.”
However, both Account Chooser and BrowserID need to be widely adopted by website owners and companies in order to reach a broad audience of users. Sachs hopes that Account Chooser’s connection with Google (which is hosting the open-sourced code through the Google Identity Toolkit) will inspire other companies to join in. The full list of participants has not yet been released, but Sachs says that, besides Google, it includes companies such as Microsoft and Wordpress, and ranges from big names to small startups.
Account Chooser will be officially announced, along with more details, at the upcoming OpenID Connect Tech Summit, which starts on September 12 at Microsoft’s Research Campus in Mountain View, California. Sachs says that “many vendors will be announcing their participation in the project over the course of the summit.”
Google has set up a demo of Account Chooser here.
Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.Subscribe today