A Simpler Approach to Online Identity

A new service, backed by Google, lets you log in to any site using one Web account.

Many people struggle to remember scores of passwords for different websites. They often have to reset an account or dig through years of e-mail to find stored log-in information. A common trick is to use the same password for lots of accounts, but this can be a security risk, potentially allowing many accounts to be hijacked at once.

Even as identity becomes increasingly important online, it is becoming more fragmented, with users signing up for ever more websites and services. Account Chooser, a new service launched by the OpenID Foundation, an organization that includes the major websites Google, Facebook, Microsoft, and Yahoo, is the latest effort to solve this problem. Instead of having to create yet another account, Account Chooser lets users choose one account—their Gmail or Facebook log-in, for example—and then use it to log in to many other sites. The technology was developed by Eric Sachs, a Google project manager and OpenID Foundation board member. Google is backing the project by hosting the code.

Easy in: Account Chooser is an effort to make it easier for users to consolidate their log-in information using a single account.

Account Chooser is far from the first effort to create a single account that can be used on lots of websites. But previous endeavors, including the one launched by OpenID, have proven complicated to use. Previously, users had to create an OpenID account and then manually link it with all of their other accounts, which meant figuring out which sites would accept the consolidated account as verification. A number of companies, including ClaimID and Verisign, are trying to tackle the issue with their own unified account technology, but they have so far seen limited acceptance from users and websites.

Chris Messina, developer advocate at Google, says OpenID is trying to create a system that users can easily understand, and companies can easily support. “The lack of a novice-friendly solution to authentication on the Web is one of the OpenID Foundation’s greatest opportunities,” he says.

Account Chooser lets users select any account managed by a company that has chosen to support Account Chooser, and then link that account to whichever websites they choose. It has already been implemented as the log-in page at Flickr, which now lets users access the site using not only a Yahoo account (Yahoo is Flickr’s parent company), but also a Facebook or Gmail account.

Kaliya Hamlin, an independent industry expert who is a founder of the Internet Identity Workshop, feels that identity consolidation is very important. “This should be an aspect that most people shouldn’t have to be aware of. It should just work,” she says. Hamlin believes that the Account Chooser system is the clearest way for users to understand and control how their identities are being verified.

Don Thibeau, executive director of the OpenID Foundation, says the code behind Account Chooser was released under an open source license (meaning it can be reused and modified without charge) so that Web developers can implement it more easily, and can offer users a free choice of identity provider to use with the system. Account Chooser will also support a variety of standards used for identity verification, such as OAuth, SAML, and OpenID Connect.

Mozilla, which makes the popular Firefox Web browser, has developed a similar approach, with a system called BrowserID. After verifying that a user owns an e-mail address, BrowserID downloads a browser add-on that can be used to identify the user to sites that support the system. Ben Adida, technical lead for identity at Mozilla, says this is more secure than Account Chooser because information flows through the user’s browser, and because it “limits the flow of information to what is strictly necessary to let users log in.”

However, both Account Chooser and BrowserID need to be widely adopted by website owners and companies in order to reach a broad audience of users. Sachs hopes that Account Chooser’s connection with Google (which is hosting the open-sourced code through the Google Identity Toolkit) will inspire other companies to join in. The full list of participants has not yet been released, but Sachs says that, besides Google, it includes companies such as Microsoft and WordPress, and ranges from big names to small startups.

Account Chooser will be officially announced, along with more details, at the upcoming OpenID Connect Tech Summit, which starts on September 12 at Microsoft’s Research Campus in Mountain View, California. Sachs says that “many vendors will be announcing their participation in the project over the course of the summit.”

Google has set up a demo of Account Chooser here.
