Guest post by Peter Pawan EJ from Kochi, Kerala.
How much time do you spend every time you get online, just to sign in to all the web services that you use? Back in the days of yore when I was bankrupt (and stupid) enough to connect my system to the internet through a GPRS connection via Bluetooth (a complicated setup that functions marginally faster than dial-up), it used to take me about half an hour to sign in to all of the services. I had to pull up and log into Gmail, Yahoo! Mail, Reddit, Digg, WordPress.com, and of course Facebook one by one. It was frustrating and it was a necessary evil. All in the name of security. Me, being unsatisfied as usual with the state of the art, decided that something had to be done.
And one day, I threw all caution to the wind and did the inevitable. I checked “Keep me logged in for two weeks unless I log out” on Yahoo!. I checked “Remember me” on all the log-in boxes. I allowed Firefox to remember my passwords. I sacrificed security for the sake of convenience. I saw a significant gain in efficiency and it was all good till last week when a visiting friend decided to check her mailbox while I was out fetching the drinks. Guess where she landed up? Yep! In MY mailbox, no passwords asked, and straight she goes to the draft folder and finds the email that I typed up but decided not to send her (for obvious reasons).
That incident got me thinking, among other more drastic measures of damage reduction, of ways to log into services more efficiently. If one Google login would suffice for all Google services, and if Yahoo! will similarly log me into all Yahoo! services when I log into any given Yahoo! service once… maybe all these corporate giants could decide on one common service that would authenticate a user once and for all. Obviously, I am not the first person to get this brainwave. In fact, there are services in existence that would do exactly this.
Meet Microsoft .NET Passport, a huge mistake from the granddaddy of BSODs that everyone could learn from. What Microsoft did was pretty much the same as what Google and Yahoo! did. Every user who had a Hotmail or MSN ID was informed (with much gaiety and exaltation, might I add) that he was now the proud owner of a brand new .NET Passport, which is his email ID itself. He could log into any of the Microsoft services using the same ID. He could also associate his .NET Passport with his Windows login, so he would get logged in automatically when he logged into Windows. So far so good; here is the great news. He could also use this ID to log into a lot of other allied web sites. If everything works perfectly, a user can log into his Windows user ID and find that he is automatically logged into all the web services that he uses.
Of course, nothing is perfect. All that gaiety and exaltation looked pretty pointless after the users discovered that there were few non-Microsoft websites that supported the .NET Passport. Apparently, no webmaster wanted to trust Microsoft with its user authentication process or the storage of personal user information. Well, .NET Passport made a half-assed comeback with a new name (Windows Live ID) and image, but… In a feeble attempt at putting a leash on my Microsoft-bashing pen, I will now cut abruptly to the final solution.
OpenID is not an implementation. It is a set of standards that define how it should be implemented. Anybody can implement an OpenID server and allow people to create OpenIDs. Anyone can create an OpenID for free. And any website can use OpenID to authenticate anybody. The main difference between OpenID and .NET Passport is that the user gets to choose where to register and store his OpenID and that it's free and open source.
OpenID is not yet proven to be the final solution. It has hope, and lots of it. Read about it in yesterday’s post, OpenID & Blogger Commenting.