Privacy matters: Web of identity

(Part 4 of this Telephony special report. Click here for the other parts.)

Internet players may have at last cracked the identity code by giving users better control over their own profiles, data and relationships. Where do service providers fit in this vision?

On the Internet, nobody knows you're a dog.

That famous catchphrase, accompanying a 1993 New Yorker cartoon, could soon go by the wayside thanks to the growing influence and real-world adoption of an alphabet-soup of would-be formats and standards that promise to move the Web from an anonymous environment to a place where users can actively manage and share their identities, content and activity with one another and the Web sites they choose.

A key milestone occurred earlier this month when some of the Web's largest players — including Google, IBM, Microsoft and Yahoo! — joined the board of the OpenID Foundation, a group that is pushing a standardized format for enabling managed user identities and universal single sign-on for the Web. Already, 10,000 sites support OpenID log-ins encompassing more than 350 million OpenID-enabled identities, numbers sure to grow as the new board members add OpenID capabilities to their sites.

With its new backing and growing momentum, OpenID has moved from interesting concept to a widely supported effort that could deliver the digital identity Holy Grail — a flexible, federated management platform enabling single-sign-on capability and managed user identity across the Web.
OpenID starts with basic password management and support for single sign-on for multiple Web sites, a capability that many past high-profile efforts — including Microsoft Passport and the Liberty Alliance — have failed to deliver. But OpenID also includes the ability to append user information to that basic identity via built-in attribute fields as well as developer-definable extensions, making it not only a password manager but also a key component for the management and sharing of rich user identities online.

“As a baseline, OpenID provides user-driven, universal single sign-on. That's very powerful,” said Gary Krall, development lead in the innovation group for security vendor VeriSign, an OpenID board member company. VeriSign is acting as an OpenID provider — adding a second-factor token-based authentication layer — and also aims to deliver security services to other OpenID providers.

“It's not the entire solution, but OpenID is a fundamental building block that's going to allow something that the Internet thus far has not seen by introducing the concepts of identity and trust,” said Bill Washburn, executive director of the OpenID Foundation.

(continued on next page)