Northwestern and OpenID
Background
Just over a year ago I discovered a vulnerability in Northwestern University's centralized authentication system. It would have allowed an attacker to steal a person's username and password, if the attacker could get the victim to authenticate using a specially-crafted URL. I probed and saw other details about the system that raised my hackles.
Idea
Thinking back on the authentication system's design, I have realized that Northwestern could easily push forward into the 21st century by implementing the system using OpenID. All Northwestern users would then be able to authenticate anywhere on the internet (that is, anywhere that supports OpenID) using a Northwestern URL such as http://id.northwestern.edu/kurtmckee.
About OpenID
OpenID is an authentication system that doesn't require me to give a site my username and password in order to log in. Let's see how this works in practice. For this example, http://id.northwestern.edu/kurtmckee is my OpenID URL, the OpenID service is called IDea, and I want to authenticate at a brand new Northwestern service called Hostel.
- I visit Hostel and tell the site that my OpenID URL is http://id.northwestern.edu/kurtmckee. This is the only information that I provide to Hostel in order to log in!
- Hostel redirects me to id.northwestern.edu/kurtmckee and includes information that lets IDea know how to tell Hostel whether I've authenticated at IDea or not.
- I give IDea my username and password. If my username and password are correct, IDea redirects me back to Hostel and informs Hostel that I logged in correctly. Hostel then treats me as a logged in user.
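The three steps above as a runnable sketch, added here as an illustration and not code from Northwestern or from any OpenID library. It is a simplified model of the exchange rather than the OpenID wire format: the field names, the Hostel return URL, the sample password and the pre-shared signing secret are all assumptions.

```python
import hashlib, hmac, secrets

# Constructed sample data. A real provider stores password hashes, and the
# shared secret is negotiated between the two sites, not hard-wired.
IDEA_USERS = {"http://id.northwestern.edu/kurtmckee": "correct horse"}
ASSOC_SECRET = secrets.token_bytes(32)
HOSTEL_RETURN_TO = "https://hostel.example/openid/return"  # hypothetical URL


def _sign(fields):
    # HMAC over the sorted fields, so any change to the reply breaks the signature.
    msg = "\n".join(f"{k}:{fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(ASSOC_SECRET, msg, hashlib.sha256).hexdigest()


def hostel_begin(openid_url, session):
    """Steps 1-2: Hostel receives only the URL and builds the redirect to IDea."""
    session["nonce"] = secrets.token_hex(16)
    session["claimed"] = openid_url
    return {"identity": openid_url, "return_to": HOSTEL_RETURN_TO,
            "nonce": session["nonce"]}


def idea_authenticate(request, password):
    """Step 3: the password is checked at IDea and never appears in the reply."""
    stored = IDEA_USERS.get(request["identity"])
    ok = stored is not None and hmac.compare_digest(stored.encode(), password.encode())
    reply = {"identity": request["identity"], "return_to": request["return_to"],
             "nonce": request["nonce"], "result": "ok" if ok else "cancel"}
    return {**reply, "sig": _sign(reply)}


def hostel_finish(reply, session):
    """Hostel logs the user in only if every check on IDea's reply passes."""
    fields = {k: v for k, v in reply.items() if k != "sig"}
    nonce = session.pop("nonce", None)  # single use: a replayed reply fails
    return (hmac.compare_digest(_sign(fields), reply.get("sig", ""))
            and fields.get("result") == "ok"
            and fields.get("identity") == session.get("claimed")
            and fields.get("return_to") == HOSTEL_RETURN_TO
            and nonce is not None and fields.get("nonce") == nonce)
```

Hostel's decision rests entirely on the signature, the nonce and the return address in IDea's reply, which is why the password never has to leave IDea.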
About Northwestern University
Northwestern is a Big 10 school with thousands of users. Although OpenID does not deal with identity, Northwestern is in the unique position to link authentication with identity. Further, it has the ability to give its users the immediate benefit of an OpenID URL that can be used all over the internet.
I hope Northwestern takes the ball and runs with it; this would be an incredible step towards giving its users true value.
4 comments:
So... from what I've read, basically the point of having an OpenID is so you only have one username and password to remember? Or am I completely missing something?
OpenID associates a URL with you which you then turn around and give to other sites. Zooomr uses OpenID, for instance.
The point is that, instead of Zooomr checking some arbitrary username and password, it lets some other site check your username and password (which Zooomr is never informed of).
So, it's basically decentralized authentication that you're in control of. The site software that I'm writing will use OpenID exclusively, for instance. You can see OpenID in action over at YouTube; just search for "openid".
I may just be missing something, but what is to stop, say, /me/ from using /your/ URL? It sounds like a pretty good system, even when you explained it over the phone, but I was reeaaally sleepy that night and ended up missing out on most of the conversation, even though I asked about it again right after you explained it... I still missed it. Third time is a charm?
Sure you can use my URL! ...except that when you get redirected to my site to prove that you are in control of that URL, you won't have my username and password at my site. Why don't you watch some videos, and search for articles about OpenID that are written by Simon Willison; those should clear up most of your questions.