Authentication -- about OpenID

Source: Internet
Author: User
Tags: openid

Note: This is an old text written on February 26. It was not posted on CSDN at the time, so it is being reposted here.

I heard that OpenID is one of the topics at this year's annual Internet computing conference. Website identity authentication is not a new topic; it dates back to when MS launched Passport, and even OpenID has been around for a while.

But it was only after reading Zola's enthusiastic promotion of OpenID a while back that I started to look into the technology. OpenID has real advantages of its own, but it also has some problems that are hard to get around.

First, current authentication methods can be roughly divided into three types:

1. Integrated verification. This is what most websites use: to use the site, you register an account on that site and log in with it.

2. Third-party verification, for example MS Passport. The service-providing website does not record the user's identity itself; it hands the request to a third party (such as MS) to authenticate the user.

3. Distributed verification. Taking OpenID as an example, the process is roughly this: the user uses a URL as their identity. The page at that URL points to the authentication server the user has chosen (discovered through Yadis; below I use "yadis" loosely for that server). When the user logs in to a service-providing website with this URL, the website fetches the yadis information from the URL and redirects the user to the yadis site. The user enters their password on the yadis site, and once the identity is confirmed the user is sent back to the original service-providing website with the result.

The advantage of the first type is that it is simple and convenient, and the website keeps its user base to itself. The disadvantages are just as obvious: users cannot easily remember a username and password for every website; they have to pick a different username when the one they want is already taken, and users who do not trust a website's handling of their data have to use a different password on each site.

The second type provides a single verification channel, which is much more convenient for users, and when a large company such as MS runs the verification service it is also more secure. However, websites may lose their own user base, especially websites that are likely to compete with MS. Another potential risk is that when the third-party verification fails (for example, because it is blocked by the GFW), every website that depends on it is affected too.

OpenID was born in response. The user chooses which yadis server records their identity information, and users with the means can even run one themselves, avoiding the risk of a centralized third-party service failing. The distributed verification mechanism also avoids a monopoly by large companies, which websites may find more palatable. And users can use their own unique URL everywhere, so there is no problem of a username already being taken.

So does OpenID look like the best solution?

I think it only looks good.

First, from the ease-of-use angle, the URL is usually too long: unless the user owns a domain name, a blog or personal homepage address is typically long. After entering the URL the user still has to go to the yadis site and enter the password there. (The website could of course collect the password itself and complete the verification against yadis in one step, but that means handing the yadis password to the website, the same risk as in secure payment.) This is troublesome as well.

Second, the first type of verification completes on the website itself with no extra round trips, so it responds fastest; the second type has to detour to the third-party verification site, so it is a little slower; OpenID has to visit both the user's URL and the yadis site, so it is the slowest.

Third, most users cannot run their own yadis, so in practice verification is handed to a third-party yadis, and a concentration similar to the second type is inevitable. A good number of users do not even have a blog or personal homepage, so they have to register on a site such as myopenid just to obtain a dedicated URL for OpenID. The result is not much different from the second type of verification.

Fourth, in terms of security, the yadis used by OpenID is chosen by the user, and the security of different yadis servers can vary a great deal, so the risk to the user's data remains relatively high.

Fifth, poor reliability. On the surface OpenID spreads verification across many yadis instances, which looks safe, but in fact, unless the user can put a fault-tolerant backup of yadis on the URL page (several links to yadis on the page; this is just my idea, and as to whether OpenID supports it I have not found any further information), once the user's chosen yadis fails the user can no longer log in anywhere. The biggest risk is that the user's URL page itself may become unavailable.

Looking at the risk of verification failure:

If the first type of verification fails, it only means that this website cannot be accessed; the user's access to other websites is unaffected. If the website's reliability is N (N is less than 1, say 99%), the total reliability is N.

If the second type of verification fails, every login that depends on it fails. For a single website the total reliability is N * A (A being the reliability of the verification site, say 99.99%), which is lower than the first type. Of course, since such verification sites are run by large companies, their reliability is usually very high, so the difference from the first type can be ignored.

For OpenID, verification cannot proceed if either the user's URL page or the yadis server is unavailable. For a single website the total reliability is N * U * Y (U and Y being the reliability of the user's URL page and of yadis respectively). If an mblogger page is used as the URL and its reliability is assumed to be 80%, with yadis at 95%, then the URL page and yadis together already bring it down to 0.8 * 0.95 = 76%, before even multiplying by N. Of course this is an extreme example; I don't think anyone would use a page as unreliable as mblogger as their OpenID URL, and a typical yadis should not be that unreliable (though still not as reliable as MS Passport).

Overall, however, the failure risk of OpenID is much higher than that of the first two types of verification.
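The availability arithmetic above carried through in Python, as an added example that is not part of the original post. The figures (N = 99%, A = 99.99%, U = 80%, Y = 95%) are the post's illustrative numbers, not measurements, and the components are assumed to fail independently. It goes beyond the post in one place: openid() also accepts several yadis servers so the "several links on the page" fallback from the fifth point can be priced, and yadis_needed_to_match() asks how reliable a single yadis would have to be for OpenID to match the third-party model.

```python
# Availability arithmetic for the three verification models in the post.
# Added example, not from the original post. Components are assumed
# independent, with availability in [0, 1]; a login succeeds only when every
# component on its path is up, so availabilities multiply: N, N*A, N*U*Y.


def integrated(n):
    """Type 1: only the website itself (N) has to be up."""
    return n


def third_party(n, a):
    """Type 2: the website (N) and the central verification service (A)."""
    return n * a


def openid(n, u, ys):
    """Type 3: the website (N), the user's URL page (U) and at least one of
    the yadis servers the page points to. ys holds their availabilities in
    the order they would be tried; a one-element list is the post's N*U*Y.
    The several-server case is the fallback the post's fifth point asks
    about, priced on the assumption that the relying party moves on to the
    next server when one is down."""
    if not ys:
        return 0.0
    all_down = 1.0
    for y in ys:
        all_down *= 1.0 - y
    return n * u * (1.0 - all_down)


def yadis_needed_to_match(a, u):
    """Smallest single-server availability Y with U*Y >= A, or None when
    the URL page alone (U < A) already rules out parity with type 2."""
    needed = a / u
    return needed if needed <= 1.0 else None


def compare(n=0.99, a=0.9999, u=0.80, ys=(0.95,)):
    """The three models side by side; the defaults are the post's figures."""
    return {"integrated": integrated(n),
            "third_party": third_party(n, a),
            "openid": openid(n, u, list(ys))}
```

With the post's numbers the three models come out at 99%, about 98.99% and about 75.2%; adding a second 95% yadis lifts the OpenID path to about 79%, which shows that the URL page, not the yadis server, is the term that dominates, and yadis_needed_to_match(0.9999, 0.80) returning None says the same thing: with an 80% URL page no yadis, however good, reaches Passport-level availability.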

Basically, in my opinion, OpenID fixes the shortcomings of the first two authentication methods but brings a lot of new problems of its own.

Appendix

Note: I thought Google Account was a third-party verification method like Passport, but after a few days of research I found that it only provides account access for some Google services and does not provide a user authentication service, which is a pity. Otherwise Google Account would be a better choice than OpenID.
