OpenID Connect may usher in a new era of federated online identity

OpenID Connect is designed to replace username/password authentication. The protocol, in use by Google and others, may solve governments' needs to authenticate users accessing digital services.


Identity is complicated, defined both by our social facts and personal choices. Identity may be that which makes us individual or unique, or signals that we belong to a certain group or community. Our identity speaks to who we are and how others may recognize us using our faces, eyes, fingerprints, handwriting, genes, voices, or even thought patterns. We see ourselves one way, while the outside world may have another impression entirely.

Online and off, identity may be obscured or authenticated, as people may seek, steal, and claim a dizzying range of identities across places and time. Some people may seek anonymity or persistent pseudonymity, seeking to evade censorship, repression, or prosecution, depending upon the states they live within. Others may claim public namespaces on Google, Facebook, Twitter, or other social networks that then enable them to identify themselves to other services. People who work with sensitive data or proprietary information in industry or government may use cards, tokens, and biometric scanners to verify their identity before they can access secure networks or areas.

"We all want digital identity to work," said Mike Jones, a standards architect at Microsoft who edited several OAuth 2.0 and JOSE specs at the Internet Engineering Task Force and is a board member at the OpenID Foundation.

"Identity is really interesting, because it's impossible for any one company to solve, by definition," he said, in an interview. "The reason I say that is that if I'm going to solve a digital identity problem for normal people — trying for usernames and passwords — if it only worked at Google or Microsoft or Facebook, it wouldn't solve it. Any real solution must come from a lot of places where people go to hang out online."

In between the extremes of absolute anonymity and certainty are billions of people who need simple, effective, trustworthy ways to identify themselves to use email, vote, travel across borders, go to the bank, purchase regulated products, drive motor vehicles, or establish rights to property, from copyrighted works to land.

Being able to prove that we are who we say we are matters, and we choose a wide range of ways to prove it to one another, with varying levels of certainty, depending upon how important it is that the parties know one another.

Banks might use a Social Security number and photo ID for a withdrawal but consult the Internal Revenue Service for income verification for a mortgage. When consumers conduct transactions with non-government entities, they may use membership cards in concert with credit cards, with more significant transactions leading to a credit check for a given identity at bureaus and data brokers. Online, hundreds of millions of people now use identities connected to credit accounts to buy goods or services through Apple, Amazon, Google, and a host of others offering e-commerce.

In most of the world, people prove an offline identity using official documents issued by governments. In the world's largest democracy, India, or the largest communist country, China, the key document is a national ID card. (Hundreds of millions of people in both countries do not have one.) The same approach is common in Europe, which means over half of humanity is likely to use that mechanism for identity, including online — and that's where things get trickier.

Here's the nut of this issue: governments need ways to authenticate the growing numbers of citizens going online to access digital services. Around the globe, hundreds of millions of people want digital services, increasingly provided through connected mobile devices. For instance, just think about renewing a driver's license or passport, reserving space in public parks, or accessing records. There are many approaches to providing these services.

Estonia, whose approach to e-government has led to its being hailed as the world's most tech-savvy government, provides national ID cards to its 1.3 million citizens to give them access to digital services. Many other European countries are pursuing digital national ID cards. The Indian government has gone beyond a national ID card in rolling out its "universal ID program," which, despite concerns, now operates what may well be the world's largest biometric database. Aadhaar is India's equivalent of a Social Security number; it is a 12-digit identity that can be verified through a fingerprint and a text message. To date, 630 million people, or about 52% of India's total population, have been assigned an Aadhaar number, with more to follow.

In the US, however, a national ID card has long been opposed by privacy and civil liberties advocates across the ideological spectrum. Despite recent calls to adopt a national ID card for voting or immigration, the United States hasn't adopted that scheme yet, though documents from the agencies that track births, deaths, and taxes come close.

Driven by policy needs and political realities, the Obama administration put forward a National Strategy for Trusted Identities in Cyberspace (NSTIC) in 2011 that adopted a federated approach to online identity, enabling people to use a validated identity from a private entity to identify themselves to government. Governments verify and validate identity providers under trust frameworks. After years of development, NSTIC pilots for federated identity are now being tested in Michigan and Pennsylvania, along with other locales and agencies.

"In the EU [European Union] mentality, identity can only exist if the state provides it," said then Gartner analyst Ian Glazer, in a 2011 interview. "That's inherently an un-American position. [NSTIC] is frankly an adoption of the core values of the nation. There's a rugged individualism in what we're incorporating into this strategy."

The United Kingdom tried the national ID card approach under the last administration, and saw it fail after concerns about high costs and unpopularity caused it to be scrapped in 2011. The British have now adopted a federated strategy based upon NSTIC, have funded multiple pilots, and are preparing to scale it nationally later this summer.

OpenID Connect

The digital glue that could bind many of these efforts together is likely to come from OpenID Connect, a standard, secure way for developers to enable users to choose from a variety of identity providers. If you've used a social networking account like Twitter, Facebook, or Google+ to identify yourself to an application or service, you already know how it works.

OpenID Connect is designed to replace the online identity system most familiar to hundreds of millions of people: the username and password, a combination that's been showing its age in the wake of years of data breaches. Recently, the Heartbleed bug in OpenSSL has led to the grim prospect of people having to remember and update passwords on dozens or hundreds of accounts.

The experience of journalists like Mat Honan has led him and many others to call for passwords to yield to something better. Frequently, banks and social networks have turned to multi-factor authentication, where someone has to present at least two factors, typically something they know and something they possess. For instance, a service might require a user to sign in with a username and password and then enter a code generated by a smartphone app or sent by text message. India uses biometrics as a second form of identity.

After years of development, the OpenID Foundation launched the interoperable authentication protocol in February 2014. The protocol enables developers to build a simple authentication process for users of a given service by outsourcing sign-in and identity verification to technology companies and other identity providers that specialize in the security and privacy protection measures required to protect consumers — or citizens, if the service happens to be delivered by government.
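What "outsourcing sign-in" looks like on the developer's side is mostly the validation of the ID token the identity provider hands back. The block below is an added example, not code from the OpenID Foundation or from any provider named in the article. It mints a token so the example runs offline and then performs the relying-party checks from OpenID Connect Core section 3.1.3.7: algorithm allow-list, signature, issuer, audience, expiry and age, and the nonce the relying party generated for its own login attempt. The provider URL, client ID and secret are placeholders. The token is signed with HS256 using the client secret, which the spec permits; most real providers use RS256 with keys published at a JWKS endpoint, which requires a JOSE library rather than the standard library.

```python
"""Relying-party validation of an OpenID Connect ID token.

Added example built on the standard library only. Assumptions: a
hypothetical provider at ISSUER, a client registered as CLIENT_ID with
CLIENT_SECRET, and HS256 signing with that secret.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://idp.example.com"            # placeholder provider
CLIENT_ID = "demo-client"                      # placeholder client
CLIENT_SECRET = b"demo-client-secret-placeholder"
ALLOWED_ALGS = {"HS256"}      # decided by the RP; never taken from the token
MAX_TOKEN_AGE = 300           # seconds between iat and now that we tolerate


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = CLIENT_SECRET, alg: str = "HS256") -> str:
    """Provider side, only so the example runs offline. An alg other than
    HS256 yields an unsigned token, useful for showing the alg check."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{body}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_id_token(token: str, expected_nonce: str, now: Optional[float] = None) -> dict:
    """Relying-party side: return the claims or raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # 1. Reject unexpected algorithms before looking at the signature at all.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"unacceptable alg {header.get('alg')!r}")
    expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    # 2. Issued by the provider this RP was configured to trust.
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    # 3. Intended for this client; aud may be a string or a list.
    aud = claims.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        raise ValueError("wrong audience")
    # 4. Fresh: not past exp, and not issued longer ago than we tolerate.
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if now - claims.get("iat", 0) > MAX_TOKEN_AGE:
        raise ValueError("token too old")
    # 5. Bound to this login attempt: the RP generated the nonce and stored it
    #    in the session before redirecting, so a token from another flow fails.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims


def rejection_reason(token: str, expected_nonce: str, now: float) -> Optional[str]:
    """Helper for the demo: the error message, or None when the token is accepted."""
    try:
        validate_id_token(token, expected_nonce, now=now)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    t0 = int(time.time())
    claims = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
              "exp": t0 + 600, "iat": t0, "nonce": "session-nonce-1"}
    token = mint_id_token(claims)
    print("accepted subject:", validate_id_token(token, "session-nonce-1")["sub"])
    print("alg=none rejected:", rejection_reason(mint_id_token(claims, alg="none"), "session-nonce-1", t0))
    print("other audience rejected:", rejection_reason(mint_id_token(dict(claims, aud="someone-else")), "session-nonce-1", t0))
```

The audience check is the one developers most often skip: a token the provider issued to a different client is still genuinely signed by the provider, so signature verification alone would accept it.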

"Google is betting big on OpenID Connect because it's simple for developers to understand and makes it easy to federate with identity providers," said Eric Sachs, Google's group product manager for identity, in a statement. "It also protects users by only sharing account information that users explicitly tell us to. Google offers support for OpenID Connect as an identity provider and we are excited to see how this standard will make Internet use easier for users without having to enter passwords."

In Germany, Deutsche Telekom is now the second largest email provider for Germans, as well as a major provider of telecommunications and computing services. It's also offering its users federated identity options through OpenID Connect, said Torsten Lodderstedt, product owner for identity management at Deutsche Telekom and corporate director of the OpenID Foundation, in an interview.

"We've been contributing to OAuth and OpenID Connect for four years," he went on. "We were relatively early adopters of OpenID 2.0. We develop all kinds of telecom and cloud services. We offer customers in the German market telephony, IP TV, cloud services (comparable to Dropbox), and email. We've allowed those customers to log in to services with identity federation for a long time."

Lodderstedt does not expect federated identity for government services in his country soon.

"My gut feeling tells me that the likelihood is not so high that it will work in Germany," he said. "Most e-gov services have their own solution. I don't know if they would trust industry to provide identity. Maybe for lower levels of assurance, and whether people accept the concept."

Lodderstedt does, however, expect to see OpenID Connect become the default way that enterprises and startups authenticate users.

"OpenID 2.0 is inappropriate for mobile. [The] world is full of mobile apps, and we must support them," he said. "From a technology perspective, I would assume OpenID Connect will replace OpenID 2.0 and SAML, along with a lot of OAuth-based protocols. Log in using federated identity is something we should try to see succeed. There are a lot of websites out there with poorly managed ID management. Most developers are not experts. We are. They can avoid processes around security, account registration, and password recovery. This is something we should try, and then see whether [it is] adopted in the market, and whether people accept the concept."

There are many powerful companies around the world trying it. According to OpenID, there are live production environments of Connect at Google, Gakunin, Microsoft, Ping Identity, Nikkei Newspaper, Tokyu Corporation, mixi, Yahoo! Japan, and Softbank, with mature deployments at Deutsche Telekom, AOL, and Salesforce.

This is what's used to authorize mobile apps to get resources at Google, said Jones. "Nobody knows that they're doing OpenID Connect," he explained. "It's just an interaction that works. If you're literate and aware, you'll recognize the pattern, but most don't."

Today, many public or private websites or web services require users to create a username and password. In the future, OpenID Connect could enable many more users to sign up through a professional identity provider.

"The whole philosophy, all the way," said Jones, "has been to make simple things simple and make complicated things possible when necessary."


Alex Howard writes about how shifts in technology are changing government and society. A former fellow at Harvard and Columbia, he is the founder of "E Pluribus Unum," a blog focused on open government and technology.
