Identity and Authentication in eCommerce:

What about OpenID?

Course: BUSA 3455

Instructor: John Foster

Written By: Arthur (Wesley) Kenzie

BCIT Student ID: A00242330

Date: March 2009


Table of Contents

1. Executive Summary page 3

2. Introduction page 3

3. Definition: Identity page 3

4. Definition: Authentication page 4

5. Identity Theft page 4

6. Working Together page 5

7. Challenges page 5

8. Logins and Passwords page 6

9. Definition: OpenID page 7

10. Advantages of OpenID page 8

11. Conclusions page 10

12. References page 11

----------------------------------------------------------------------------------------------------------
by Arthur (Wesley) Kenzie (A00242330) page 2 of 13

1. Executive Summary

Identity and authentication are two critical pieces of any eCommerce ecosystem.
The prevailing method of requiring participants to use login IDs and passwords is past
its prime. This paper looks at how OpenID stands up to the challenge of improving
identification and authentication for participants and for eCommerce providers. We
conclude that OpenID provides compelling reasons to be considered as an alternative
technology and methodology.

2. Introduction

In any eCommerce ecosystem, the identity and authentication of each participant
in the buying, selling and intermediating functions is of vital importance. This importance
is not unique to eCommerce, but its relative importance in a primarily virtual world is
magnified by the fact that most eCommerce functions and interactions do not require any
physical presence. This presents a number of challenges for eCommerce providers. It is
not as simple as it once was in earlier times when the corner stores could recognize their
customers on a first name basis when they came in for their supplies.

3. Definition: Identity

Identity and authentication are not synonymous. These are separate pieces of
information and separate processes that work together, and that in fact form an essential
duality of first stating and then proving who you are[1].

Identity is the information you provide in answer to the question “Who are you?”.
Identification is the process of stating your identity. This is usually the very first step
required when establishing a connection to another participant. It is important to
understand that this process of identifying yourself is done – or at least should be done -
with public, non-confidential identity information. As an example you could supply your
name, email address, alias, or login ID (short for “identity”) as a public, non-confidential
credential to establish who you are. None of these credentials are private, although it is
true that some identities, such as login IDs, are less public than others. However,
disclosure of any one piece of non-confidential identity information does not put you
over any kind of risk threshold, and does not undermine the integrity of any eCommerce
transaction you may be party to.

4. Definition: Authentication

Authentication is the process of correctly answering the question “How are you
going to prove who you are?”. It is a challenge posed to you after you present your
identity, and it is expected that you can answer this challenge correctly based on some
sort of criteria. These criteria are presumably known only to you, although often they are
also known to the other participant who posed the challenge. Your private credentials are
usually confidential things like passwords and PINs (“personal identification numbers”).
These are separate and distinct from the identity information they are associated with.
Disclosure of confidential authentication information does have the potential to put you at
risk, and in fact the term “identity theft” usually refers to the theft of authentication
credentials, not simply theft of identity credentials.

5. Identity Theft

Identity theft and identity fraud, of course, are the scourge of eCommerce. You
simply cannot operate an eCommerce system for virtual participants when you don’t have
the ability to make each participant identifiable, and therefore accountable and
responsible for their actions. Try to imagine an online course being taught at any
educational institution, where the identity of each student and each teacher cannot be
confirmed for every single submission, posting, and grade that gets handed out. Or
consider how successful eBay could be if it had no way of knowing who is bidding and
who is selling. It would never work. And so it is that the goal of identification and
authentication is to help build confidence and trust and integrity into all parts of an
eCommerce system. This goes a long way to ensuring that participants want to stay, and
new participants are enticed to join.


However, there are plenty of sobering failures to protect identities, and failures to
successfully authenticate identities. According to the Identity Theft Resource Center[2] in
the United States for the year 2007[3], businesses that reported being victimized suffered
an average loss of over $48,000 USD[4] and individuals suffered an average out-of-pocket
loss of over $1,800 USD[5]. Javelin Strategy & Research reported[6] that in 2007 there
were 8.1 million Americans who were victimized by identity fraud, totalling $45 billion
in damages[7]. The Federal Trade Commission in the US reported[8] that there were 8.3
million Americans who were victims of identity theft in 2005[9], incurring an average out-
of-pocket loss of $371 USD[10].

6. Working Together

In order to have any chance of success, identification and authentication have to
work together. Neither one is sufficient on its own. The problem with having only a
non-confidential identity is that it is trivial to pretend to be someone else. You could,
theoretically, login to amazon.com as larry@oracle.com or barack@whitehouse.gov or
jimmy@jimpattison.com and try to stock up for next Christmas without anyone being the
wiser. Nice. On the other hand, with the need for only a private credential you could
surely guess that someone somewhere has picked a secret password “password” or maybe
“pa55w0rd” or even “123456” and voilà, another successful scam could be waiting at
your fingertips.

7. Challenges

The challenges facing eCommerce providers with regards to identity and
authentication are: (1) to do it smoothly, easily and quickly from each participant’s
perspective; and (2) to do it securely in order to respect each participant’s current and
future privacy needs. Answering these challenges will enable an eCommerce site to
attract more customers, which means they will have won a significant part of the battle in
the quest for success. Failure translates into lost customers, which ultimately will cause
failure of the eCommerce provider’s business model.


8. Logins and Passwords

The primary method used in most eCommerce settings is the login and password
combination. Often the login is the participant’s email address, in order to cost-
effectively send and receive an immediate confirmation of intention to join the
eCommerce site. Email has, in fact, become a very important part of eCommerce
communications because of its ubiquity and relative ease of use. Is there anyone using an
eCommerce system who does not have an email address? Not likely. The scenario
typically plays out something like this: (1) user finds eCommerce site on the Internet,
likes its purpose and possible value, is not turned off by its look, and so decides to search
out the site’s “registration” page; (2) user enters email address and name and possibly a
password of their choosing; (3) eCommerce site sends email to user asking for
confirmation that they are indeed intending to join; (4) user receives email and clicks on
specially formatted link in the body of the email taking them back to the eCommerce site,
and in so doing passing information to the target web site that allows it to confirm the
user’s identity. If the user specified a password when registering, then the stage is set for
all future identification and authentication between this user and this web site: the email
address is the identity, and the password is the confidential piece of data used for
authentication. The user and the eCommerce site each know the password, but no one
else does. The user and the eCommerce site each know the email address, and because it
is a public identity, so does anyone else.
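The four-step registration scenario above, modelled on the server side as an added example (this is not code from the paper). It assumes a single in-memory store, a server-held signing key and the constructed site address shop.example; the confirmation link carries an HMAC-signed, expiring token, and the site keeps only a salted hash of the password, so a breach of the site does not disclose the password itself.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SERVER_SECRET = secrets.token_bytes(32)   # constructed: key that signs confirmation links
CONFIRM_TTL = 24 * 3600                   # a confirmation link is valid for one day
SITE = "https://shop.example"             # constructed eCommerce site address
_users = {}                               # email -> {"salt", "hash", "confirmed"}

def _hash_password(password, salt):
    # The site keeps a salted, slow hash, never the password itself, so a
    # breach of the site does not hand the password to whoever took the data.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(email, password, now=None):
    # Steps (2) and (3): record the pending account, then build the
    # "specially formatted link" that the confirmation e-mail carries.
    now = time.time() if now is None else now
    salt = os.urandom(16)
    _users[email] = {"salt": salt, "hash": _hash_password(password, salt), "confirmed": False}
    payload = f"{email}|{int(now) + CONFIRM_TTL}".encode()
    tag = hmac.new(SERVER_SECRET, payload, "sha256").digest()
    token = base64.urlsafe_b64encode(payload + tag).decode().rstrip("=")
    return SITE + "/confirm?" + urlencode({"t": token})

def confirm(link, now=None):
    # Step (4): the clicked link comes back; accept it only if the site's own
    # signature is intact, the link has not expired and the account exists.
    now = time.time() if now is None else now
    token = parse_qs(urlsplit(link).query).get("t", [""])[0]
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        payload, tag = raw[:-32], raw[-32:]
        expected = hmac.new(SERVER_SECRET, payload, "sha256").digest()
        if not hmac.compare_digest(expected, tag):
            return False                     # forged or altered link
        email, expires = payload.decode().rsplit("|", 1)
        expires = int(expires)
    except ValueError:
        return False                         # undecodable token
    if now > expires or email not in _users:
        return False                         # stale link or unknown account
    _users[email]["confirmed"] = True
    return True

def login(email, password):
    # Every later visit: the e-mail address is the identity, the password the
    # confidential authenticator, compared in constant time against the hash.
    rec = _users.get(email)
    if rec is None or not rec["confirmed"]:
        return False
    return hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"])
```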

This example scenario is relatively smooth, easy and quick, from both the user’s
perspective, and from the eCommerce web site’s perspective. It is not necessarily secure,
however, and the privacy of the user’s password in this case can be compromised by
either participant. Perhaps the most difficult problem is for the user to remember the
correct password for the particular eCommerce site, and to keep the password private.
With a few passwords to remember, most of us can keep them in our heads much as we
do our home phone numbers, birth dates, cell phone and bank account PIN numbers, etc.
But the reality is such that this is no longer feasible – there are far too many logins and
passwords to remember. It is unrealistic to expect everyone to not write down their
passwords somewhere, thus breaking the very first of the ten password commandments
laid out by Dennis O’Reilly of cnet.com[11]. RSA Security Inc. produced a survey in 2005
that found 58% of US enterprise technology end users have to keep track of more than 6
passwords, and 90% of them are frustrated with the challenges of keeping track of their
passwords[12].

The proliferation of passwords has resulted in many passwords being vulnerable
to guessing, as a direct consequence of users needing to ease the burden of remembering
each and every one of them. Preying on this inherent weakness of many passwords, the
Conficker.B worm (also known as the “Downadup” or “Kido” virus) has been very
recently “spreading like wildfire across the Internet, infecting the French Navy, hospitals
in Sheffield [England], the court system in Houston, Texas, and millions of computers
worldwide.”[13] This virus also shut down most of the Vancouver School Board
computers for several weeks earlier this year[15]. Consider that this virus was able to
spread so easily by using a list of only 200 common passwords[14].

There are also numerous reported and anecdotal stories of help desks spending a
disproportionate amount of time helping users recover and reset passwords.[16][17][18] The
bottom line is that the time has come for the login and password duo to undergo an
extreme makeover.

9. Definition: OpenID

One increasingly popular technology that has become available in the last few
years to address many of the challenges of identity and authentication is OpenID. It is an
open source software framework for providing digital identity services. eCommerce
providers who choose to add support for OpenID services are able to offer their
participants a much improved method of identification and authentication. OpenID is
open source, and therefore available at no cost, and extensible by anyone who wishes to
add to it. It is a software framework in the same sense as .NET is a framework provided
by Microsoft specific to the Windows® platform. A framework provides the basic
software services, code and specifications that can be used as building blocks,
independent of language and platform. The OpenID framework is not specific to
Windows® as .NET is, but rather is available for any platform that supports standard
Internet protocols. It also supports a wide range of languages such as C#, J#, .NET, PHP,
Java, Perl, Python, Ruby and more[19].

10. Advantages of OpenID

What is better about OpenID? (1) There is no need for participants to keep
track of logins for each eCommerce web site. A single OpenID identity can be used
across any number of web sites that support OpenID[20]. This is also known as “Single
Sign-On” or SSO, which means that users can login once, and then roam to any OpenID-
enabled eCommerce web site.

(2) There is no need to keep track of separate passwords for each eCommerce web
site. An OpenID identity has just one authentication mechanism, which can be as simple
or as sophisticated as necessary. Authentication by password is one option, but there are
no limits to how authentication can be done. One OpenID identity provider,
myopenid.com, currently offers authentication by password, by both password and phone
number[21], by Information Card[22], or by client SSL certificate[23].

(3) Authentication mechanisms are selected by the user. This means that if a user
wants to be authenticated by password, then they can easily set this up. If the choice is to
be authenticated by phone number, then every time a “login” by OpenID identity is
attempted, an immediate telephone call is made to allow you to confirm that login. If the
choice is Information Card or client SSL certificate, then passwords and phone numbers
are not needed. The user thus has more control over each use of their identity.

(4) OpenID is decentralized over the public Internet. This means that no one
directory or server or communication link functions as a choke-point, or a weak link,
which could potentially take down the entire OpenID service. Neither would the failure
of a single company, or the change in the business model of a single company have any
significant effect on OpenID. Users can choose from a growing number of existing
OpenID identity providers, such as MyOpenID, Google[24], VeriSign, Yahoo! and
others[25]. In addition, users can add a relatively minor bit of code to their own blog, wiki,
or web site in order to enable it to function as an OpenID identity provider.

(5) eCommerce sites have no need to know or store any authentication details
about their OpenID-authenticated users. This means that eCommerce sites can never
lose or accidentally disclose these confidential pieces of information about their users.
They are therefore less of a target for hackers looking to steal identities.

(6) OpenID identity providers have responsibility for resetting and recovering
passwords, so that eCommerce providers no longer have to deal with this time consuming
and costly task.

(7) eCommerce sites have no need to develop or support additional authentication
methods that might be required in the future. Development, quality assurance and support
of things like biometric readers, hardware tokens, and smart cards can be offloaded to the
OpenID identity provider ecosystem.

(8) OpenID supports sharing of selected identity profile data, so that users can
specify things like “preferred language” and “name” in their profile, and then have this
automatically passed to the eCommerce web site when they authenticate. The
eCommerce provider thus learns more about each new participant, and again gets to
offload design, development, support, security and integrity of some user profile data it
would otherwise have to take care of itself. It is even conceivable that all personally
identifiable data could be kept on the OpenID identity provider’s web site, further
protecting the eCommerce provider from potential breaches of security and privacy.

(9) Adding support for OpenID can be done incrementally, on top of any existing
identity and authentication infrastructure used by the eCommerce provider. There is no
requirement to rip out and replace what is already being used.
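A minimal model of the point behind advantages (5) and (6): the eCommerce site (the OpenID “relying party”) holds no passwords, only the association key it shares with the identity provider, and accepts a login only when the provider’s signed assertion checks out. This is an added example, not code from the paper or the OpenID project; the association secret, handle and URLs are constructed, and discovery, the association exchange and the browser redirects of the real protocol are left out.

```python
import base64
import hmac
import secrets
import time

ASSOC_SECRET = secrets.token_bytes(32)   # constructed: key shared with the provider
ASSOC_HANDLE = "assoc-demo-1"             # constructed handle naming that key
RP_RETURN_TO = "https://shop.example/openid/return"   # constructed site address

def kv_sign(fields, signed, secret):
    # OpenID 2.0 signing: HMAC over the Key-Value form ("key:value\n") of the
    # fields listed in openid.signed, in that order, "openid." prefix dropped.
    body = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()
    return base64.b64encode(hmac.new(secret, body, "sha256").digest()).decode()

def provider_assertion(claimed_id):
    # What the identity provider returns after it has authenticated the user
    # (by password, phone, Information Card or certificate; the site never sees it).
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://provider.example/openid",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": RP_RETURN_TO,
        "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
                                 + secrets.token_hex(4),
        "openid.assoc_handle": ASSOC_HANDLE,
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = kv_sign(fields, signed, ASSOC_SECRET)
    return fields

class RelyingParty:
    # Stores no user secrets at all: just the association key and seen nonces.
    def __init__(self):
        self.seen_nonces = set()

    def verify(self, msg):
        # Returns the authenticated claimed_id, or None if the assertion is rejected.
        if msg.get("openid.mode") != "id_res":
            return None
        if msg.get("openid.return_to") != RP_RETURN_TO:
            return None                    # assertion was issued for another site
        if msg.get("openid.assoc_handle") != ASSOC_HANDLE:
            return None                    # unknown association, cannot verify
        signed = msg.get("openid.signed", "").split(",")
        required = {"op_endpoint", "return_to", "response_nonce",
                    "assoc_handle", "claimed_id", "identity"}
        if not required.issubset(signed):
            return None                    # an unsigned field could be altered
        try:
            expected = kv_sign(msg, signed, ASSOC_SECRET)
        except KeyError:
            return None                    # a signed field is missing
        if not hmac.compare_digest(expected, msg.get("openid.sig", "")):
            return None                    # signature does not match
        nonce = msg["openid.response_nonce"]
        if nonce in self.seen_nonces:
            return None                    # replayed assertion
        self.seen_nonces.add(nonce)
        return msg["openid.claimed_id"]
```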


11. Conclusions

eCommerce providers need to seriously look at improving their identity and
authentication processes and technology to simplify registration and login procedures for
their participants. There are an increasing number and severity of problems associated with
“password proliferation syndrome” where users are required to remember more and more
passwords. OpenID is a leading candidate - likely the leading candidate - to greatly
improve the user experience and to remove costs and complexity out of eCommerce web
site design, development, quality control, operation and support. OpenID frees up
eCommerce participants from having to remember separate identities and authentications.
It also frees up the eCommerce web site from having to track and safeguard
authentication data, and it makes available additional authentication options at no cost to
the eCommerce provider. The advantages of implementing OpenID are numerous and
substantial.


12. References

[1] Microsoft. (2009). “It’s Me, and Here’s My Proof: Why Identity and Authentication
Must Remain Distinct”. http://technet.microsoft.com/en-us/library/cc512578.aspx#
(Accessed March 15, 2009)

[2] Internet web site. (2009). “Identity Theft Resource Center”.
http://www.idtheftcenter.org (Accessed March 16, 2009)

[3] Survey conducted by the Identity Theft Resource Center. (2008). “Identity Theft: The
Aftermath 2007”.
http://www.idtheftcenter.org/artman2/uploads/1/Aftermath_2007_20080529v2_1.pdf
(Accessed March 16, 2009)

[4] Ibid., at 3

[5] Ibid., at 17

[6] Survey conducted by Javelin Strategy & Research. (2008). “2008 Identity Fraud
Survey Report Consumer Version”.
http://www.idsafety.net/803.R_2008%20Identity%20Fraud%20Survey%20Report_Cons
umer%20Version.pdf (Accessed March 16, 2009)

[7] Ibid., at 5

[8] Survey conducted by Synovate for the Federal Trade Commission. (2007). “2006
Identity Theft Survey Report”.
http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf (Accessed March
16, 2009)

[9] Ibid., at 3

[10] Ibid., at 9


[11] Worker’s Edge. (2008). “Keep your data safe by following the Password
Commandments”. http://news.cnet.com/8301-13880_3-9878333-68.html (Accessed
March 16, 2009)

[12] Survey conducted by RSA Security Inc. (2005). “RSA Security Survey Reveals
Multiple Passwords Creating Security Risks and End User Frustration”.
http://www.rsa.com/press_release.aspx?id=6095 (Accessed March 16, 2009)

[13] Schneier, Bruce. (2009). “The secret question is: why do IT systems use insecure
passwords?”. http://www.guardian.co.uk/technology/2009/feb/19/insecure-passwords-
conflickerb-worm (Accessed March 17, 2009)

[14] Ibid.

[15] Zisman, Alan. (2009). “Lessons from another malware meltdown”.
http://www.zisman.ca/Articles/2009/BIV1005.html (Accessed March 17, 2009)

[16] PistolStar Inc. Case Study. (2007). “Manufacturing: Lotus Notes ID Password
Management”. http://www.pistolstar.com/customers/CaseStudies/Food-Manufacturer.pdf
(Accessed March 17, 2009)

[17] Eller, Riley “Caezar”. (2002). “Aggressive Security Revisited”, p. 11.
http://www.blackhat.com/presentations/bh-asia-02/bh-asia-02-caezar.pdf (Accessed
March 17, 2009)

[18] Survey conducted by eMedia for Siber Systems Inc. (2007). “Password Management
Survey”. http://www.roboform.com/enterprise/download/survey.html (Accessed March
17, 2009)

[19] Tomlinson, Scott. (2009). “OpenID Wiki: Libraries”. http://wiki.openid.net/Libraries
(Accessed March 17, 2009)


[20] OpenID Foundation. (2009). “What is OpenID?”. http://openid.net/what/ (Accessed
March 13, 2009)

[21] Ellin, Brian. (2008). “Phone-Based Two-Factor Authentication Now Available for
OpenID”. http://blog.janrain.com/2008/05/phone-based-two-factor-authentication.html
(Accessed March 17, 2009)

[22] Fox, Kevin. (2007). “MyOpenID Adds Information Card Support”.
http://blog.janrain.com/2007/10/myopenid-adds-information-card-support.html
(Accessed March 17, 2009)

[23] Graves, Michael. (2007). “And Then There Were None – Zero Passwords with
Client Certificates”. http://blog.janrain.com/2007/04/and-then-there-were-none-zero-
passwords.html (Accessed March 17, 2009)

[24] Google, Inc. (2009). “Federated Login for Google Account Users”.
http://code.google.com/apis/accounts/docs/OpenID.html (Accessed March 17, 2009)

[25] Wikipedia. (2009). “List of OpenID providers”.
http://en.wikipedia.org/wiki/List_of_OpenID_providers (Accessed March 17, 2009)
