Table of Contents
2. Introduction page 3
7. Challenges page 5
----------------------------------------------------------------------------------------------------------
by Arthur (Wesley) Kenzie (A00242330) page 2 of 13
Identity and Authentication in eCommerce:
What about OpenID?
1. Executive Summary
Identity and authentication are two critical pieces to any eCommerce ecosystem.
The prevailing method of requiring participants to use login IDs and passwords is past
its prime. This paper looks at how OpenID stands up to the challenge of improving
identification and authentication for participants and for eCommerce providers. We
conclude that OpenID provides compelling reasons to be considered as an alternative
technology and methodology.
2. Introduction
3. Definition: Identity
Identity and authentication are not synonymous. These are separate pieces of
information and separate processes that work together, and that in fact form an essential
duality of first stating and then proving who you are[1].
Identity is the information you provide in answer to the question “Who are you?”.
Identification is the process of stating your identity. This is usually the very first step
required when establishing a connection to another participant. It is important to
understand that this process of identifying yourself is done – or at least should be done -
with public, non-confidential identity information. As an example you could supply your
name, email address, alias, or login ID (short for “identity”) as a public, non-confidential
credential to establish who you are. None of these credentials are private, although it is
true that some identities, such as login IDs, are less public than others. However,
disclosure of any one piece of non-confidential identity information does not put you
over any kind of risk threshold, and does not undermine the integrity of any eCommerce
transaction you may be partner to.
4. Definition: Authentication
Authentication is the process of correctly answering the question “How are you
going to prove who you are?”. It is a challenge posed to you after you present your
identity, and it is expected that you can answer this challenge correctly based on some
criterion. This criterion is presumably known only by you, although often it is also
known by the other participant who posed the challenge (a web site that stores your
password, for example). Your private credentials are usually confidential things like
passwords and PINs (“personal identification numbers”).
These are separate and distinct from the identity information they are associated with.
Disclosure of confidential authentication information does have the potential to put you at
risk, and in fact the term “identity theft” usually refers to the theft of authentication
credentials, not simply theft of identity credentials.
5. Identity Theft
Identity theft and identity fraud, of course, are the scourge of eCommerce. You
simply cannot operate an eCommerce system for virtual participants when you don’t have
the ability to make each participant identifiable, and therefore accountable and
responsible for their actions. Try to imagine an online course being taught at any
educational institution, where the identity of each student and each teacher cannot be
confirmed for every single submission, posting, and grade that gets handed out. Or
consider how successful eBay could be if it had no way of knowing who is bidding and
who is selling. It would never work. And so it is that the goal of identification and
authentication is to help build confidence and trust and integrity into all parts of an
eCommerce system. This goes a long way to ensuring that participants want to stay, and
new participants are enticed to join.
However, there are plenty of sobering failures to protect identities, and failures to
successfully authenticate identities. According to the Identity Theft Resource Center[2] in
the United States for the year 2007[3], businesses who reported being victimized suffered
an average loss of over $48,000 USD[4] and individuals suffered an average out-of-pocket
loss of over $1,800 USD[5]. Javelin Strategy & Research reported[6] that in 2007 there
were 8.1 million Americans who were victimized by identity fraud, totalling $45 billion
in damages[7]. The Federal Trade Commission in the US reported[8] that there were 8.3
million Americans who were victims of identity theft in 2005[9], incurring an average out-
of-pocket loss of $371 USD[10].
6. Working Together
7. Challenges
The primary method used in most eCommerce settings is the login and password
combination. Often the login is the participant’s email address, in order to cost-
effectively send and receive an immediate confirmation of intention to join the
eCommerce site. Email has, in fact, become a very important part of eCommerce
communications because of its ubiquity and relative ease of use. Is there anyone using an
eCommerce system who does not have an email address? Not likely. The scenario
typically plays out something like this: (1) user finds eCommerce site on the Internet,
likes its purpose and possible value, is not turned off by its look, and so decides to search
out the site’s “registration” page; (2) user enters email address and name and possibly a
password of their choosing; (3) eCommerce site sends email to user asking for
confirmation that they are indeed intending to join; (4) user receives email and clicks on
specially formatted link in the body of the email taking them back to the eCommerce site,
and in so doing passing a one-time token to the target web site that lets it confirm that the
user controls that email address, and therefore that identity. If the user specified a
password when registering, then the stage is set for
all future identification and authentication between this user and this web site: the email
address is the identity, and the password is the confidential piece of data used for
authentication. The user and the eCommerce site each know the password, but no one
else does. The user and the eCommerce site each know the email address, and because it
is a public identity, so does anyone else.
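The confirmation-link step above is easy to get wrong in practice: guessable tokens, tokens that never expire or can be reused after confirmation, and passwords stored in the clear. The following Python sketch is an illustration added here; it is not code from the paper or from any particular eCommerce platform. It implements steps (2) to (4) with an unguessable single-use token, an expiry window, and a salted password hash. The in-memory stores, the outbox and the shop.example link format are constructed stand-ins for a real database, mail transport and site URL.

```python
"""Registration with e-mail confirmation (steps 2-4 of the scenario).

Added illustration, not from the paper. The dict/list 'stores' below are
constructed stand-ins for a database and a mail transport.
"""
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL = 24 * 3600        # confirmation links expire after one day (assumed policy)
PBKDF2_ROUNDS = 200_000      # work factor for the stored password hash

users = {}    # email -> account record (constructed in-memory store)
outbox = []   # (email, link) pairs a real mailer would send


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the site stores this, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def register(email, name, password, now=None):
    """Steps (2)/(3): record the pending account and mail a one-time confirmation link.
    Returns the raw token (only so a test can follow the link); None if refused."""
    now = time.time() if now is None else now
    if email in users and users[email]["confirmed"]:
        return None   # a re-registration must not take over a confirmed account
    token = secrets.token_urlsafe(32)   # unguessable, single use
    users[email] = {
        "name": name,
        "pw": hash_password(password),
        "confirmed": False,
        # only a hash of the token is stored, so a leaked table does not leak live links
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "token_expires": now + TOKEN_TTL,
    }
    link = f"https://shop.example/confirm?email={email}&token={token}"  # hypothetical URL
    outbox.append((email, link))
    return token


def confirm(email, token, now=None):
    """Step (4): following the link proves control of the mailbox, i.e. of the public identity."""
    now = time.time() if now is None else now
    rec = users.get(email)
    if rec is None or rec["confirmed"] or rec["token_hash"] is None:
        return False
    if now > rec["token_expires"]:
        return False                                   # expired link
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, rec["token_hash"]):
        return False                                   # wrong or forged token
    rec["confirmed"] = True
    rec["token_hash"] = None                           # single use
    return True


def login(email, password):
    """Identity = e-mail address (public); authentication = password (confidential)."""
    rec = users.get(email)
    if rec is None or not rec["confirmed"]:
        return False
    return verify_password(password, rec["pw"])
```

Note that the site ends up holding the password hash for every user: this is exactly the confidential material that point (5) of the OpenID discussion later in the paper lets an eCommerce provider stop storing.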
This example scenario is relatively smooth, easy and quick, from both the user’s
perspective, and from the eCommerce web site’s perspective. It is not necessarily secure,
however, and the privacy of the user’s password in this case can be compromised by
either participant. Perhaps the most difficult problem is for the user to remember the
correct password for the particular eCommerce site, and to keep the password private.
With a few passwords to remember, most of us can keep them in our heads much as we
do our home phone numbers, birth dates, cell phone and bank account PIN numbers, etc.
But the reality is such that this is no longer feasible – there are far too many logins and
passwords to remember. It is unrealistic to expect everyone to not write down their
passwords somewhere, thus breaking the very first of the ten password commandments
laid out by Dennis O’Reilly of cnet.com[11]. RSA Security Inc. produced a survey in 2005
that found 58% of US enterprise technology end users have to keep track of more than 6
passwords, and 90% of them are frustrated with the challenges of keeping track of their
passwords[12].
There are also numerous reported and anecdotal stories of help desks spending a
disproportionate amount of time helping users recover and reset passwords.[16][17][18] The
bottom line is that the time has come for the login and password duo to undergo an
extreme makeover.
9. Definition: OpenID
One increasingly popular technology that has become available in the last few
years to address many of these identity and authentication challenges is OpenID. It is an
open standard for decentralized digital identity, with open-source implementations in
many languages. eCommerce providers who choose to add support for OpenID are able to
offer their participants a much improved method of identification and authentication. The
specification and its libraries are freely available at no cost, and extensible by anyone who
wishes to add to them. In that sense OpenID is a software framework, much as .NET is a
framework provided by Microsoft specific to the Windows® platform. A framework provides the basic
software services, code and specifications that can be used as building blocks,
independent of language and platform. OpenID is not specific to Windows® as .NET is,
but rather is available for any platform that supports standard Internet protocols.
Libraries exist for a wide range of languages, such as C# and other .NET languages
(J#), PHP, Java, Perl, Python, Ruby and more[19].
What is better about OpenID? (1) There is no need for participants to keep
track of logins for each eCommerce web site. A single OpenID identity can be used
across any number of web sites that support OpenID[20]. This is a form of “Single
Sign-On” (SSO): once the user has a session with their OpenID provider, they can log in to
any OpenID-enabled eCommerce web site without presenting a credential again.
(2) There is no need to keep track of separate passwords for each eCommerce web
site. An OpenID identity has just one authentication mechanism, which can be as simple
or as sophisticated as necessary. Authentication by password is one option, but there are
no limits to how authentication can be done. One OpenID identity provider,
myopenid.com, currently offers authentication by password, by both password and phone
number[21], by Information Card[22], or by client SSL certificate[23].
(3) Authentication mechanisms are selected by the user. This means that if a user
wants to be authenticated by password, then they can easily set this up. If the choice is to
be authenticated by phone number, then every time a “login” by OpenID identity is
attempted, an immediate telephone call is made so that the user can confirm that login. If the
choice is Information Card or client SSL certificate, then passwords and phone numbers
are not needed. The user thus has more control over each use of their identity.
(4) OpenID is decentralized over the public Internet. This means that no one
directory or server or communication link functions as a choke-point, or a weak link,
which could potentially take down the entire OpenID ecosystem. (Each user’s own provider
is, however, a choke-point for that user: if it is unavailable or compromised, every site the
user logs into through it is affected.) Neither would the failure
of a single company, or the change in the business model of a single company have any
significant effect on OpenID. Users can choose from a growing number of existing
OpenID identity providers, such as MyOpenID, Google[24], VeriSign, Yahoo! and
others[25]. In addition, users can add a couple of HTML link tags (“delegation”) to their own
blog, wiki, or web site so that its URL serves as their OpenID identifier, backed by whichever
provider they choose; with a little more code, the site can act as an OpenID identity
provider itself.
(5) eCommerce sites have no need to know or store any authentication details
about their OpenID-authenticated users. This means that eCommerce sites can never
lose or accidentally disclose these confidential pieces of information about their users,
and are therefore a less attractive target for attackers looking to steal credentials.
(6) OpenID identity providers have responsibility for resetting and recovering
passwords, so that eCommerce providers no longer have to deal with this time consuming
and costly task.
(8) OpenID supports sharing of selected identity profile data (through its Simple
Registration and Attribute Exchange extensions), so that users can specify things like
“preferred language” and “name” in their profile, and then have these automatically passed
to the eCommerce web site when they authenticate. The eCommerce provider thus learns
more about each new participant, and again gets to offload the design, development,
support, security and integrity of some user profile data it would otherwise have to take
care of itself. It is even conceivable that all personally identifiable data could be kept on
the OpenID identity provider’s web site, further protecting the eCommerce provider from
potential breaches of security and privacy.
(9) Adding support for OpenID can be done incrementally, on top of any existing
identity and authentication infrastructure used by the eCommerce provider. There is no
requirement to rip out and replace what is already being used.
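Points (1), (4) and (5) above rest on how an OpenID 2.0 assertion is produced and checked: the provider signs its response with a MAC key it shares with the eCommerce site (the “relying party”) during association, and the site verifies the signature, the return address and a one-time nonce without ever seeing the user’s password. The Python below is an illustration added here of that exchange with both sides’ messages; it is not code from the paper or from any OpenID library. The association (shared key and handle) is assumed to be already established, and the op.example and shop.example hosts are hypothetical.

```python
"""OpenID 2.0 positive assertion: the provider (OP) signs it, the relying party
(RP, the eCommerce site) checks it. Added illustration, not from the paper or
any OpenID library. The association is assumed already set up; hosts are
hypothetical."""
import base64
import calendar
import hashlib
import hmac
import secrets
import time

OPENID_NS = "http://specs.openid.net/auth/2.0"
# Fields an OpenID 2.0 positive assertion must cover with its signature.
MUST_SIGN = ("op_endpoint", "return_to", "response_nonce", "assoc_handle",
             "claimed_id", "identity")


def kv_form(params, signed):
    """Key-Value form encoding used as the HMAC input: 'key:value\\n' per signed
    field, in openid.signed order, keys without the 'openid.' prefix."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed).encode()


def sign(mac_key, params, signed):
    """HMAC-SHA256 (association type HMAC-SHA256), base64 as in openid.sig."""
    mac = hmac.new(mac_key, kv_form(params, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def op_issue_assertion(mac_key, assoc_handle, op_endpoint, claimed_id, return_to, now=None):
    """Provider side. Runs after the user authenticated to the provider by whatever
    method they chose; that credential is never forwarded to the site."""
    ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        # UTC timestamp prefix + unique suffix: the RP can bound it and de-duplicate it
        "openid.response_nonce": ts + secrets.token_urlsafe(8),
        "openid.assoc_handle": assoc_handle,
        "openid.signed": ",".join(MUST_SIGN),
    }
    params["openid.sig"] = sign(mac_key, params, MUST_SIGN)
    return params   # sent back to the RP as query parameters on return_to


def rp_verify_assertion(params, associations, expected_return_to, expected_op,
                        seen_nonces, now=None, max_skew=300):
    """Relying-party side. Returns (ok, reason-or-claimed_id). 'associations' maps
    handle -> MAC key from an earlier association; 'seen_nonces' is a set the RP
    keeps for at least max_skew seconds."""
    if params.get("openid.ns") != OPENID_NS or params.get("openid.mode") != "id_res":
        return False, "not a 2.0 positive assertion"
    if params.get("openid.return_to") != expected_return_to:
        return False, "return_to mismatch"
    if params.get("openid.op_endpoint") != expected_op:
        return False, "op_endpoint does not match discovery"
    mac_key = associations.get(params.get("openid.assoc_handle"))
    if mac_key is None:
        # A stateless RP would fall back to a direct check_authentication request
        # to the provider here; this example simply refuses unknown handles.
        return False, "unknown association handle"
    signed = params.get("openid.signed", "").split(",")
    if not set(MUST_SIGN) <= set(signed):
        return False, "required field not covered by signature"
    if any("openid." + k not in params for k in signed):
        return False, "signed field missing from response"
    expected = sign(mac_key, params, signed)
    if not hmac.compare_digest(expected.encode(), str(params.get("openid.sig", "")).encode()):
        return False, "bad signature"
    nonce = params["openid.response_nonce"]
    try:
        issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return False, "malformed nonce"
    now = time.time() if now is None else now
    if abs(now - issued) > max_skew:
        return False, "stale nonce"
    if nonce in seen_nonces:
        return False, "replayed nonce"      # the same assertion must not log in twice
    seen_nonces.add(nonce)
    return True, params["openid.claimed_id"]
```

Two design points matter for the claims in the text. The RP holds only the association key and the list of nonces it has seen, never a user credential, which is what makes point (5) true. And the checks on return_to, op_endpoint and the nonce are what stop an attacker from reusing a captured assertion or steering it to a different site; an RP that skipped them would be accepting a signed message without checking who it was for.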
10. Conclusions
11. References
[1] Microsoft. (2009). “It’s Me, and Here’s My Proof: Why Identity and Authentication Must Remain Distinct”. http://technet.microsoft.com/en-us/library/cc512578.aspx# (Accessed March 15, 2009)
[3] Survey conducted by the Identity Theft Resource Center. (2008). “Identity Theft: The Aftermath 2007”. http://www.idtheftcenter.org/artman2/uploads/1/Aftermath_2007_20080529v2_1.pdf (Accessed March 16, 2009)
[4] Ibid., at 3
[5] Ibid., at 17
[6] Survey conducted by Javelin Strategy & Research. (2008). “2008 Identity Fraud Survey Report Consumer Version”. http://www.idsafety.net/803.R_2008%20Identity%20Fraud%20Survey%20Report_Consumer%20Version.pdf (Accessed March 16, 2009)
[7] Ibid., at 5
[8] Survey conducted by Synovate for the Federal Trade Commission. (2007). “2006 Identity Theft Survey Report”. http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf (Accessed March 16, 2009)
[9] Ibid., at 3
[10] Ibid., at 9
[11] Worker’s Edge. (2008). “Keep your data safe by following the Password Commandments”. http://news.cnet.com/8301-13880_3-9878333-68.html (Accessed March 16, 2009)
[12] Survey conducted by RSA Security Inc. (2005). “RSA Security Survey Reveals Multiple Passwords Creating Security Risks and End User Frustration”. http://www.rsa.com/press_release.aspx?id=6095 (Accessed March 16, 2009)
[13] Schneier, Bruce. (2009). “The secret question is: why do IT systems use insecure passwords?”. http://www.guardian.co.uk/technology/2009/feb/19/insecure-passwords-conflickerb-worm (Accessed March 17, 2009)
[14] Ibid.
[16] PistolStar Inc. Case Study. (2007). “Manufacturing: Lotus Notes ID Password Management”. http://www.pistolstar.com/customers/CaseStudies/Food-Manufacturer.pdf (Accessed March 17, 2009)
[18] Survey conducted by eMedia for Siber Systems Inc. (2007). “Password Management Survey”. http://www.roboform.com/enterprise/download/survey.html (Accessed March 17, 2009)
[21] Ellin, Brian. (2008). “Phone-Based Two-Factor Authentication Now Available for OpenID”. http://blog.janrain.com/2008/05/phone-based-two-factor-authentication.html (Accessed March 17, 2009)
[23] Graves, Michael. (2007). “And Then There Were None – Zero Passwords with Client Certificates”. http://blog.janrain.com/2007/04/and-then-there-were-none-zero-passwords.html (Accessed March 17, 2009)
[24] Google, Inc. (2009). “Federated Login for Google Account Users”. http://code.google.com/apis/accounts/docs/OpenID.html (Accessed March 17, 2009)