The "Sign-in with Facebook" problem and the open source solution


Managing accounts, credentials and personal information on the Internet has become a nightmare. Almost every website today encourages users to register, or even requires them to do so to be able to access content. They usually want some combination of your email, a password, your name and date of birth. This information is always the same, yet you spend your time typing it again and again, then double checking it for mistakes and correcting typos before pressing Enter and being granted access.

And you often reuse the same password that you already used for countless other websites, because there are only so many passwords that you can remember – until you find a website with an annoying password policy that your ordinary password does not meet, and then you have to add a punctuation symbol, a Greek letter and a B flat note played on a horn.

Some people try to solve this by using password managers, such as the ones included in modern browsers – and then they have to remember and secure the password to their password manager, and there is no way to recover their accounts if they lose it; and if they end up using someone else’s device, or a PC in an Internet café, they cannot log in anywhere, as they do not know any of their passwords any more. So they will save their credentials on their mobile phone, which then gets stolen, putting all their online affairs at risk.

Today, in the U.S. alone, the average email address is associated with 130 accounts, according to Digital Guardian’s recent research. Dashlane estimates that the average number of accounts per user will be 207 in 2020.

So how can the 4.1 billion global Internet users maintain a secure and convenient login process when managing between 100 and 200 accounts?

A convenient option has been gaining ground: Internet-wide single sign-on services run by the big over-the-top (OTT) platforms. The need for a simple solution is so strong that almost all websites quickly started to let you “login with Google” or “login with Facebook”. Or with Twitter. Or with all of them: just pick one from a list of ten providers and use its credentials.

This is a step forward, since you only need to remember the passwords to your social network accounts and can use them everywhere else. However, it poses a huge risk to your privacy: do you really want a monopolistic conglomerate, whose business is based on monetising user information, to know every place you log into, track you as you move among these services, and exchange information about you with them?

This is why an effort has started to create an identity management platform that works just like those of the OTTs, but empowers the user rather than the provider, protects the user’s privacy and digital freedoms, and is based on an open, public standard that allows any number of parties to supply identities to users, making all these identities interoperable.

Enter ID4me

There is obviously a strong need for a universal digital identity providing login and data access. The process should be fast, with no complex passwords to remember. There is a bright future for open single sign-on technologies that respect users’ privacy. That means the user decides who is given access to their data and is able to withdraw this consent at any time.

The effort was started by three companies in Germany – Open-Xchange, 1&1 and Denic – but has quickly gained international support, especially in the domain name industry. It is based on an existing standard, OpenID Connect, that Google and Facebook are using as well, but it uses the Domain Name System (DNS) – the distributed public database that allows you to type an address in your browser and actually get to a server somewhere else on the globe – to add the interoperability features that are necessary to allow many more identity providers.

The name of the effort is ID4me, and its hub is the website at https://id4me.org/; everything is published there, and also submitted to the IETF and the OpenID Foundation for possible standardisation.

ID4me allows you to use your own email address as an identifier, or a hostname in an existing domain name. If you own a personal domain name, you actually own your identifier and your identity, and you can move them freely to a different provider; no one can lock you in and force you to let them monetise your data in exchange for the service. If you lose trust in your identity provider, just move your identity and your accounts somewhere else.

Apart from ID4me, no other public, open, federated, privacy-friendly, user-centred identity management standard exists. ID4me is an open group of Internet service providers, software developers and other entities that care about the future of the Internet and want to defend its distributed and federated architecture as far as digital identities are concerned.

The initiative’s mission is to provide end users with open and internationally available identity services, adhering to security and data protection standards, which foster user choice and avoid identity lock-ins.

To do so, ID4me strives to set up an open federation of identity providers that commit to an open, transparent and binding policy framework around the ID4me standard. Leveraging this framework, ID4me will be able to enforce its mission and to be held accountable to it.

In ID4me, any number of identity providers can exist; you could even run yours off your own server. Websites only need to implement the client part of the standard once, and any identity from any source immediately works.
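The DNS-based discovery step that makes this work, as an added example (not code from this article or from the ID4me project): a relying party maps a hostname identifier to its `_openid` TXT record and validates the record before trusting the identity authority it names. The record layout `v=OID1;iss=…;clp=…` is taken from the ID4me draft rather than from this page, the DNS answers are constructed so the code runs offline, and only hostname identifiers are handled (the email form is left out).

```python
import re

# Constructed DNS answers standing in for live lookups (not real zones).
CONSTRUCTED_DNS = {
    "_openid.alice.example.com.": ["v=OID1;iss=id.authority.example;clp=agent.example"],
    "_openid.bob.example.org.": ["v=OID1;clp=agent.example"],          # no issuer at all
    "_openid.eve.example.net.": ["v=OID9;iss=id.authority.example"],   # unknown version
}

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_hostname(name):
    """True for a syntactically valid multi-label hostname (trailing dot allowed)."""
    labels = name.rstrip(".").lower().split(".")
    return len(labels) >= 2 and all(_LABEL.match(lbl) for lbl in labels)


def lookup_name(identifier):
    """Map a hostname identifier to the _openid owner name its record lives at."""
    if not is_hostname(identifier):
        raise ValueError("only hostname identifiers are handled here")
    return "_openid." + identifier.rstrip(".").lower() + "."


def parse_record(txt):
    """Parse 'v=OID1;iss=...;clp=...' into a dict, rejecting unusable records."""
    fields = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    if fields.get("v") != "OID1":
        raise ValueError("unsupported record version: %r" % fields.get("v"))
    # The issuer is what the client will later contact, so it must be a real name.
    if not is_hostname(fields.get("iss", "")):
        raise ValueError("record has no valid issuer (iss)")
    return fields


def discover(identifier, resolve=lambda name: CONSTRUCTED_DNS.get(name, [])):
    """Return the issuer hostname for the identifier, or None if discovery fails.

    `resolve` is a hook for a real resolver; in production it should return only
    DNSSEC-validated answers, since the record decides who authenticates the user.
    """
    for txt in resolve(lookup_name(identifier)):
        try:
            return parse_record(txt)["iss"]
        except ValueError:
            continue  # skip malformed records rather than trusting them
    return None
```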

Users are also in control of their information. Every time a user wants to log into a website for the first time, there is no need to register; instead, users will identify themselves and decide what to share with the website, authorising only specific pieces of information as desired. Users could even have more than one identity for different purposes – a business and a personal one, for example.

We think that this is not just useful, but crucial for the future of the Internet. If no open standard exists for this, our identities will be trapped forever in a few walled gardens owned by a few companies, and we will lose freedom and privacy.

Vittorio Bertola, Head of Policy & Innovation, Open-Xchange
Image credit: Frank_Peters / Shutterstock