OpenID: Forget all of Those Passwords

Sometimes it can be annoying to have to remember several different passwords to the numerous websites that you visit frequently. Due to this reason, that is why OpenID exists.

Sometimes it can be annoying to have to remember several different passwords to the numerous websites that you visit frequently. Due to this reason, that is why OpenID exists

What is OpenID?

OpenID gives users the ability to access multiple websites with only one password. Users have the option to calibrate information with their OpenID that they will allow communicating with certain websites. Thus, eliminating the need to use a different password each time you log in to a different website.

This doesn’t mean that those websites you frequent are no longer password protected. OpenID simply allows the website to confirm your identity to the website that is being accessed. It’s sort of like the fingerprint scanner on your iPhone that allows you to unlock it without using your passcode.

In order to log in with an OpenID, the user must obtain an OpenID identity. Identities are granted through OpenID providers, which are in abundance. Once you receive an OpenID identity, it will be in a URL format, which looks like this username.example.com, or like this: example.com/username.

How do you use it?

Once the user has created an OpenID identity with their provider of choice, they will be prompted to sign into the provider’s web page with their OpenID. At which point, the user has the freedom to grant their most frequently visited websites access to their OpenID in order to confirm their sign on identity. Thus, removing the need to input their password each time they log into their favorite websites.

Where did OpenID come from?

OpenID came about around the middle of 2005. It was developed by an open source community whose sole goal was to correct a problem that was unable to be easily rectified by the pre-existing forms of identity technologies. Since it was created within an open source, OpenID is not owned by any particular person, organization, or company.

Practically anyone has the ability to either be a user of an OpenID or become an OpenID provider. The best part about this is that it’s absolutely free to do so, and the user will not be subjected to pending approval by any organization or company.

OpenID may not be for everyone, but it is an option that is available to heavily active internet users who access multiple websites each day. There is also a representative for OpenID known as the OpenID Foundation. This foundation offers a legal presence for the open source model while also providing the community with infrastructure and promotional aids to further expand the adoption of OpenID.

The Problem(s) with OpenID

On occasion, my colleagues and I are asked whether Credentica is working to ensure that our innovative technology for user-centric identity management will work with OpenID. My short answer – “No” – is sometimes followed by the question “Why not?” Let me explain.

OpenID was designed as a lightweight solution for “trivial” use cases in identity management: its primary goal is to enable Internet surfers to replace self-generated usernames and passwords by a single login credential, without needing more than their browser. Concretely, OpenID aims to enable individuals to post blog comments and log into social networking sites without having to remember multiple passwords. (Of course, local password store utilities already do that; more on this later.)

Beyond this, OpenID is pretty much useless. The reasons for this are many: OpenID is highly vulnerable to phishing and other attacks, creates insurmountable privacy problems, is not a trust system, suffers from usability problems, and makes it unappealing to become an OpenID “consumer.” Many smart people have already elaborated on these problems in various forums. In the rest of this post I will be quoting from and pointing to their critiques.

SECURITY PROBLEMS

Let’s start with the security problems of OpenID.

As Ben Laurie in a piece called “OpenId: Phishing Heaven” notes: “The OpenID people [have] defined a standard that has to be the worst I’ve ever seen from a phishing point of view. […] I just persuade you to go anywhere at all, say my lovely site of kitten photos, and get you to log in using your OpenID. Following the protocol, I find out where your provider is (i.e. the site you log in to to prove you really own that OpenID), but instead of sending you there (because, yes, OpenID works by having the site you’re logging in to send you to your provider) I send you to my fake provider, which then just proxies the real provider, stealing your login as it does. I don’t have to persuade you that I’m anything special, just someone who wants you to use OpenID, as the designers hope will become commonplace, and I don’t have to know your provider in advance. So, I can steal login credentials on a massive basis without any tailoring or pretence at all! All I need is good photos of kittens.

Kim Cameron explains the phishing attack in greater detail and notes: “The problem here is that redirection to the home site is under the control of the evil party, and the user gives that party enough information to sink her. Further, the whole process can be fully automated.” Elsewhere, Kim points outthink of what we unleash with OpenID… It’s way easier for the evil site to scoop the skin of a user’s OpenID service because – are you ready? – the user helps out by entering her honeypot’s URL! By playing back her OpenID skin the evil site can trick the user into revealing her creds. But these are magic creds, the keys to her whole kingdom!

Marco Slot in his “Beginner’s guide to OpenID phishing” demonstrates the phishing problem by providing code samples. Quoting: “There’s a new phish in town and it is big and easy to catch. A single OpenID may be used for hundres of websites. This alone makes OpenID more vulnerable as losing one password means you’ve lost them all. Moreover, each of those OpenID enabled websites is able to trick the user into giving away her password. […] Would your grandma notice http://f5888d0b1.07e1c41c97a.be/a15 is not her real openid provider?” Marc also explains why naïve attempts to solve this (such as using cookies, identifying users by their IP address, bookmark login, and displaying personal icons) do not work.

Eugene and Vladimir Tsyrklevich in a recent Black Hat presentation furthermore point out that “the phishing attack can also be carried out by the host that the site consults to retrieve the URL of the identity provider.

On a note related to phishing, Kim Cameron says: “How do I know I am looking at his web page or talking to his identity provider? By calling them up on DNS. […] OpenID is as strong, and as weak, as DNS. In other words, it is great for transactions that won’t attract criminal attack, and terrible for those that will.” Similarly, Tim Anderson remarks: “The whole OpenID structure hinges on the URL routing to the correct machine on the Internet. In other words, DNS. Now do some research on DNS poisoning. Scary.

Then there are various browser vulnerability exploits that could have devastating consequences (not just with regard to phishing) if one were to rely on OpenID for anything beyond trivial uses with no real value at stake. Quoting Petko D. Petkov: “Cross-site scripting, also known as XSS, […] works in situations in which attackers need to circumvent the browser security settings […] to get access to unauthorized data using the browser as a proxy. […] Cross-site scripting is an injection attack in which attackers supply malicious code as part of a GET or POST request. It is sent to the attacked application and is then rendered as part of the remotely delivered HTML page. This attack is perfect for stealing session identifiers or creating massive worm outbreaks […] if [users] happen to visit a malicious website that contains an exploit of cross-site scripting vulnerability found on a page from the identity provider origin that is used by the user, attackers could inject malicious code within that scope and hijack the user’s online identity.[…] there are [other] threats such as the cross-site request forgery (CSRF), which is an attack vector that also abuses the browser’s same origin policies, but without the need to inject malicious code within the attacked website context. CSRF attacks perform blind GET or POST requests to resources that are not protected by unique tokens. Since the browser is configured to supply the necessary information, such as browser cookies and other settings to every request, attackers can perform actions on behalf of the user. In this case, if the user is logged into the identity provider and visits a malicious page that executes a CSRF attack that causes a password reset, for example, attackers can hijack the user’s identity again.

On a similar note, Tom Allen Allen Tom in “What’s broken in OpenID 2.0″ says: “[A phishing site can] spoof the realm using an open redirect server or by exploiting an XSS flaw on a trusted domain means that neither the user nor the OP knows what site that the user is signing into. This leaves users vulnerable to being phished on the RP site because OPs, including AOL and MyOpenID, use the realm and return_to parameters to assert the identity of the RP to the user before redirecting the user back to the RP. For example, it’s pretty trivial for a phishing site to get the AOL or MyOpenID OPs to tell the user that they’re signing into *.aol.com, *.microsoft.com, or *.go.com by exploiting redirect servers or XSS flaws on these trusted domains. […] Redirect servers, open reverse proxies, XSS flaws, and the like are widely known and eagerly circulated within certain communities, and without a doubt these bozos would be cranking out millions of SPIMs and SPAMS every hour if OpenID were to gain any traction in the mainstream.

It does not stop here. Alex Kuza says: “[There is a] feature to set a site to be able to accept your credentials without you having to enter your OpenID password, and since your OpenID provider does not provide these details to the host, they do. Of course, you still need to be logged into your OpenID provider, but since you’re meant to be using this login for several sites, its not too much of a stretch to believe that you’re going to be logged in all the time you’re online – which is quite a large time frame. […] This means that an attacker can log you into any site you decided to trust via CSRF attacks because the site cannot tell if you’ve entered a password. Now this might not seem important, but it is very important for both large and targeted attacks because the user no longer needs to be logged into the service you want to attack, but merely logged into the central service. Even worse, this fact is completely misrepresented to users. […] Another insecure ‘feature’ is the lack of need to enter a password to register for a site. Out of […] 3 OpenID vendors, only [one] asked users for a password when registering for a site, the other two had only CSRF protections. This is admittedly not particularly serious because you still need an XSS (or similar) flaw in the OpenID provider’s site before you can take advantage of the design idea, but it is rather worrying that people designing secure systems don’t seem to want to implement defence in depth.

As an example, the Tsyrklevich brothers at the recent Black Hat conference showed how using OpenID for online banking would allow attackers to wire money to their own account using a simple cross-site request forgery attack. They also provided simple sample code for several hijacking, spoofing, and phishing attacks.In sum, OpenID adds up to little more than simple password management with extra overhead and lots of security problems. As Marc Canter stresses: “if we’re to stop phishing, and spoofing and ID theft – we need severe crypto, locked down, secure ID systems.” Ben Laurie elaborates as follows: “The OpenID fanboys want OpenID to work on any old platform using only standard software, and so therefore are doomed to live in the world of broken authentication. This is fine if what you protect with your OpenID is worthless, but it seems clear that these types of protocol are going to be used to authenticate for things of value. […] This is the root of the problem: if you want to protect anything of value, you have to do better than existing Web solutions. You need better client-side software. […] the best general way to handle this problem is through zero-knowledge proofs.” (Note: this is exactly what Credentica’s technology does.)

PRIVACY PROBLEMS

Second, OpenID suffers from fundamental privacy problems.

For starters, Tom Allen in “What’s broken in OpenID 2.0″ points out the following privacy problem: “In order to free up desirable userids, many large OPs recycle userids belonging to inactive accounts. If an OpenID is recycled, the new owner will be able to access the previous owner’s data if the RP is not aware that the OpenID has changed ownership. This is a very problematic issue for mainstream OPs. For example, if someone (unknowningly) uses a recycled OpenID to sign into Zooomr, the user may see the previous owner’s private photos.

Secondly, as Jan Miksovsky notes, OpenID’s claim on their site that “OpenID starts with the concept that anyone can identify themselves on the Internet the same way websites do—with a URI” sounds “dehumanizing and more than a little bit frightening.

These issues may not be of grave concern to many users. There is, however, a much more fundamental privacy problem with OpenID. In the words of Ralph Bendrath : “I have looked into it a bit closer now, and I just can say it sucks. […] Your identity provider is able to track all websites you log into. They even tell you it’s a feature. User profiling made easy! […] You have a unique identifier (your OpenID uri) for all relying parties, so you can’t choose between different cards or identities for different sites. Cross-sites profiling made easy! […] The latter of course can be worked around if you use many different IDs. But then you run into the usability problems that OpenID was meant to overcome in the first place – having to remember several logins, passwords and so on.

As a blog commentor puts it: “Is nobody of you guys concerned about the openid tracking capabilities? Who would wanna sign up with openid and let them know what websites you visit on a daily basis?The Tsyrklevich brothers sum it up as follows: “the IdP can spy on the user’s activity on the Internet as it is a central clearing place for all of the user’s logins.” Or, in the words of a blog poster with the pseudonym Mordaxus, OpenID is “a huge boon for anyone who wants to start tracking on the web. […] if you want to steal from people or invade their privacy, OpenID is for you.

In a piece called “Why OpenID is going to destroy the Internet”, Ilya Lichtenstein says: “I’m not the paranoid conspiracy-theorist type, but even I am terrified of what could happen if all of our actions on the Internet could be tracked to a single identity. Imagine Big Brother coming across an offensive post you made on an anti-government website, and then tracking you through every book you bought, every comment you made, every song you listened to. Don’t say that this is already possible with an IP address- it takes a court order to get a name from an IP address, but your creepy neighbor could easily stalk you from your OpenID. […] Anonymity is one of the strengths of the Internet that allows for so much free expression- without it, the Internet loses one of its key strengths. […] Imagine a key logger or trojan compromising your OpenID password because you logged in from an insecure public computer. Now, the hacker controls every element of your digital life- so much for using different passwords on different sites for security. Imagine an OpenID server being compromised- there go thousands of identities, full complete identities compromised with ease. OpenID would be a ripe target for hackers. […] And, finally imagine what OpenID promises- all of your online identities, connected and unified. Do you really want that?

Clearly, if OpenID were to be considered uses on a grander scale, the privacy implications would be enormous. As the author of a blog post titled “OpenID: A great thing… going amok?” puts it: “More than anything else, privacy and free will would be my biggest concerns. […] What I don’t like is being assigned an OpenID (or anything else for that matter). […] Personally, I was a bit peeved when WordPress turned this blog into an OpenID without ever asking me. […] Now, let’s take that to another level: an entire nation requiring citizens to use OpenID. The thought sets butterflies on a wild ride through my belly.

So much for privacy. Credentica’s technology, in contrast, provides ultra-strong privacy guarantees that are provided by design. These features, as do our multi-party security features, require more client-side intelligence than today’s standard Web browser. Even if OpenID were to embrace such client-side intelligence, however, its simplistic URL architecture would be fundamentally incompatible with privacy features such as untraceability, unlinkability, authenticated anonymity and pseudonymity, and minimal disclosure.

TRUST PROBLEMS

Third, there is the OpenID issue of trust (or rather, the lack thereof). The old OpenID site was quite explicit in this regard: “ What about trust? This is not a trust system. Trust requires identity first.” As the author of a piece titled “The OpenID Farce” objects: “Ummm, no. Actually, Identity requires trust first. Identity without trust is meaningless. […] OpenID is Yet Another Identity Transport System… without trust. […] an identity/trust system needs to convey that “‘This is Steve’ and I’ll back that up with $XX if I’m wrong” or “‘This is Steve’ by the authority of the State of California with all of the rights and responsibilities thereof”. […] If you can’t make that promise, don’t talk to my about ID.” Or, in Jeremy Schoemaker’s words: “There’s nothing stopping a fake Mark Cuban from creating a fake OpenID, or worse, a fake identity provider.

Even for the trivial use cases that OpenID is used for today, this poses a major problem if OpenID were to gain in popularity. By way of example, a commentor at Slashdot notes: “Once this system is widely used, and spammers begin to register OpenIDs in huge numbers, how will site owners prevent spammy registrations? […] Blindly trusting OpenIDs and allowing them into a site, or giving them posting rights would be crazy. […] If [this problem] it isn’t solved we have a one-stop-shop for spammer IDs.

USABILITY PROBLEMS

Fourth, OpenID suffers from usability problems.

Neil Cauldwell in a piece titled “OpenID is too complicated” says: “I can log-in to any OpenID friendly site just by typing in ‘NeilCauldwell.com’. But do I ever use it? […] I’m already signed-up with all the services I use on a regular basis, and have a password manager that handles the usernames. In it’s current state, OpenID isn’t going to do much for me […] Why sign-up to OpenID when your favourite sites are bookmarked by the browser, and authenticated by a password manager? […] Even if they have an OpenID, [users] still need to create and fill-out a unique profile within each service they use. This means OpenID creates a double login procedure. As we already know, once is bad enough.

Jan Miksovsky notes: “The process of selecting an OpenID provider will stump the average consumer. […] Why would a site operator let anyone leave their site to perform a task from which they will never return? […] Currently, even those sites that do implement OpenID generally treat OpenIDs as a second-class form of identification. They put their own proprietary means of signing in (generally with a user name and password) on their home page, and bury the OpenID sign in facility behind a link. […] And all this is for—what, exactly? To save me from having to pick a user name and password? [….] I can’t imagine a sane business operator forcing their precious visitors through this gauntlet of user experience issues just for the marginal benefits that accrue to a shared form of ID. […] there’s no business of any size that can afford to direct their traffic down a dead end.

ADOPTION PROBLEMS

Fifth, while lots of organizations are jumping in to become OpenID providers, there are virtually no OpenID consumers.

Dana Epp writes: “I could care LESS if Six Apart or Technorati can be an OpenID provider. I don’t particularly have a lot of care or trust in them. I want these sites to trust MY provider… which in this case is my own corporate authentication server. […] I think that is getting lost with all these players.

Nik Cubrilovic in a piece titled “OpenID: Too many providers, not enough consumers” writes: “There have been a spate of announcements recently with a number of companies both large and small announcing that their products will ’support’ OpenID. […] All these OpenID support announcements and I am not getting anywhere with my OpenID. [….] it seems that while we have plenty of companies wanting to step up us providers (easy) and have their users use their OpenID’s with other applications, we don’t have enough companies stepping up as consumers of OpenID. […] it seems that OpenID is flavor of the month and everybody is jumping on for the ride (I could post ‘Burger King Supports OpenID’ and it would make the frontpage of digg). […] It seems that most of the justification for the big companies and other apps not wanting to be providers is so that they can protect their customer base and maintain a hold.

Microsoft’s Dare Obasanjo points out that this reluctance to become an OpenID consumer may well be a fundamental problem: “When you look at the long list of Open ID providers, you may be notice that there is no similar long list of sites that accept OpenID credentials. In fact, there is no such list of sites readily available because the number of them is an embarassing fraction of the number of sites that act as Open ID providers. Why this discrepancy? If you look around, you’ll notice that the major online services […] all provide ways for third party sites to accept user credentials from their sites. This increases the value of having an account on these services [which] increases the likelihood that I’ll get an account with the service which makes it more likely that I’ll be a regular user of the service which means $$$. On the other hand, accepting OpenIDs does the exact opposite. It actually reduces the incentive to create an account on the site which reduces the likelihood I’ll be a regular user of the site and less $$$.

Last, but not least, becoming an OpenID consumer means that another site (potentially a competitor, now or in the future) learns in real time which person is visiting at what time – potentially very valuable competitive information.

IMPERSONATION PROBLEMS [this section added on June 3, 2008]

As a consequence of the fact that an OpenID provider sees in real time which sites you log into, it also has the capability to log into any of these sites as “you”, possibly without you ever being able to find out. This is particularly problematic in cases of sites that would give access to personal account information following login via OpenID. Do you really want to give that much power to insiders at OpenID providers? Keep in mind that an “insider” may not just be unscrupulous management, but also a rogue employee, a virus, or a hacker with the proper privileges. [end of addition made June 3, 2008]

AVAILABILITY PROBLEMS

Still another concern is pointed out by the author of a blog called Internet Duct Tape: “The decentralization that is openID’s strength is also it’s biggest weakness. If your openID server goes down then you’re locked out of *all* of your other web accounts that used that login. […] In order to login to a web app with openID the web app needs to be working AND my openID server needs be working. The greater number of interconnecting parts decreases my chances of getting everything to work together much more than the benefit of not having to manage multiple user accounts. […] if you use someone else’s openID server then you’re screwed.

PATENT PROBLEMS

What all of the above points at is that OpenID is lots of pain with little (if any…) gain. If that is not enough reason for concern, then perhaps the following issue is. This particular concern relates to OpenID’s claim that it is an “open, decentralized, free framework for user-centric digital identity:

The issue here is not so much the one that Neil Cauldwell points out: “If [users] sign-up to a service that only supports OpenID’s from certain servers, OpenID isn’t even open. At least with a proprietary sign-in process you be under no illusions that the username you created with service ‘x’ would work with service ‘y’. But if the big players decide to mess about with server authentification, your OpenID may or may not work at another site. This is where it becomes a complete mess.

No, the real issue is that various parties have made claims that OpenID is covered by their patents. One patent is mentioned at the Wikipedia page on OpenID, which mentions a pending USPTO patent application with PCT priority from Denmark of March 9 2001 that “covers the central aspects of OpenID.

Other patents may apply as well. Jeff Bohren says, “Dave Kearns […] talks about the patents that Sxip Identity has applied for which appear to cover OpenID. He relates that Dick Hardt assured him that Sxip Identity will be issuing non-assertion statements on OpenID soon. Of course I find it odd that a company would spend the time, effort, and money to pursue IP that they already don’t intend to enforce. […] the Sxip Patent Applications so far made public include […] these.

Chuck Mortimore, who used direct SXIP’s engineering efforts, statesI think its a gross mis-representation of the truth to say OpenId was based upon SXIP,” but that is not necessarily an indication that the SXIP patents do not cover OpenID.

Even if one were to take the position that the abovementioned patents are pre-dated by tons of prior art and/or are “obvious to those of ordinary skill in the art,” that may hardly be reassuring for sites that establish themselves as OpenID providers or consumers – they risk being presented at any time in the future with litigation threat for patent infringement. The “pledges” made by various players involved in OpenID that they will not sue for patent infringement do not prevent certain litigation scenarios from becoming a reality.

CONCLUSION

So, there you have it – why we’re not working to ensure that our technology works with OpenID: there are simply irreconcilable differences between the two. Now, mind you, it IS possible to do a drastic overhaul of OpenID so that it will be possible to provide multi-party security and privacy. Doing so would amount in essence to discarding most of the OpenID work, keeping only the notion that in some cases it might be useful for individuals to facilitate “identity provider discovery” by providing a URL. The reality is that at such a point we’re not talking about an improved OpenID system anymore, as the use of a URL for IdP discovery would pretty much all that would remain.

 

Open ID: The Perfect Idea with Not So Perfect Results

OpenID was a great idea in the beginning. However, not everything that was intended to be a good thing turns out perfectly. OpenID was meant to save users time and browse the web more efficiently. OpenID made a promise to users that they would have the ability to explore new websites without having to create a new account with a new website while also having a single, consistent identity throughout the World Wide Web.

OpenID made a promise to users that they would have the ability to explore new websites without having to create a new account with a new website while also having a single, consistent identity throughout the World Wide Web, but it was just too complicated to use.

It was a promising idea, but…

With more than 50,000 websites that supposedly support the use of OpenID with more than a billion of users, hardly anyone actually utilizes it because of the fact that it was complicated to implement. Each website uses OpenID differently, which ultimately confuses the masses. Therefore, people may have it but rarely use it.

Facebook is the main catalyst to why OpenID has been pushed under the rug. Facebook Connect does nearly the exact same task as OpenID. The difference is that Facebook does it considerably more effectively. People recognize and are familiar with Facebook, therefore, making it much easier to understand.

OpenID may sound as if it’s “knocking it out of the part” with its 50 something thousand supported websites and a billion or so users. However, Facebook has numbers doubled that. What’s most impressive is that Facebook has been around less than half as long as OpenID. Facebook’s main advantage is its brand. Practically everyone with an internet connection has a Facebook account these days. With Facebook Connect, you can create a new profile on whichever website you’re trying to join utilizing your Facebook details, and you have this ability to do so with well over 250,000 websites.

Lack of Security Detail

Another issue that OpenID poses is its lack of security detail. The way a user chooses to authenticate their ID is completely in their hands. Therefore, there is no set level of security. This can pose problems while using the OpenID because it can potentially put users at risk of having their ID hacked. However, there is a lot of development going on with the OpenID Provider Authentication Policy Extender, or PAPE for short. These new developments will assist website owners to detect the providers they can trust by assessing their means of authentication the user utilizes in order to gain access. Hopefully, these new developments will help form a strong security protocol with OpenID.

For now, Facebook is in the lead with their ability to allow internet users to use their Facebook information in order to sign into or sign up with new websites. However, the is potential for OpenID to at least become equal with Facebook. We’ll just have to see how their new developments pan out.

Google’s Cloud Identity Management Services for Developers

Big technology players are vying to be the first over the finish line for universal security. It’s a vast global market with billions of devices and users as the end game. Google is taking advantage of its dominating internet position by setting comprehensive security standards. Google’s cloud security initiative has been constructed to satisfy the growing demand by consumers, for better security in their digital lives.

Google's cloud security initiative has been constructed to satisfy the growing demand by consumers, for better security in their digital lives.

Tech giants realize security must come first with any modern code being created. Companies are rushing to bring legacy systems up to industry guidelines. Customers must depend on their screens, no matter if it is a mobile device or desktop. Without complete confidence at login, consumers will turn off in pursuit for alternatives.

Google’s cloud identity management service will be an ongoing company effort. Millions of apps accessing Google’s cloud platform have a fresh collection of identity management tools. Googles new security initiative offers identity protocols for app builders with a drop-in service.

Introduction to Google’s Cloud Identity Management Services

Google’s Cloud Identity Services adds management functionality and identity access for clients and business partners. The protocols aim is to secure user accounts better going forward. Google is just a small number of tech giants that can develop a set of protocols which the entire digital industry must consider following.

The moniker for the new service is Google Grade Authentication. CICP wants app builders to use Google as a partner in their pursuit for security. Google wants to be the security foundation. Developers can utilize vast information resources from the internet giant. Apps can be shielded from being a takeover target. App builders, associated with Google security, can scale their offerings to a global market.

Google has made several announcements this year to boost identity and security protocols. Administrators now have a comprehensive lineup of third-party apps to rely on, along with Google. A significant boost to the service is context-aware identity management. The protocol authenticates a user’s location and the context of the request.

Developers and CICP

Google’s next stage of their cloud identity service is in Alpha release. The company has designed identity and access management as an ongoing service. There are a number of components and benefits to the service. Google, along with other tech giants are finally taking identity management seriously.

  • User authentication is based on Firebase, a mobile and web application Google purchased in 2014. Developers can integrate user identity specifications, based on the SAML and OpenID industry standards
  • There is wide-ranging support for the new service. Developers can incorporate their apps into several client-side platforms, including Android, IOS and web access. Along with server-side platforms Node.js, Java, and Python.
  • CICP is self-contained. Developers drop the service into their application to take advantage of Google’s security capabilities.
  • Once the service reaches general release, two-factor authentication will be possible. Multi-factor authentication for mobile devices has become more reliable. Mobile devices are now more dependable than in the past. Hardware includes GPS, microphones and advanced sensors to keep track of users.
  • The CICP service integrates Google’s threat intelligence protocol. This helps to identify accounts that have been acting with a suspicious nature or have been compromised.

CICP satisfies the security demands of mobile device makers and web-access applications on a global scale. Apps having thousands of logins daily, cannot allow accounts to be compromised. Hackers no longer attempt to break into software by rewriting code or brute force attacks, they log in.