Is OpenID the Solution to Online Identity Theft?

In March, Dubner and Levitt tackled the realities of identity theft. Now, with phishing scams getting ever cleverer, state government databases leaving sensitive private information accessible to the world, and identity thieves expanding their schemes into Web giants like Facebook, it’s worth asking: how will the problem of identity theft be solved?

Technology innovators have been plugging away, of course, to develop programs that safeguard sensitive information from prowling hackers. One product touted as a possible solution is OpenID, an online protocol that manages a user’s web identity by offering single sign-on for any participating Web site. Surfers never have to enter a username or password to access sites that demand registration, and can navigate between different sites without logging in or out — the equivalent of an online driver’s license. While the program has yet to hit the mainstream, reports estimate that it and similar products are “two to five years away from mainstream adoption.”

On its face, OpenID seems to offer solution-oriented options for managing identity, like allowing users to identify themselves as part of a demographic (e.g. “35-year-old single man in financial services”) instead of typing in birth dates or employment information during registration. Users can add plugins for extra protection, like the “SeatBelt Extension,” which warns you when you’re visiting a phishing site like this one. Other benefits include an automatic age verification system for purchases (making online liquor stores a possibility in the U.S.) and additional spam barriers (though, as countless filters have found, the spammers find a way).

Fans of OpenID have leaped on its bandwagon, including online giants like AOL, Microsoft, and VeriSign, all of which publicly endorse the product. Dick Hardt, the CEO of the Internet security firm Sxip Identity, called it “the next generation of how we manage identity on the Internet.”

Still, the concept has one glaring weakness that even a non-expert in computer science can figure out: reduce the number of names and passwords you use on the Internet, and you reduce the amount of information a thief needs to steal. This line of thinking led online security giant Ben Laurie to famously dub OpenID a “Phishing Heaven.” Mike Neuenschwander, vice president and research director of identity and privacy at the Burton Group, explained Laurie’s logic as follows: “Today, phishers have to set up a site that mimics a legitimate site a user frequents, and then trick the user into offering credentials and other information. With OpenID, such mimicry isn’t even necessary — the user need only be motivated to log into a site using an OpenID.”
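The mechanism behind Laurie’s objection is that an OpenID login begins with the site you are visiting (the relying party) redirecting your browser to a provider login page, and the relying party chooses where that redirect goes. The SeatBelt-style defense mentioned above is a browser-side check that inspects the redirect before following it. The following is an added illustration, not code from this post or from the OpenID project or any SeatBelt release; it assumes an OpenID 2.0 authentication redirect, a user-supplied list of trusted provider hosts, and the constructed hostnames `openid.example-provider.test`, `alice.example.test` and `shop.example.test`. The `same_realm` check mirrors the return_to/realm rule a provider must apply (OpenID Authentication 2.0, section 9.2); here it is applied on the client as a second warning sign.

```python
# Added example (not the post's or the OpenID project's code).
# A SeatBelt-style client check: before the browser follows an OpenID 2.0
# authentication redirect, confirm that the OpenID Provider (OP) endpoint it
# is being sent to is the provider the user actually uses. A relying party
# can aim the redirect anywhere, which is the weakness Laurie describes.
from urllib.parse import urlsplit, parse_qs

OPENID2_NS = "http://specs.openid.net/auth/2.0"
AUTH_MODES = ("checkid_setup", "checkid_immediate")


def parse_auth_request(redirect_url):
    """Split an OpenID 2.0 authentication redirect into (OP host, openid.* params).

    Raises ValueError if the URL is not an OpenID 2.0 authentication request.
    """
    parts = urlsplit(redirect_url)
    # parse_qs returns lists; OpenID parameters are single-valued, keep the first.
    params = {k: v[0] for k, v in parse_qs(parts.query).items() if k.startswith("openid.")}
    if params.get("openid.ns") != OPENID2_NS:
        raise ValueError("not an OpenID 2.0 message")
    if params.get("openid.mode") not in AUTH_MODES:
        raise ValueError("not an authentication request")
    return parts.hostname, params


def same_realm(return_to, realm):
    """True when return_to falls under realm: same scheme and port, same host
    (a realm host may start with '*.' to cover subdomains) and the realm path
    is a prefix of the return_to path. This is the rule the OP must enforce."""
    rt, rl = urlsplit(return_to), urlsplit(realm)
    if rt.scheme != rl.scheme or (rt.port or 0) != (rl.port or 0):
        return False
    rt_host, rl_host = (rt.hostname or ""), (rl.hostname or "")
    if rl_host.startswith("*."):
        if not (rt_host == rl_host[2:] or rt_host.endswith(rl_host[1:])):
            return False
    elif rt_host != rl_host:
        return False
    return (rt.path or "/").startswith(rl.path or "/")


def classify_redirect(redirect_url, trusted_op_hosts):
    """Classify an outgoing redirect for a user whose providers are trusted_op_hosts:
    'not_openid', 'untrusted_op' (the phishing case), 'realm_mismatch' or 'ok'."""
    try:
        op_host, params = parse_auth_request(redirect_url)
    except ValueError:
        return "not_openid"
    if op_host not in trusted_op_hosts:
        return "untrusted_op"
    return_to = params.get("openid.return_to")
    realm = params.get("openid.realm", return_to)
    if return_to is None or not same_realm(return_to, realm):
        return "realm_mismatch"
    return "ok"


# Constructed sample data: the user's real provider and two redirects a
# relying party might send the browser to.
TRUSTED_OPS = {"openid.example-provider.test"}

LEGIT = ("https://openid.example-provider.test/server"
         "?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
         "&openid.mode=checkid_setup"
         "&openid.claimed_id=https%3A%2F%2Falice.example.test%2F"
         "&openid.identity=https%3A%2F%2Falice.example.test%2F"
         "&openid.return_to=https%3A%2F%2Fshop.example.test%2Fopenid%2Ffinish"
         "&openid.realm=https%3A%2F%2Fshop.example.test%2F")

# Same request, but the endpoint host differs by one character from the real OP.
LOOKALIKE = LEGIT.replace("openid.example-provider.test/server",
                          "openid-example-provider.test/server", 1)

if __name__ == "__main__":
    for label, url in (("legit", LEGIT), ("lookalike", LOOKALIKE)):
        print(label, "->", classify_redirect(url, TRUSTED_OPS))
```

The useful property is that the decision never depends on what the login page looks like: a page that mimics the provider pixel for pixel is still flagged because its host is not on the user's list, which is exactly the signal a user eyeballing the page tends to miss.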

With pro and con arguments flying back and forth, the protocol has become a polarizing force in the technology community, as tech bloggers take sides and rarely miss an opportunity to sound off on the debate. Respected figures like Laurie are working with the OpenID community to help solve its problems, but this supposed I.D. theft solution won’t be revolutionizing the Internet any time soon.

What does it all mean for the average consumer? As Dubner and Levitt pointed out in their column, almost three-quarters of identity theft victims incur no damages from the crime. Still, until the security community can reach a consensus, it’s worth triple-checking every time you enter your name and personal information into a “Sign In” box. Even if the site looks like CNN.


COMMENTS: 44

  1. discordian says:

    A fool and his ID are soon parted.
    hail eris.

    Thumb up 0 Thumb down 0

  3. Drew says:

    If someone with the name Dick Hardt tried to send me an e-mail, it would probably end up being deleted by my spam filter.

    You had a recent column about Aptonyms. How about one for people whose name is glaringly inappropriate for the profession they are in. The CEO of an Internet security firm shouldn’t have a name that looks like the purveyor of pornography or “herbal Viagra.”

    Thumb up 0 Thumb down 0

  5. Michael Hessling says:

    It’s not so easily cracked, Melissa. My OpenID is the address of my web site. I can use it to sign in to any site that supports OpenID, and because I’m the only person with control over my homepage I’m the only person who can use that identity.

    If someone else tries to use my web site address, they’ll be redirected to a page which will ask them to log in. This page merely provides a URL, which you must copy and paste into the address bar, and does not actually let you sign in. This helps prevent, to a great degree, any phishing attempt.

    Simon Willison has a ton of useful articles about OpenID on his blog: http://simonwillison.net/search/?q=openID

    Thumb up 0 Thumb down 0

  7. Bob says:

    Didn’t Microsoft already try this concept several years ago? I think it was called .NET Passport and it failed after a couple years of no one adopting it. Why is OpenID going to be any different?

    Thumb up 0 Thumb down 0