Why You Should Care About OpenID

By: NMK Created on: February 22nd, 2007

Only three weeks ago, an article about OpenID on this website might have seemed overly niche. However, announcements from Microsoft, AOL and digg over this period have propelled the authentication system into the mainstream.


OpenID is a system for verifying your online identity to the web services that you use. It is decentralised, in that anyone can set themselves up as an OpenID provider, and open, as in open source. At this week's Future of Web Applications conference in London, Simon Willison spoke on the subject and this article is largely based on his presentation.

OpenID is interesting and useful in that it offers a means for a person to identify themselves to many different services using the same log-on, without sharing his or her password with any of them. Users provide a URI instead of a username: this might be connected to the identity provider they use, such as http://myname.myopenid.com, or it can be any website they have control of, such as http://myblog.blogger.com, which delegates to that provider.

Arguably, the main problem addressed by OpenID is that users have dozens of log-on names and passwords, together with the linked security vulnerability of almost inevitably reusing the same log-on and password across multiple services. Single sign-on, the ability to log in once to access all your web services, seems almost within reach thanks to this innovation. A further benefit is that it allows users to decide for themselves who holds their log-on details. It also helps to avoid the security vulnerability attached to using email for password retrieval, though it suffers from other vulnerabilities of its own, to be discussed later.

When you visit a site that supports sign-on through OpenID, you simply supply your identifying URI. The site then refers you to your identity provider, and this is where you fill in your password to confirm that you are who you say you are. You can then decide whether to authenticate yourself with the service you're using just once or forever. Having done this, your ID provider sends you back to the service you're logging on to with a confirmation telling it to let you in.
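The delegation and redirect steps described above, seen from the side of the site being logged in to, as an added example (not code from the article or from any OpenID library). It assumes the OpenID 1.1 parameter names and a MAC key the site has already agreed with the provider; the `example` hosts and sample page are constructed.

```python
import base64, hashlib, hmac
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample: a personal page delegating to a hypothetical provider.
SAMPLE_PAGE = ('<head><link rel="openid.server" href="https://idp.example/server">'
               '<link rel="openid.delegate" href="https://myname.idp.example/"></head>')

class _Links(HTMLParser):
    """Collect <link rel="openid.*" href="..."> tags from the user's page."""
    def __init__(self):
        super().__init__()
        self.found = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            for rel in (a.get("rel") or "").lower().split():
                if rel in ("openid.server", "openid.delegate"):
                    self.found.setdefault(rel, a["href"])

def discover(claimed_url, html):
    """Return (provider endpoint, identity the provider is asked to confirm)."""
    p = _Links()
    p.feed(html)
    server = p.found["openid.server"]  # KeyError: page does not offer OpenID
    return server, p.found.get("openid.delegate", claimed_url)

def login_redirect(server, identity, return_to, trust_root):
    """URL the site sends the browser to; the password is typed only there."""
    q = urlencode({"openid.mode": "checkid_setup", "openid.identity": identity,
                   "openid.return_to": return_to, "openid.trust_root": trust_root})
    return server + ("&" if "?" in server else "?") + q

def sign(fields, mac_key):
    """Base64 HMAC-SHA1 over 'key:value' lines for the fields in openid.signed."""
    names = fields.get("openid.signed", "").split(",")
    text = "".join(f"{n}:{fields.get('openid.' + n, '')}\n" for n in names)
    return base64.b64encode(hmac.new(mac_key, text.encode(), hashlib.sha1).digest())

def accept(fields, mac_key, identity, return_to):
    """True only for a signed confirmation of the identity and URL we asked for."""
    covered = set(fields.get("openid.signed", "").split(","))
    return (fields.get("openid.mode") == "id_res"
            and {"identity", "return_to"} <= covered
            and fields.get("openid.identity") == identity
            and fields.get("openid.return_to") == return_to
            and hmac.compare_digest(sign(fields, mac_key),
                                    fields.get("openid.sig", "").encode()))
```

These checks protect the site from a forged or replayed-to-the-wrong-place confirmation; they do nothing to help the user tell the genuine provider page from a copy, because the site, not the user, chooses where the browser is sent.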

The second way in which OpenID can help is with registration forms. If you use a lot of web services, and sign up for new ones on a regular basis, it's likely that you will already be suffering from registration-form fatigue. Some identity providers, such as MyOpenID.com and ClaimID.com, provide means to add attributes to your OpenID, such as your name, address and birthday, and to automatically fill registration forms once your identity has been verified.

From the perspective of web developers, one advantage of OpenID is that it makes potential users more likely to try out new services. With the psychological barrier of yet another log-on and password to remember removed, the likelihood that people will try out your service is increased.

There are already a number of OpenID providers available. The service is free and doesn't belong to these providers. In fact, you can download the necessary libraries and run your own server if you are especially paranoid about your security.

  1. LiveJournal
  2. Vox
  3. VeriSign Labs
  4. MyOpenID

And those announcements? Microsoft announced its support for the format on February 6th; AOL on February 15th; digg on February 20th. During the same period, it's also emerged that by using your OpenID server as a proxy, you can use it to log-in to non-compliant services such as Yahoo! accounts.

So are we headed for an OpenID world? Some possible issues will probably have already occurred to you:

  1. Not very many services currently offer the OpenID method of verification. Aside from LiveJournal and Vox, there is the social bookmarking service magnolia, photo-sharing service zooomr and travel information site Wikitravel. And there's Jyte.com. And err... that's it.
  2. People have tried and failed to create a unified log-on in the past. Remember Microsoft Passport? The issue was that it required users and service suppliers to trust all their details to one company. OpenID is somewhat different in this regard, since you get to choose who you want to trust.
  3. What happens if your OpenID provider is hacked or becomes evil? Doesn't this system provide a single point of weakness? True; but consider the current situation. Because many people use the same email address and password for their log-ons, that constitutes multiple points of weakness which will allow access into lots of other services. Choosing your identity provider is indeed a serious business, though.
  4. I don't want a single identity. Willison paraphrased this as 'I don't want my boss to know I'm a furry.' People may well want different identities depending on whether they are representing themselves in their professional role, or as a private consumer, or as a gamer. And there's absolutely no reason why people shouldn't create multiple identities, just as people have done since the birth of the web. OpenID gives us a way to rationalise the number of these, though, so you can limit the number of passwords that you need to remember.
  5. OpenID is susceptible to phishing attacks. It is relatively trivial to fake the authentication page of your ID provider. Certainly, OpenID is not offered as some sort of panacea for online security, and those who fail to observe basic guidelines to avoid such attacks will indeed suffer. It's more about convenience than anything else. However, integrating OpenID with Microsoft CardSpace's protection against phishing will give many Windows-using consumers a better level of protection against such attacks.
  6. The main problem faced by OpenID, though, is that it is quite tricky to explain and until you've signed up and used the service between a couple of providers, it's not quite apparent what the benefits are.

While there are numerous issues that might be identified with its implementation, the problems addressed by OpenID are arguably considerable enough to make it likely to succeed in any case. What remains to be seen is whether this relatively complex idea can be communicated with sufficient clarity for it to cross the chasm into the consumer space.
