I wanted to write about this for a long time. A wait in the doctor’s office has its uses …
Here is an example scenario from the real world:
Like many schools these days, my son’s school has a website where teachers enter current assignments and grades, and students and parents like me can check on student progress. Of course, access to any one student’s information must be limited to those people who are allowed to see it, such as his teachers, the student himself and his parents. To solve this problem, at the beginning of the school year the school provisions an account for each new student, and an account for his parents, and assigns a username and a password to each of them. Then, the school prints out a sheet with the account names and passwords and hands it to the student, who is supposed to not show it to anybody and give it to his parents.
Yeah, right. If your kid is anywhere like mine, both of these “supposed to” are major hypotheses with wholly uncertain outcome.
Even if the sheet eventually reaches me, I now need to remember a new username that I don’t relate to (some funny number, the school can’t know what I usually call myself on-line) and yet another password.
Unfortunately, this anti-pattern of provisioning an account with a credential and then distributing account identifier and credential to the supposed user is very widespread. Just think of banks: “Here is your new account number and you’ll receive the PIN in the mail”. While the postal service is undoubtedly more reliable in delivering the credential to me than a middle schooler is, having the (necessarily unencrypted) credential traverse via an essentially unsecured (and unreliable) channel is the same, avoidable problem.
The solution? It’s an underappreciated feature of OpenID that allows us to turn this situation around:
Let’s say I have an OpenID; most people do these days, whether they know it or not. When my kid registers for school, I not only hand over information about my name and address and emergency contact information as I do anyway, but also my OpenID. There is nothing secret about that OpenID, so there is no problem. The school provisions the account, adding my OpenID to the Access Control List. That’s all. No new username, no new password.
Using OpenID, I now can securely access the account, nobody else can, my kid does not need to deliver any confidential information, and I don’t need to remeber any more usernames and passwords. And the school does not need to print sheets, reset passwords and help all those parents who, mysteriously, never received the sheet with the usernames and passwords because it was thrown out with the lunch wrapping paper or grabbed by some other kid when mine wasn’t looking.
Same thing for the bank. Which is more secure: letting me access my banking account with my, say, Yahoo OpenID, or sending me my password in the mail? Thought so …
Time to get rid of the credentialed account provisioning anti-pattern.