What OpenID Can Do for Academic Publishers

OpenID is a free, decentralized system for managing your identity online. What does that mean? It’s easy to explain by example.

Right now you probably have dozens of accounts on different Web sites. It’s likely that you use the same (or similar) user names and passwords on all of them. OpenID solves the problem of creating nearly-identical accounts on different services, and also allows you to control how much personal information you provide to each service that asks for your OpenID.

What makes OpenID interesting in the publishing community is that it distinguishes between two concepts that are often conflated:

  1. Identity: Who am I?
  2. Authentication: What do I have access to?

Traditional user name and password schemes are used for both purposes, but they are actually quite different.

Identity only — When I shop at Amazon.com (assuming I’m not boycotting it), I only need to provide my identity. I don’t need any special permission to access Amazon’s search and browse features. What I do want to protect are my account information and shopping cart, but arguably those belong to me, not Amazon.

Identity and authentication — When I want to post to the TOC blog, I need to provide both types of credentials: identity, so the blog software can put my name under my post, but also authentication to prove that I’m a registered contributor. If you write a comment to this post, you’ll only be asked to provide identity.

Authentication only — The third case — authentication without identity — is common in subscription-based journals and research material. I can go to the Boston Public Library, sit at a terminal, and get access to hundreds of online resources in the deep web that aren’t available to the general public. The library has paid for the right to access the resources, but those sites only need to know that I’m authenticated through an institutional subscription, not who I am as an individual. This is the correct default behavior, and it’s admirable that librarians fight hard on behalf of patrons to explicitly protect users’ identities.

This leaves academic and journal publishers without an obvious way to offer their users some of the benefits of identity-based systems: bookmarking, tagging, annotating, and sharing. One solution is to build another layer of access control: first I authenticate, either by using a library terminal or entering my library card number, and then I identify myself with yet another user name and password. Only then do I get the ability to save searches, bookmark documents and possibly share those with other authenticated users of the resource.

Publishers could instead use OpenID to handle identity management in these products. Compared with building such a system from scratch, OpenID is inexpensive and is already fully-implemented in many programming languages.

Users benefit in several ways: they don’t have to create a new account and remember another set of credentials, and now they have new options for personalizing their research experience. It also opens up the possibility of tying together saved resources across multiple products owned by different publishers, similar to some types of citation management software.

Currently, signing up and using OpenID can be a bit confusing for novices, but the user experience is expected to improve. In the near future it’s likely to be largely opaque to end-users, who will only need to know that their identity is managed by a source they already trust.

One last point that’s relevant to library users: an OpenID account can still provide anonymity. There’s no requirement or guarantee that my OpenID account name has anything to do with my legal name. It’s likely that many users will have multiple OpenIDs in the same way that people use throwaway email accounts when registering on Web sites. However, the onus is still on the end-user to be careful where and how they distribute their personal information.

tags: , , , ,