Just over a year ago I discovered a vulnerability in Northwestern University's centralized authentication system. It would have allowed an attacker to steal a person's username and password, if the attacker could get the victim to authenticate using a specially-crafted URL. I probed and saw other details about the system that raised my hackles.
Thinking back on the authentication system's design, I have realized that
Northwestern could easily push forward into the 21st century by implementing
the system using OpenID. All Northwestern users would then be able to
authenticate anywhere on the internet (that is, anywhere that supports OpenID)
using a Northwestern URL such as
OpenID is an authentication system that doesn't require me to give a site my
username and password in order to log in. Let's see how this works in
practice. For this example,
http://id.northwestern.edu/kurtmckee is my
OpenID URL, the OpenID service is called IDea, and I'm wanting to authenticate
at a brand new Northwestern service called Hostel.
I visit Hostel and tell the site that my OpenID URL is
http://id.northwestern.edu/kurtmckee. This is the only information that I provide to Hostel in order to log in!
Hostel redirects me to
id.northwestern.edu/kurtmckeeand includes information that lets IDea know how to tell Hostel whether I've authenticated at IDea or not.
I give IDea my username and password. If my username and password are correct, IDea redirects me back to Hostel and informs Hostel that I logged in correctly. Hostel then treats me as a logged in user.
About Northwestern University
Northwestern is a Big 10 school with thousands of users. Although OpenID does not deal with identity, Northwestern is in the unique position to link authentication with identity. Further, it has the ability to give its users the immediate benefit of an OpenID URL that can be used all over the internet.
I hope Northwestern takes the ball and runs with it; this would be an incredible step towards giving its users true value.