OpenID Connect: In a Nutshell

profile picture Elly Heath 4 min read

There is a lot of information available about OpenID Connect (OIDC). A quick search online and it’s easy to get lost in technical jargon and still be left clueless as to what it actually is and if it could be useful for your business. 

In this blog, we cut through the noise and break it down for you.

How did OpenID Connect come to be?

Less than a decade ago, businesses in the online retail, search and social media spaces required you to set up an account and your details were stored. 

This created two problems: you had to sign up on every website (and remember those credentials for the future), and in the online retail world, customers would often fill their baskets but not checkout due to the effort of having to create an account. Not to mention the administrative and security risks for businesses of storing customer information.

Enter OpenID Connect.

What is OpenID Connect?

Launched in 2014 by the OpenID Foundation, OIDC lets you use single sign-on (SSO) to access multiple sites using OpenID Providers. For example, logging in to Spotify using your Facebook account credentials. 

OIDC is the third generation of OpenID technology and is now the leading online interface to achieve multiple domain SSO and prove your identity. 

OIDC is web and mobile-friendly, as well as API friendly. If you’re interested in learning about the technical details, you can find more information about how it works here

Some of the biggest brands are providers of OIDC, including Google, Apple, Microsoft, Facebook, X and Spotify. Any company who needs to capture customer credentials online and is keen to reduce barriers for users, should consider if OIDC is right for their business.

Let’s take a closer look at the benefits to both users and businesses. 

Benefits of OpenID Connect

The main benefit for users is reduced time and effort in having to set up multiple accounts (and remember all those passwords!). You can visit the same website many times or navigate seamlessly across numerous websites without needing to sign in every time – particularly benefiting retail businesses with reduced barriers at the point of sale. 

There may also be a feeling of trust for some users when interacting with a business for the first time if they can use their pre-existing credentials. This benefits businesses as they can rely on the trust users have in third party well-established brands in the space. 

There are some drawbacks to OIDC to be aware of too.

Possible cons of OpenID Connect

To be effective, businesses are relying on users being willing to use OIDC in the first place. Users are increasingly aware of their online footprint and so may be wary of logging in with their social media credentials for example, thinking that they are sharing their entire profile. People are more cautious than ever before about businesses gaining access to their personal information and exploiting it.

The authorisation of OIDC could also come into question in some circumstances. For instance, when you log in with Google: 

  1. If you’re already logged in to Google in the same browser that you’re asked to “log in with Google” (on another website), you won’t be asked to enter your password again 
  2. If you aren’t already logged in to Google, the other website will you ask for your password to prove its you

 

With option 1, anyone with access to your laptop or mobile would be able to browse online via your credentials, without being asked for a password. 

 

And there you have it – OpenID Connect in a nutshell. If you have any other questions about OIDC, please get in touch.

Keep reading

Why automated technology with human fallback provides optimal results

Some identity providers claim that fully automated processes are the way forward. Whilst we agree that technology can improve and streamline processes, there are times when it’s valuable to have a human involved.  Every business we talk to has different requirements for identity verification. This could be because of differing laws and their application in different regions, a varying risk appetite or wanting to ‘do the right thing’ to engender trust and increase success rates.  When it comes to identity verification technology, there might be some scenarios where it’s helpful to use the skills of our security team. For instance:

3 min read

Report: The importance of accessible and inclusive identity verification

A recent YouGov survey of 2,000 GB adults found that 69% have proved their identity online using a physical document. Of those, 71% found the process easy to use.  Whilst almost half (47%) said they would prefer to prove their identity online, 26% said they would prefer to do this at a Post Office. One in five (20%) expressed no preference. With more services moving online, identity verification needs to be as accessible and inclusive as possible.  Through our partnership with Post Office, we are making strides to ensure our solutions cater to as many people as possible. We offer

2 min read
Father and son using devices together

Asking the FTC to approve facial age estimation for verifiable parental consent

Together with the Privacy Certified program of the Entertainment Software Rating Board (ESRB) and SuperAwesome, we are asking the Federal Trade Commission (FTC) for approval to implement facial age estimation as an authorised method for verifiable parental consent (VPC). The Children’s Online Privacy Protection Act (COPPA) requires companies to ensure they are not collecting personal data from children under the age of 13 without a parent’s consent. Currently, the COPPA Rule enumerates seven, non-exhaustive methods that enable parents to verify their consent. These include verification by government ID, credit card transaction, and a method that involves facial recognition, which is

3 min read