How OneID works: The basic concepts

OneID was designed to be the ultimate digital identity: one identity that you can use anywhere for anything, and a better technology for replacing usernames and passwords. Authentication, authorization, information sharing, digital claims, identity proofing, user- and RP-defined attributes and certificates, and more. One identity to rule them all. The world's most trusted cloud identity provider. That is the OneID vision.

In order to achieve these goals, we had to re-invent identity from the ground up. In particular, OneID does two things very differently from pretty much any other identity system that you have ever used:

1.       We use digital signatures instead of usernames and passwords. When you sign into a website using OneID, you present the site with a digital signature, not a username or password. Digital signatures are like traditional paper signatures: easy for you to create, easy for anyone to verify, but infeasible for anyone else to forge unless they hold your private key. They are very easy to use (you just press a button and your browser creates the signature for you), and much more secure than usernames and passwords.

2.       We store your identity on your devices. OneID stores the numerical secret for creating your digital signature (known as your "private signature key") in the HTML5 local storage of your browser; websites only ever hold the matching public key, which can verify your signatures but cannot create them. This means that your identity cannot be used without your device and your express consent and involvement. So you no longer need to worry about your security when a big website gets broken into and everything it stores is exposed: nothing on the site's servers can be used to sign in as you.

Here's a very simplified explanation of the four basic OneID operations:

1.       Create a new OneID. When you create a OneID account, your browser generates a unique signing key pair and stores the private signature key in its local storage. The public half is what you later present to websites.

2.       Sign into OneID on your browser. Storing your identity in your browser also makes it very easy for you to sign into OneID. You just go to OneID.com, click the "Sign In" button, and pick your name from a list of names. It's analogous to signing into your desktop or laptop computer. For extra security, you can require that OneID prompt you for a password (if you chose to define one for your account) or require that OneID get confirmation from the OneID app on your mobile phone. The security level required for login can be set differently for each computer that you own. You have it your way: greater convenience or greater security. What's nice is that if you choose to ask for a password, you have a two-factor login (the key held on your device plus the password you know) that a keylogger or a phishing site cannot defeat on its own, because a captured password is useless without the private key stored on your device. Yet it is as convenient as a one-factor login, so you get the added security without sacrificing any convenience.

3.       Sign into a website. You can only use OneID to sign into websites that have been modified to support OneID. You'll see a OneID "Sign In" button on these sites. When you click the button, the website sends your browser a sign-in request to digitally sign. Your browser uses your private signature key to sign the request and sends the signature back to the website. The website then verifies that signature against the public key it has on file for you, and if it verifies, you are signed in. It's just like going to the bank, signing a check, and having the teller compare your signature with the signature they have on file before they give you the money. All this happens under the covers. All you know is that you clicked a button and were securely signed in. If there is no key on file for you, the website will create a new account for you and keep a copy of your public key on file for when you log in in the future. If you already have a "legacy" (username/password) account, the website will offer to link your OneID identity to your existing account. It uses your email address to find a matching account (and it will prompt you for your username and password one last time before linking to an existing account). After the accounts are linked, you can log in either using your username and password for that site, or by clicking the "OneID Sign In" button on the site. We think you'll always use OneID.

4.       Add another device. When you want to use OneID on a new device, you select the option on the Sign In page to "Add OneID to this device" (it's obscured by the drop-down in the image on the right, but trust me, it's there). This displays a QR code in your browser. Scan it with the OneID Remote app on your mobile phone and the secrets of your OneID identity will be securely copied from your OneID Remote app into the local storage of the browser you are currently using. From that point on, your new device can be used with OneID. If it is a temporary device (like a public terminal), you can remove your identity when you are done.

Now that you understand the basics, see the detailed version of how OneID works, which addresses privacy, account security, lost devices, secure information sharing, account recovery, and more, and explains each of these in greater depth.

For more information, see the OneID documentation guide.