OpenID may be the most promising step toward a universal sign-on system, but for all its momentum, serious obstacles remain. Described as 'the most visible and highly evolved manifestation of the user-centric ID movement,' OpenID has reached half a billion users in less than three years. A number of major tech companies, including IBM, Google, Microsoft, VeriSign, and Yahoo!, have joined the OpenID Foundation board. The main problem facing OpenID is that, despite its popularity, most websites are willing only to provide OpenID capabilities, not to recognize accounts created elsewhere. And OpenID will only succeed if it is universally accepted. Its basic operation relies on creating a unique URL associated with a user. That URL is then entered into the sign-in field of another site, which uses the link to access authenticating information via the Diffie-Hellman key exchange protocol. Any single sign-on technology increases the risks of phishing and false identities. Thus, without additional layers of security, OpenID is unlikely to be used for sensitive transactions. A number of efforts to bolster single sign-on security are underway, including the Security Assertion Markup Language, the Higgins Project, and Microsoft's CardSpace. Yet there is currently no governance or accountability to regulate the technology. According to Brad Templeton of the Electronic Frontier Foundation, the key lies in tapping the negotiating powers of the market. The tremendous value of demographic data needs to become a currency by which consumers gain access to services and discounts. In that case, OpenID's credibility, momentum and growth could finally let it realize its potential.
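
In OpenID 2.0, the Diffie-Hellman exchange mentioned above lets the site and the identity provider agree on a MAC key, which the provider then uses to sign the sign-in assertion. The sketch below is an added example, not code from the article or from any OpenID library; it follows the DH-SHA256 association and HMAC-SHA256 signing steps of that specification. The demo prime, the URLs, the nonce and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Demo group only (assumption): 2**255 - 19 is prime, but it is NOT the
# default modulus from the OpenID 2.0 specification.
P, G = 2**255 - 19, 2

def btwoc(n: int) -> bytes:
    """Big-endian two's complement of a non-negative int, minimal length."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def mask(peer_pub: int, priv: int) -> bytes:
    """SHA-256 of the shared DH secret, used to XOR-wrap the MAC key."""
    if not 1 < peer_pub < P - 1:  # reject degenerate public values
        raise ValueError("DH public value out of range")
    return hashlib.sha256(btwoc(pow(peer_pub, priv, P))).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def kv_form(fields: dict, signed: list) -> bytes:
    """Key-value form of the signed fields: one 'key:value' line each."""
    return "".join(f"{k}:{fields[k]}\n" for k in signed).encode()

def sign(mac_key: bytes, fields: dict, signed: list) -> bytes:
    return hmac.new(mac_key, kv_form(fields, signed), hashlib.sha256).digest()

def demo():
    # Association: the site (relying party) and the provider agree on a key.
    rp_priv, rp_pub = dh_keypair()
    op_priv, op_pub = dh_keypair()
    mac_key = secrets.token_bytes(32)                   # chosen by provider
    enc_mac_key = xor(mask(rp_pub, op_priv), mac_key)   # sent to the site
    rp_key = xor(mask(op_pub, rp_priv), enc_mac_key)    # site unwraps it

    # Sign-in: the provider signs the assertion, the site verifies it.
    signed = ["claimed_id", "return_to", "response_nonce"]
    fields = {"claimed_id": "https://alice.example/",       # constructed
              "return_to": "https://site.example/return",   # constructed
              "response_nonce": "2008-01-01T00:00:00Zabc"}  # constructed
    sig = sign(mac_key, fields, signed)
    ok = hmac.compare_digest(sig, sign(rp_key, fields, signed))
    forged = dict(fields, claimed_id="https://mallory.example/")
    bad = hmac.compare_digest(sig, sign(rp_key, forged, signed))
    return rp_key == mac_key, ok, bad
```

The signature only proves that the assertion came from whoever holds the MAC key; it does not stop a look-alike provider page from collecting the user's password, which is the phishing risk the summary raises.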