[thelist] [OT] OpenID
Jim Puls
jim at nondifferentiable.com
Tue Mar 24 13:41:54 CDT 2009
On Mar 24, 2009, at 3:48 AM, Jack Timmons wrote:
> On Tue, Mar 24, 2009 at 4:55 AM, Lee Kowalkowski <lee.kowalkowski at googlemail.com> wrote:
>
>> I've only seen it used on stackoverflow.com, which is even a headache
>> for a user if you don't habitually authenticate with one of their
>> OpenID providers whenever you surf.
>> --
>> Lee
>>
As somebody who has implemented a site (http://embedit.in) that uses
OpenID as its exclusive authentication mechanism, maybe I can chime in.
The way I see it, "if you don't habitually authenticate with one of
their providers" is a non-starter. The number of people on the web
without a Google account, a Yahoo! account, an AOL account, a
Wordpress account, a Livejournal account, or a Blogger account is
pretty vanishingly small, is it not?
> I gazed over the specs and that's exactly what happens.
Well, mostly. The client doesn't give you an email, they give you a
URL, so there's no real step of "figuring out where to send them".
> Personally, I wouldn't even bother with it. I think it's a case of
> "good idea, bad implementation".
More accurately, "good idea, bad user experience". Giving somebody a
box to put a URL in will scare away all but the most hardcore of
Internet users, and it's no surprise that sites that have done this
are finding limited returns. Stack Overflow does it a bit better,
giving you an "Alternatively, click your account provider" section of
the login form. I haven't yet found a better interface than the way
RPX (http://rpxnow.com) does it, though I might roll my own soon.
If you want to use both, I haven't seen a better interface than the
way UserVoice (http://uservoice.com) does it.
> Why can't I just have a page I can CURL from the server to authenticate
> from? Instead of redirecting them (adding no less than two extra steps
> to a login process that takes only one if I don't use it), I could just
> use the feedback from there.
Because now the user has to give you their password, which makes the
whole thing less secure. Remember, you're asking them for a credential
from a third-party site. Do you really think Google would let you ask
a user for their Google password in order to log in to your site?
> We're trying to design a site so the user goes through as few steps as
> possible to get what they want, and redirecting them from our site just
> to support OpenID is useless, especially since our signup process itself
> takes as many steps.
If your signup process has multiple steps, why can't the first one be
"click one of these buttons to get started"? How much information do
you need from them? If it's stuff like their name and email and
location, you can frequently get that from the OpenID provider, making
the process *easier*, not harder.
> Give me something that acts more like Gravatar, in which I, as a user,
> only have to provide my email address. I'm always surprised to see my
> avatar pop up on sites that use it. It's a good thing.
Yes, it is, but it's unauthenticated and public. It has no need for
any type of security measures. You're comparing apples and oranges.
The biggest benefit, as far as I see, is that once the person using
your site logs in using OpenID for the first time and clicks the
"remember me" checkbox on the provider's page, then future logins are
a matter of one click. If you're not convinced yet that you're in over
your head if you aim to provide real security via a username/password
authentication mechanism of your own, maybe you should read about what
happened to Twitter:
http://blog.twitter.com/2009/01/monday-morning-madness.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9125239
http://blog.wired.com/27bstroke6/2009/01/professed-twitt.html
-> jp
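The exchange Jim describes above (the browser is redirected to the provider, the provider checks the password, and the relying party only ever receives a signed assertion) as an added worked example; it is not part of this thread and not code from embedit.in or any OpenID library. It simulates a minimal OpenID 2.0 checkid_setup round trip in one process using only the Python standard library: the hostnames rp.example / op.example, the user "alice", her password and the pre-shared association key are all constructed values, and the association exchange that would normally establish that key is assumed to have already happened.

```python
"""Simulated OpenID 2.0 redirect flow: relying party (RP) <-> OpenID provider (OP).

Constructed example. The "redirects" are plain function calls that pass the
URL the browser would be sent to. The point to notice: the password is typed
only into op_handle(); the RP functions never see it.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"
OP_ENDPOINT = "https://op.example/server"            # constructed
RP_REALM = "https://rp.example/"                     # constructed
RP_RETURN_TO = "https://rp.example/openid/return"    # constructed

# Association: an HMAC key the RP and OP agreed on earlier (assumed already done).
ASSOC_HANDLE = "assoc-demo-1"
ASSOC_KEY = secrets.token_bytes(32)

# Fields the OP signs; the RP refuses any response that does not sign all of them.
SIGNED_FIELDS = ["op_endpoint", "return_to", "response_nonce",
                 "assoc_handle", "claimed_id", "identity"]

# The OP's user database (constructed). Only the OP holds this.
OP_USERS = {"https://alice.example/": "correct horse battery staple"}

_seen_nonces = set()   # RP-side replay protection


def _sign(fields, key):
    """OpenID key-value form signing: HMAC over 'name:value\\n' pairs in order."""
    kv = "".join(f"{name}:{fields[name]}\n" for name in SIGNED_FIELDS)
    return hmac.new(key, kv.encode(), hashlib.sha256).hexdigest()


def _query(url):
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def rp_build_redirect(claimed_id):
    """Step 1 (RP): the user typed a URL, not a password; send the browser to the OP."""
    params = {
        "openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.return_to": RP_RETURN_TO, "openid.realm": RP_REALM,
    }
    return OP_ENDPOINT + "?" + urlencode(params)


def op_handle(redirect_url, password_typed_at_op):
    """Step 2 (OP): authenticate the user and redirect back with a signed assertion.
    Returns the return_to URL with the response, or None on a failed login."""
    q = _query(redirect_url)
    identity = q["openid.identity"]
    if OP_USERS.get(identity) != password_typed_at_op:
        return None                     # a real OP would send openid.mode=cancel
    fields = {
        "op_endpoint": OP_ENDPOINT, "return_to": q["openid.return_to"],
        "response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
                          + secrets.token_urlsafe(8),
        "assoc_handle": q["openid.assoc_handle"],
        "claimed_id": q["openid.claimed_id"], "identity": identity,
    }
    resp = {"openid.ns": OPENID_NS, "openid.mode": "id_res"}
    resp.update({"openid." + n: fields[n] for n in SIGNED_FIELDS})
    resp["openid.signed"] = ",".join(SIGNED_FIELDS)
    resp["openid.sig"] = _sign(fields, ASSOC_KEY)
    return fields["return_to"] + "?" + urlencode(resp)


def rp_verify(return_url):
    """Step 3 (RP): check the assertion. Returns the verified claimed_id or None."""
    parts = urlsplit(return_url)
    q = _query(return_url)
    if q.get("openid.ns") != OPENID_NS or q.get("openid.mode") != "id_res":
        return None
    signed = set(q.get("openid.signed", "").split(","))
    if not signed.issuperset(SIGNED_FIELDS):
        return None                     # required fields left unsigned
    fields = {n: q.get("openid." + n, "") for n in SIGNED_FIELDS}
    landed = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if fields["return_to"] != landed or landed != RP_RETURN_TO:
        return None                     # response was meant for somewhere else
    if fields["op_endpoint"] != OP_ENDPOINT or fields["assoc_handle"] != ASSOC_HANDLE:
        return None
    if not hmac.compare_digest(_sign(fields, ASSOC_KEY), q.get("openid.sig", "")):
        return None                     # tampered or forged
    if fields["response_nonce"] in _seen_nonces:
        return None                     # replayed assertion
    _seen_nonces.add(fields["response_nonce"])
    return fields["claimed_id"]


if __name__ == "__main__":
    to_op = rp_build_redirect("https://alice.example/")
    back = op_handle(to_op, "correct horse battery staple")
    print("logged in as:", rp_verify(back))
    print("replay accepted?", rp_verify(back) is not None)
```

The verification order matters: the signature is checked before the nonce is recorded, so a forged response cannot burn a nonce, and the replay set is only consulted for responses that already proved they came from the provider. The simulation uses a pre-shared association key; the stateless alternative in the spec (asking the OP to confirm the signature in a check_authentication request) would replace the HMAC comparison with a direct call to the OP.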