[thelist] [OT] OpenID

Jim Puls jim at nondifferentiable.com
Tue Mar 24 13:41:54 CDT 2009


On Mar 24, 2009, at 3:48 AM, Jack Timmons wrote:

> On Tue, Mar 24, 2009 at 4:55 AM, Lee Kowalkowski <lee.kowalkowski at googlemail.com> wrote:
>
>> I've only seen it used on stackoverflow.com, which is even a headache
>> for a user if you don't habitually authenticate with one of their
>> OpenID providers whenever you surf.
>> --
>> Lee
>>

As somebody who has implemented a site (http://embedit.in) that uses  
OpenID as its exclusive authentication mechanism, maybe I can chime in.

The way I see it, "if you don't habitually authenticate with one of  
their providers" is a non-starter. The number of people on the web  
without a Google account, a Yahoo! account, an AOL account, a  
Wordpress account, a Livejournal account, or a Blogger account is  
pretty vanishingly small, is it not?

> I gazed over the specs and that's exactly what happens.

Well, mostly. The client doesn't give you an email, they give you a  
URL, so there's no real step of "figuring out where to send them".

> Personally, I wouldn't even bother with it. I think it's a case of
> "good ideal, bad implementation".

More accurately, "good idea, bad user experience". Giving somebody a  
box to put a URL in will scare away all but the most hardcore of  
Internet users, and it's no surprise that sites that have done this  
are finding limited returns. Stack Overflow does it a bit better,  
giving you an "Alternatively, click your account provider" section of  
the login form. I haven't yet found a better interface than the way  
RPX (http://rpxnow.com) does it, though I might roll my own soon.

If you want to use both, I haven't seen a better interface than the  
way UserVoice (http://uservoice.com) does it.

> Why can't I just have a page I can CURL from the server to authenticate
> from? Instead of redirecting them (adding no less than two extra steps
> to a login process that takes only one if I don't use it), I could just
> use the feedback from there.

Because now the user has to give you their password, which makes the  
whole thing less secure. Remember, you're asking them for a credential  
from a third-party site. Do you really think Google would let you ask  
a user for their Google password in order to log in to your site?

> We're trying to design a site so the user goes through as little steps
> as possible to get what they want, and redirecting them from our site
> just to support OpenID is useless, especially since our signup process
> itself takes as many steps.

If your signup process has multiple steps, why can't the first one be  
"click one of these buttons to get started"? How much information do  
you need from them? If it's stuff like their name and email and  
location, you can frequently get that from the OpenID provider, making  
the process *easier*, not harder.

> Give me something that acts more like Gravatar, in which I, as a user,
> only have to provide my email address. I'm always surprised to see my
> avatar pop up on sites that use it. It's a good thing.

Yes, it is, but it's unauthenticated and public. It has no need for  
any type of security measures. You're comparing apples and oranges.

The biggest benefit, as far as I see, is that once the person using  
your site logs in using OpenID for the first time and clicks the  
"remember me" checkbox on the provider's page, then future logins are  
a matter of one click. If you're not convinced yet that you're in over  
your head if you aim to provide real security via a username/password  
authentication mechanism of your own, maybe you should read about what  
happened to Twitter:

http://blog.twitter.com/2009/01/monday-morning-madness.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9125239
http://blog.wired.com/27bstroke6/2009/01/professed-twitt.html

-> jp
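To make the redirect flow discussed above concrete, here is an added Python sketch of the relying-party side (my example; it is not code from the thread or from embedit.in). It checks the signed positive assertion the provider sends back through the user's browser, which is why the site never has to handle the user's third-party password. It assumes a pre-established association (the MAC key and handle below are constructed), the OpenID 2.0 key-value signature rule, and placeholder URLs for the provider and the return_to endpoint.

```python
import base64
import calendar
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

# Constructed values: in OpenID 2.0 the MAC key and handle come from the
# association the relying party negotiates with the provider beforehand.
ASSOC_HANDLE = "assoc-demo-1"
MAC_KEY = b"constructed-example-mac-key-not-a-real-secret"
OUR_RETURN_TO = "https://rp.example.test/openid/return"
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}
seen_nonces = set()

def kv_signature(params, signed_fields):
    """OpenID 2.0 sec. 6: HMAC over 'name:value\\n' lines, in openid.signed order."""
    body = "".join(f"{n}:{params['openid.' + n]}\n" for n in signed_fields)
    mac = hmac.new(MAC_KEY, body.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")

def verify_positive_assertion(query_string, now=None):
    """Return the claimed identifier from a valid signed redirect, else raise."""
    q = {k: v[0] for k, v in parse_qs(query_string).items()}
    if (q.get("openid.ns"), q.get("openid.mode")) != ("http://specs.openid.net/auth/2.0", "id_res"):
        raise ValueError("not a positive OpenID 2.0 assertion")
    if q.get("openid.return_to") != OUR_RETURN_TO or q.get("openid.assoc_handle") != ASSOC_HANDLE:
        raise ValueError("return_to or association handle is not ours")
    signed = q.get("openid.signed", "").split(",")
    if not REQUIRED_SIGNED.issubset(signed):
        raise ValueError("a required field is not covered by the signature")
    nonce = q.get("openid.response_nonce", "")
    issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    if abs((now or time.time()) - issued) > 300 or nonce in seen_nonces:
        raise ValueError("response nonce is stale or replayed")
    if not hmac.compare_digest(kv_signature(q, signed), q.get("openid.sig", "")):
        raise ValueError("signature does not match the association key")
    seen_nonces.add(nonce)  # the provider never told us a password; only this signature
    return q["openid.claimed_id"]

def demo_assertion(claimed_id, nonce):
    """Constructed positive assertion, as the provider would redirect it back to us."""
    p = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
         "openid.op_endpoint": "https://op.example.test/server",
         "openid.return_to": OUR_RETURN_TO, "openid.response_nonce": nonce,
         "openid.assoc_handle": ASSOC_HANDLE, "openid.claimed_id": claimed_id,
         "openid.identity": claimed_id, "openid.signed": ",".join(sorted(REQUIRED_SIGNED))}
    p["openid.sig"] = kv_signature(p, p["openid.signed"].split(","))
    return urlencode(p)
```

A real relying party also performs discovery on the claimed identifier and falls back to the provider's check_authentication endpoint when it holds no association; both are left out here.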
