[thelist] [OT] OpenID

Jack Timmons jorachim at gmail.com
Tue Mar 24 15:25:32 CDT 2009


On Tue, Mar 24, 2009 at 1:41 PM, Jim Puls <jim at nondifferentiable.com> wrote:

>  The number of people on the web without a Google account, a Yahoo!
> account, an AOL account, a Wordpress account, a Livejournal account, or a
> Blogger account is pretty vanishingly small, is it not?


True.


> Well, mostly. The client doesn't give you an email, they give you a URL, so
> there's no real step of "figuring out where to send them".


Didn't know that. Might have found out if I read more, but who reads these
days, anyway? If I were to defend myself, I wrote that 18 minutes after
waking up from a few hours sleep, and I'm not the type to get by with only
that.


> More accurately, "good idea, bad user experience".


That statement was based on the person explaining it to me. I should have,
of course, realized that the person explaining it was a horrible source.


> Giving somebody a box to put a URL in will scare away all but the most
> hardcore of Internet users, and it's no surprise that sites that have done
> this are finding limited returns. Stack Overflow does it a bit better,
> giving you an "Alternatively, click your account provider" section of the
> login form. I haven't yet found a better interface than the way RPX (
> http://rpxnow.com) does it, though I might roll my own soon.
>
> If you want to use both, I haven't seen a better interface than the way
> UserVoice (http://uservoice.com) does it.


That was the main downside for us: Not wanting to go find all the URLs we
might need to include.

I will admit, though, at this point I'm considering giving it a shot on one
of my own sites I plan on coding here soon.


> Because now the user has to give you their password, which makes the whole
> thing less secure. Remember, you're asking them for a credential from a
> third-party site. Do you really think Google would let you ask a user for
> their Google password in order to log in to your site?


This I wholly attribute to previous excuses.


> If your signup process has multiple steps, why can't the first one be
> "click one of these buttons to get started"? How much information do you
> need from them? If it's stuff like their name and email and location, you
> can frequently get that from the OpenID provider, making the process
> *easier*, not harder.
>
> The biggest benefit, as far as I see, is that once the person using your
> site logs in using OpenID for the first time and clicks the "remember me"
> checkbox on the provider's page, then future logins are a matter of one
> click. If you're not convinced yet that you're in over your head if you aim
> to provide real security via a username/password authentication mechanism of
> your own, maybe you should read about what happened to Twitter:
>
> http://blog.twitter.com/2009/01/monday-morning-madness.html
>
> http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9125239
> http://blog.wired.com/27bstroke6/2009/01/professed-twitt.html
>

What I can see from the first article is something attributed to a user on
their part having a horrible password, which is nothing OAuth could have directly
helped. As for the phishing scam...well, what can you do to prevent people
from giving their passwords to phishers outside of making them aware?

What's the difference between them supplying our site a password and them
supplying Google a password? Security? I would think people would have
placed a lot of trust in Twitter's security, too. Outside of adding SSL
encryption, we've done what we can to ensure nothing bad happens. After error
processing, it was the first class I put in place.

-- 
-Jack Timmons
http://www.trotlc.com
Twitter: @codeacula
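As an added example (not from this thread, and not code from any of the sites or products mentioned in it), here is the relying-party side of OpenID 2.0 that Jim's point rests on, in Python: the user types a URL, the site discovers the provider from that page, sends the browser there, and later checks the signed assertion that comes back. The site never receives a password. The identifier page, provider URLs, association MAC key and nonce below are constructed for the example; the association handshake and Yadis/XRDS discovery are left out.

```python
"""OpenID 2.0 relying-party essentials: discover the provider from the user's URL,
build the redirect, verify the signed id_res. Added example; not the thread's code."""
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit, urlunsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"
# Constructed sample: what the RP would fetch from the user's identifier URL.
SAMPLE_PROFILE_HTML = """<html><head><title>Jack</title>
<link rel="openid2.provider" href="https://op.example.net/server">
<link rel="openid2.local_id" href="https://op.example.net/id/jack">
</head><body>Jack's page</body></html>"""


def normalize_identifier(user_input: str) -> str:
    """Section 7.2 of the spec for URL identifiers (the XRI branch is omitted)."""
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s
    p = urlsplit(s)
    # lower-case scheme and host, default an empty path to "/", drop any fragment
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


class _LinkCollector(HTMLParser):
    """Collect <link rel=... href=...>; rel may carry several space-separated tokens."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                self.links.setdefault(rel, a.get("href"))


def discover_from_html(page_html: str, claimed_id: str) -> dict:
    """HTML-based discovery (section 7.3.3): find the provider endpoint on the page."""
    c = _LinkCollector()
    c.feed(page_html)
    if "openid2.provider" not in c.links:
        raise ValueError("no openid2.provider <link> on the identifier page")
    return {"op_endpoint": c.links["openid2.provider"], "claimed_id": claimed_id,
            "local_id": c.links.get("openid2.local_id", claimed_id)}


def build_checkid_setup_url(info: dict, return_to: str, realm: str) -> str:
    """The redirect that sends the browser to the provider (section 9.1)."""
    q = {"openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
         "openid.claimed_id": info["claimed_id"], "openid.identity": info["local_id"],
         "openid.return_to": return_to, "openid.realm": realm}
    sep = "&" if "?" in info["op_endpoint"] else "?"
    return info["op_endpoint"] + sep + urlencode(q)


def kv_form(params: dict, signed: list) -> bytes:
    """Key-Value form of the signed fields (sections 4.1.1 and 6.1), keys sans 'openid.'."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed).encode("utf-8")


def op_sign(fields: dict, mac_key: bytes) -> dict:
    """Provider side, included only so the example runs offline: sign a positive assertion."""
    params = {"openid.ns": OPENID_NS, "openid.mode": "id_res"}
    params.update({"openid." + k: v for k, v in fields.items()})
    signed = list(fields)
    params["openid.signed"] = ",".join(signed)
    mac = hmac.new(mac_key, kv_form(params, signed), hashlib.sha256).digest()
    params["openid.sig"] = base64.b64encode(mac).decode()
    return params


def verify_response(params: dict, mac_key: bytes, expected_return_to: str, seen_nonces: set) -> bool:
    """RP checks on an assertion (section 11): mode, mandatory signed fields, return_to,
    nonce replay, and the HMAC-SHA256 signature under the association's MAC key."""
    if params.get("openid.ns") != OPENID_NS or params.get("openid.mode") != "id_res":
        return False
    signed = params.get("openid.signed", "").split(",")
    required = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}
    if not required <= set(signed) or any("openid." + k not in params for k in signed):
        return False
    if params["openid.return_to"] != expected_return_to:
        return False
    if params["openid.response_nonce"] in seen_nonces:
        return False  # replayed assertion
    mac = hmac.new(mac_key, kv_form(params, signed), hashlib.sha256).digest()
    if not hmac.compare_digest(base64.b64encode(mac).decode(), params.get("openid.sig", "")):
        return False
    seen_nonces.add(params["openid.response_nonce"])
    return True


def demo() -> tuple:
    """Run both halves on the constructed data: (genuine ok, tampered ok, replay ok)."""
    claimed = normalize_identifier("Example.com/jack#me")
    info = discover_from_html(SAMPLE_PROFILE_HTML, claimed)
    return_to = "https://rp.example.com/openid/return"
    mac_key = b"\x01" * 32  # constructed; a real key comes from the association step
    resp = op_sign({"op_endpoint": info["op_endpoint"], "claimed_id": claimed,
                    "identity": info["local_id"], "return_to": return_to,
                    "response_nonce": "2009-03-24T20:25:32ZabcDEF", "assoc_handle": "h1"}, mac_key)
    seen = set()
    genuine = verify_response(resp, mac_key, return_to, seen)
    forged = dict(resp, **{"openid.identity": "https://op.example.net/id/jim"})
    tampered = verify_response(forged, mac_key, return_to, set())
    replayed = verify_response(resp, mac_key, return_to, seen)
    return genuine, tampered, replayed
```

Two things a real relying party adds on top of this: it compares the `openid.op_endpoint` and `openid.claimed_id` in the assertion against what its own discovery step found (otherwise any provider could assert any identifier), and it ties `return_to` to the browser session so an assertion cannot be pasted into someone else's login. The "one click" Jim describes is simply the provider skipping its own prompt on later `checkid_setup` requests; nothing about the exchange above changes.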


