I'm currently debating whether I should use OpenID login for one of my websites. OpenID may be harder for me to implement because I already have registration and login code written, but this is just a time consideration. What advantages and disadvantages are there to using OpenID in contrast to, say, a traditional website user account system?
Advantages
You have a single sign-on, which is actually pretty cool, in particular for people who have a lot of accounts here and there.
The OpenID server provides basic info about the user, saving the need to write down the usual basic info every time. In this sense you save the hassle for your users.
It enhances the traditional user/pass mechanism pretty well. There are many sites around providing both systems at the same time.
Moves trust of honesty from multiple parties to only one. At the moment, I don't know if any of the sites I am registered on stores my password in clear text to steal it and try to use it on other sites, assuming that I have the same password.
The technical advantage of delegation. You are not forced to use the same provider. You can switch.
Disadvantages
You still have to provide user/password to those who don't understand the new paradigm or don't have an OpenID (maybe they have one, but they don't know). If it's a broad range of people you are trying to address, then you could scare them away.
Also, I would not use it for anything serious. I would not trust my bank asking me to log in with my OpenID, nor many e-commerce sites either. It's ok for unimportant things.
The OpenID provider can track users' habits, as they receive all the auth requests. That's why I deployed my personal provider.
Finally, as far as I saw, in many cases OpenID servers move the password in cleartext, but this is my understanding and I could be wrong. I deployed my own OpenID provider, and I went to great lengths so that the password was transported via HTTPS, even if my OpenID is marked as http.
The main advantage that I see, although not necessarily applicable in your case if you want to keep your existing system, is that I don't have to worry about storing passwords.
Too many people use the same password (or a small set of passwords) for everything, so if my site were compromised (and I'd hope I was sufficiently skilled to prevent that, but security is a multi-layered beast, so anything that adds extra security is good in my book) then the attacker couldn't get hold of the password.
For the user, they can now legitimately have just one password for everything. They use an OpenID Provider that they trust rather than having to trust any Tom, Dick or Harry on the internet with a website.
Well, taking SO as an example, it supports both. I log in using my Google Account through OpenID, but I still need to have an account/username to link to my OpenID. I assume that you're only allowing logins through OpenID, and not letting your users log in using your site as an OpenID server.
So, to clear things up: you can reuse a lot of your login/logout code, and you will need it, because the only difference is that you authenticate through a third party instead of your own database. In pseudo-code, imagine this:
    def authenticate_from_db(username, password):
        # Traditional path: look up the stored record in your own database
        # (fetch_user_row and hash_of are placeholders for your existing code).
        row = fetch_user_row(username)   # None if no such user
        if row is not None and row.password_hash == hash_of(password):
            return True
        return False

    def authenticate_from_openid(openid_provider):
        # OpenID path: hand the login off to the third-party provider instead
        # of checking a password yourself (contact_openid_provider is a placeholder
        # for the OpenID library call that returns the verified identity, or None).
        returned_user = contact_openid_provider(openid_provider)
        if returned_user:
            # Map the identity the provider vouched for onto one of your own accounts.
            login.username = map_to_local_user(returned_user, your_db)
            return True
        return False
So you see, mostly the authentication process is changed while your own is still also used.
The advantage is pretty clear:
- Allowing users to log in with existing accounts through their OpenID provider.
- Your existing users could optionally log in through their OpenID provider.
The disadvantages are (I could imagine):
- Hostile OpenID providers (spam?) authenticating their spambots, etc.
- Other security concerns from allowing a third party to authenticate your users.
I want to underline that supporting OpenID should not change anything for your existing users.
OpenID users still need to have an account, they're just authenticated through a third-party.
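A runnable version of the two authentication paths discussed in this answer, added here as an example and not part of the answer or of any OpenID library. It assumes an in-memory dict as a stand-in for the site's user table, a constructed dict plus a `verified` flag as a stand-in for the provider's signed assertion (a real OpenID library performs the signature and nonce checks before you ever see the fields), and an allow-list of provider endpoints as one answer to the "hostile provider" concern above; the helper names and sample identifiers are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

USERS: dict = {}  # constructed in-memory stand-in for the site's user table
# Assumed allow-list of provider endpoints the site accepts assertions from.
TRUSTED_OP_ENDPOINTS = {"https://op.example.net/auth"}


@dataclass
class User:
    username: str
    pw_salt: Optional[bytes] = None   # None for OpenID-only accounts
    pw_hash: Optional[bytes] = None
    openids: set = field(default_factory=set)  # claimed_ids linked to this account


def _kdf(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked table does not hand out reused passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register_local(username: str, password: str) -> User:
    salt = os.urandom(16)
    USERS[username] = User(username, salt, _kdf(password, salt))
    return USERS[username]


def link_openid(username: str, claimed_id: str) -> None:
    USERS[username].openids.add(claimed_id)


def authenticate_from_db(username: str, password: str) -> Optional[User]:
    """Traditional path: compare a salted hash against the local table."""
    user = USERS.get(username)
    if user is None or user.pw_hash is None:
        _kdf(password, b"dummy-salt")  # keep timing similar for unknown users
        return None
    return user if hmac.compare_digest(_kdf(password, user.pw_salt), user.pw_hash) else None


def authenticate_from_openid(assertion: dict, verified: bool) -> Optional[User]:
    """OpenID path: the provider authenticated the user; we only map identity."""
    if not verified:  # signature/nonce check failed or was skipped: trust nothing
        return None
    if assertion.get("op_endpoint") not in TRUSTED_OP_ENDPOINTS:
        return None  # assertion from a provider this site does not accept
    claimed_id = assertion.get("claimed_id", "")
    for user in USERS.values():
        if claimed_id in user.openids:
            return user
    return None  # unknown identifier: route to account linking/registration
```

Note that the OpenID path never touches a password and that an unknown claimed identifier yields no login, which is exactly why the answer says OpenID users still need a local account.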