Since I have never used OpenID before, I have no idea about it.

I want to know: when someone wants to log into my website using OpenID, do I have to register his information? (Is there any registration process, even if the user doesn't fill in the information?)

Should I provide an alternative classical user registration beside OpenID?

+2  A: 

Opinionated Rant

My opinion will almost certainly be unpopular, but I'm going to make it anyway, 'for the good of privacy' :)

OpenID is not a great idea; typically in computer security it is considered bad to have a single account for everything, as if that account is compromised the person can compromise all services attached to it.

OpenID violates this quite directly.

As well as this, it creates a single point of failure, and if the protocol is shown to have a flaw [removed incorrect reference to OAuth flaw] it means you are susceptible everywhere.

Now it goes without saying that OpenID provides convenience; and sure it does, but for mine, the cost of this is too great.

Personally, I was a bit frustrated to note that OpenID was the only way to sign up to this site; so I would suggest to you that you provide an alternative mechanism (and if it were me, I would not implement OpenID at all).

Summary

Yes. Provide alternatives (IMHO).

Noon Silk
I don't like your opinion, but I can't find any flaws in it so I'm reluctantly up-voting it.
grenade
OpenID hasn't had a recent security flaw exposed to my knowledge. OAuth has, but that's a very different protocol.
Andrew Arnott
Another thing: most users (and silky you might be the exception) use the same username and password for most of their sites anyway. At least OpenID formalizes this tendency, and gives users the ability to choose a strong Provider (or set of Providers) that has great phishing protection. When implemented and configured correctly, OpenID is much more secure than the username-password anti-pattern. I LOVE when sites only accept OpenID, or at least when they don't require that I pick a password and give OpenID as an option for an exclusive login for my account.
Andrew Arnott
You are correct sir; my mistake. Corrected.
Noon Silk
I would argue that the possibility for phishing is increased *dramatically* because now effectively any site can claim that they need the OpenID password, and the naive user will not know better.
Noon Silk
Your last argument (comment) doesn't seem like an openid issue to me. Sites that use OpenID for their registration do not ask for a username/password. They merely forward you to the site you specify, where you enter your username/password. A phishing site could purport to be forwarding you to your provider, but how is that different from just spoofing your provider in the first place? In what way does OpenID increase phishing likelihood?
livingtech
+1  A: 

You can do it like the Stack Overflow website: a new user will be unknown until the user fills in his information, and on your website you can disallow the user from posting if he didn't complete his profile info.

"should I provide an alternative classical user registration beside OpenID"

Yes, you should provide one, because maybe the user doesn't have an OpenID registration or knows nothing about OpenID tech.

Wael Dalloul
+4  A: 

The best OpenID login experience has no user registration. You accept their OpenID and you and your user are both done. Talk about lowering the barrier to joining your web site. It doesn't get much easier than that! If you must gather more information about a user besides just their OpenID claimed identifier (and this is a general rule with user registration): keep it minimal, and preferably don't ask for the additional information until the user actually requests a service that requires that you collect that particular data. This helps keep the user interested in your site and doesn't drive him/her away.

And if you're writing a new web site, I highly encourage you not to accept the username/password anti-pattern. If you do your OpenID login right (today that probably means making big, prominent Google and Yahoo login buttons and then a smaller OpenID button that makes a text box appear), then users won't get confused. Before OpenID, lots of sites had "Login with Yahoo!" buttons on their sites and users "got it". OpenID can look just like that and be easy for the user.

By not offering a username/password style login, you somewhat force the user (with your ultra-easy OpenID login) to start getting used to not reusing an old password, or inventing a new one, at your site. We as webmasters must train web users to stop giving their private passwords to so many web sites.

Andrew Arnott
+3  A: 

Our solution was to run our own OpenID provider and not tell anyone. If you choose to sign in without OpenID, you get redirected to a very locked-down OpenID provider. This was great, as we started with 1 site and now have 4, and they can all share accounts. Our provider will not let you use it anywhere else (you can't log in here with it).

Jeff
I also did the same thing. It allowed my client to build a centralized billing system, and each service used attribute exchange to figure out what users were paying for. We would reject any external OpenID provider, and we didn't expose internal IDs to the outside. This model worked well because each service had been written in vastly different environments, and because it offered a clear path for expansion.
Bob Aman
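Two of the answers above describe the relying-party side in prose: Andrew Arnott's "accept the claimed identifier and you're done, no registration form", and Jeff's "run our own OpenID provider and reject everyone else's". The following Python is an added example written for this page, not code from the thread, from any of the posters, or from any OpenID library. It shows what a relying party must actually check on a positive OpenID 2.0 assertion (openid.mode=id_res) that was signed with a shared association: the return_to URL, the association handle, that the mandatory fields are covered by openid.signed, the HMAC over the key-value form, and a fresh, unreplayed response_nonce. Only after those checks does it create or look up an account keyed on the claimed identifier, with no profile collected. An optional allowlist of OP endpoints turns the same code into the private-provider model. Every URL, association handle, MAC key and identifier below is a constructed assumption; a real deployment would also run discovery on the claimed identifier to confirm it really delegates to the asserting OP, and would persist associations and nonces instead of holding them in memory.

```python
"""Added example (not from the original thread): OpenID 2.0 relying-party
checks on an id_res assertion, then registration-free login keyed on the
claimed identifier. All keys, handles, URLs and identifiers are assumed."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

OPENID2_NS = "http://specs.openid.net/auth/2.0"
HASHES = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}

# Assumed association state. A real RP stores the result of its
# openid.associate exchange with each OP, keyed by assoc_handle.
ASSOCIATIONS = {
    "assoc-123": {"type": "HMAC-SHA256", "mac_key": bytes(range(32))},
}


def kv_form(params, fields):
    """Key-value form of the signed fields: 'name:value\\n' per field, name
    without the 'openid.' prefix, in the order listed in openid.signed."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in fields)


def compute_sig(params, assoc):
    """HMAC over the key-value form with the association MAC key, base64."""
    fields = params["openid.signed"].split(",")
    mac = hmac.new(assoc["mac_key"], kv_form(params, fields).encode("utf-8"),
                   HASHES[assoc["type"]]).digest()
    return base64.b64encode(mac).decode("ascii")


class RelyingParty:
    """Verifies id_res responses and keeps registration-free accounts."""

    # Fields the spec requires openid.signed to cover on every id_res.
    MUST_SIGN = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}

    def __init__(self, return_to, allowed_ops=None, max_skew=timedelta(minutes=5)):
        self.return_to = return_to
        # None accepts any OP (the open model); a set of endpoint URLs is the
        # "our own provider only" model from the thread.
        self.allowed_ops = allowed_ops
        self.max_skew = max_skew
        self.seen_nonces = set()   # replay protection; persist this in practice
        self.accounts = {}         # claimed_id -> account, created on first login

    def verify(self, params, now):
        """Return the claimed identifier if the assertion is valid, else None."""
        g = params.get
        if g("openid.ns") != OPENID2_NS or g("openid.mode") != "id_res":
            return None
        if g("openid.return_to") != self.return_to:
            return None
        if self.allowed_ops is not None and g("openid.op_endpoint") not in self.allowed_ops:
            return None
        assoc = ASSOCIATIONS.get(g("openid.assoc_handle"))
        if assoc is None:
            return None  # unknown handle: would need check_authentication with the OP
        signed = g("openid.signed", "").split(",")
        if any("openid." + f not in params for f in signed):
            return None  # openid.signed names a field the response does not carry
        required = set(self.MUST_SIGN)
        required.update(f for f in ("claimed_id", "identity") if "openid." + f in params)
        if not required <= set(signed):
            return None
        if not hmac.compare_digest(compute_sig(params, assoc), g("openid.sig", "")):
            return None
        # response_nonce is 'YYYY-MM-DDThh:mm:ssZ' plus a unique suffix;
        # reject stale timestamps and any nonce seen before.
        nonce = g("openid.response_nonce", "")
        try:
            ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return None
        if abs(now - ts) > self.max_skew or nonce in self.seen_nonces:
            return None
        self.seen_nonces.add(nonce)
        return g("openid.claimed_id")

    def login(self, params, now):
        """Verify, then create-or-fetch the account keyed on claimed_id.
        Returns (account, created) or (None, False). No profile is asked for."""
        claimed_id = self.verify(params, now)
        if claimed_id is None:
            return None, False
        created = claimed_id not in self.accounts
        acct = self.accounts.setdefault(claimed_id, {"claimed_id": claimed_id, "profile": {}})
        return acct, created


def sample_response(now, claimed_id="https://alice.example.org/",
                    op="https://op.example.org/server",
                    return_to="https://rp.example.com/openid/return", nonce_suffix="abc"):
    """Constructed positive assertion, signed the way the OP would sign it."""
    params = {
        "openid.ns": OPENID2_NS, "openid.mode": "id_res", "openid.op_endpoint": op,
        "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": now.strftime("%Y-%m-%dT%H:%M:%SZ") + nonce_suffix,
        "openid.assoc_handle": "assoc-123",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    params["openid.sig"] = compute_sig(params, ASSOCIATIONS["assoc-123"])
    return params


if __name__ == "__main__":
    now = datetime(2009, 10, 1, 12, 0, tzinfo=timezone.utc)
    rp = RelyingParty("https://rp.example.com/openid/return")
    acct, created = rp.login(sample_response(now), now)
    print(acct["claimed_id"], "created" if created else "existing")
```

The account row is keyed on the claimed identifier, never on the OP-local identity, because the identity is only meaningful relative to the OP that asserted it. The nonce set is keyed per response here for brevity; the spec scopes uniqueness to the OP endpoint, so a persistent store should key on (op_endpoint, nonce). Switching `allowed_ops` to a one-element set is all it takes to get Jeff's private-provider behaviour, where any assertion from an outside OP is refused before its signature is even examined.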