Scenario: A user logs into a site (like StackOverflow) with an OpenID. A year later they return to the site but their OpenID provider has gone out of business and won't let them log in.

How best should they recover from this situation? And are there any OpenID-enabled sites you know of that have already implemented a solution for this?

There is an excellent article here about relying party best practices and they have a good suggestion but I'm still looking for an example of this in action:

Provide Lost Identifier functionality to switch to a new identifier without access to the old one

Provide a mechanism to switch an account to use a new identifier without access to the old identifier(s) associated with the account. This can take a similar form to the traditional "Forgot your password?" email verification dance, assuming that you have the user's email address on file.

Rationale: Users will sometimes lose the ability to use their identifiers, such as when their provider ceases to offer service to them. This functionality allows users to recover from this situation without losing their data.

I have some vague idea of how I can accomplish this with a token of sorts that's sent to the user's email address. But again, if someone else has already figured out a good solution with details I may not have thought of yet, then that'd be better.

+7  A: 

StackOverflow allows multiple OpenIDs to be associated with an account, so you can set up a backup provider.

Another solution might be to collect the user's e-mail address, and send a reset link to that e-mail address.

Ultimately, you're going to have the occasional user in any system that can't be dealt with automatically. Even without OpenID, it's easy for a user to lose access to their e-mail and forget their password, or to forget both their username and password. Sometimes, the only solution is going to be either "you need to sign up again" or "our customer service folks have granted you access to that account".

ceejayoz
The multiple OpenID thing is a good idea (also included in that best practices document). And I am collecting users' email addresses so that part is done. I guess I'm just hoping to find an example that's easy on the user while being secure at the same time.
Steve Wortham
Ultimately the "email address back door" ought to be closed. If I find out your email password, it's a shame that I own your identity on the Internet as it is today. Multiple OpenIDs is a better solution, although itself not ideal either. I think there is room to find a better solution. But I don't know what that is.
Andrew Arnott
A: 

One thing you could do would be to also build your site to not only be an OpenID Consumer, but an OpenID Provider. That way if, for some reason, a provider goes out of business, you can have your members simply log in using your provider, and allow them to get their profile back somehow. Like how SO allows multiple IDs, or perhaps just having a migrate functionality from one ID to another. Your biggest problem is going to be the fact that their original ID can't be authenticated. I'm not sure allowing multiple IDs will alleviate that, but it might prevent such situations if your users are proactive.

Joseph
Doesn't that get rid of the entire point of OpenID - not having each site being its own provider?
ceejayoz
@ceejayoz Yes it does, but the concern stems from the fact of having a centralized (single) login. The only way to fix that is to have another login.
Joseph
@ceejayoz I'm saying to use it as a backup mechanism, not as the primary. It would probably not even be something you would advertise on your site, only for users who have problems logging in.
Joseph
@Joseph, I agree -- it's not a terrible idea to become an OpenID provider myself and it really wouldn't be that hard. It doesn't solve my particular problem though. As you said, the real trick is first proving that they own their old account that they can no longer authenticate with. And then allowing them to log in with an alternative OpenID. And then last of all -- presenting this to the user in a way that doesn't confuse the crap out of them.
Steve Wortham
@Steve Exactly, but the problem is that the multiple ID solution only works for users that are proactive and link up more than one account before one of them goes down. Your average case user probably isn't going to do that, so you're back to square one. So your real problem is, "how do you authenticate a user when the authenticator can't authenticate them?" And to that I don't really think there's a good answer.
Joseph
+1  A: 

I implemented the account recovery feature I was thinking about. After letting the idea simmer for a while, I think I've come up with a pretty simple process for the user that's still secure.

Here's the process:

  1. Click the "having trouble" link under the OpenID buttons.
  2. Type in your email address and click "Send Account Recovery Email."
  3. Open the email and click the link. (The link has a one-time-login token in the querystring.)
  4. You'll automatically be logged in to my site (the one-time-login token will be destroyed so it can't be used again) and you're instructed to log in with a secondary OpenID.

I also made a video demonstrating this:

http://regexhero.net/blog/2010/01/using-openid-on-regex-hero.html

Steve Wortham
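
The one-time-login token flow described in the answer above, sketched as an added example (this is not the answerer's code or any site's implementation). The class name `RecoveryTokens`, the 30-minute lifetime, storing only a hash of the token, and the in-memory dictionaries standing in for database tables are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60  # assumed lifetime; the post does not state one


class RecoveryTokens:
    """In-memory stand-in for a site's recovery-token table (hypothetical)."""

    def __init__(self, accounts_by_email, clock=time.time):
        self._accounts = accounts_by_email  # email -> account id
        self._pending = {}                  # sha256(token) -> (account id, expiry)
        self._clock = clock

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table yields no usable links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email):
        """Return a token to put in the e-mailed link, or None if unknown.

        The caller should show the same "check your inbox" page either way,
        so the form cannot be used to test which addresses have accounts.
        """
        account_id = self._accounts.get(email.strip().lower())
        if account_id is None:
            return None
        # A new request supersedes any token still outstanding for the account.
        self._pending = {d: v for d, v in self._pending.items()
                         if v[0] != account_id}
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        expiry = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (account_id, expiry)
        return token

    def redeem(self, token):
        """Consume a token: account id on success, None if invalid/expired/used."""
        # pop() destroys the token on first presentation, even if it has expired.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        account_id, expires_at = entry
        if self._clock() > expires_at:
            return None
        return account_id
```
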