Question in title.

+1  A: 

Why not both? I hadn't an OpenID before Stack Overflow, and creating one to join a website can be a real obstacle.

Nicolas
+8  A: 

I don't recommend this. You should consider offering OpenID as an option to your users, but don't replace traditional username/password authentication. There is a lot to like about OpenID and some users are very excited about it. However, OpenID doesn't solve all the problems and some users still prefer to use usernames and passwords. Abandoning username/password authentication would not be in the best interest of all your users.

Here's some background. There are three roles in an authentication exchange: subject (the user), relying party (the website), and identity provider. With traditional username/password authentication, the identity provider role is also assumed by the website because it verifies the user's credentials. With OpenID, the role of identity provider can be outsourced to a third-party (e.g., myOpenID).

This act of outsourcing the identity provider role creates several potential benefits to the user. (I'll assume you're familiar with them.) However, it isn't a perfect solution. There are security concerns, privacy concerns, usability concerns, and many, many others. This post provides a good summary. Steve Gibson also discusses his OpenID concerns on Security Now! Episode #111.

Using traditional username/password authentication doesn't force users into a third-party relationship with an identity provider. The user shouldn't have to trust a third party. The user shouldn't have to depend on another party being online in order to authenticate. Username/password is a much simpler and more straightforward system, which some users prefer for good reason. For them, the potential benefits of OpenID are not sufficient to justify its use.

Will
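A sketch of the "offer both" arrangement discussed in this thread, added here as an example and not taken from any of the answers. With a password the site itself plays the identity provider; with OpenID it only maps an identifier that a third party has vouched for. `AccountStore` and its method names are hypothetical, and `claimed_id` is assumed to have already been verified by an OpenID library.

```python
import hashlib
import hmac
import os


class AccountStore:
    """Relying-party account table that accepts both login methods."""

    def __init__(self):
        self._passwords = {}  # username -> (salt, PBKDF2 hash)
        self._openids = {}    # full claimed identifier URL -> username

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register_password(self, username, password):
        if username in self._passwords:
            raise ValueError("username taken")
        salt = os.urandom(16)
        self._passwords[username] = (salt, self._hash(password, salt))

    def login_password(self, username, password):
        # Site acts as identity provider: it checks the credential itself.
        # Unknown users still cost one hash, so timing does not reveal them.
        salt, stored = self._passwords.get(username, (b"\0" * 16, b""))
        candidate = self._hash(password, salt)
        return username if hmac.compare_digest(candidate, stored) else None

    def link_openid(self, username, claimed_id):
        # claimed_id: assumed already verified by an OpenID library.
        if username not in self._passwords:
            raise KeyError(username)
        # Key on the full identifier, never on an e-mail or nickname
        # attribute, and refuse to re-point it at a second account.
        if self._openids.setdefault(claimed_id, username) != username:
            raise ValueError("identifier already linked to another account")

    def login_openid(self, claimed_id):
        # Site is only the relying party: it looks up the verified identifier.
        return self._openids.get(claimed_id)


if __name__ == "__main__":
    store = AccountStore()
    store.register_password("alice", "correct horse")  # constructed sample data
    store.link_openid("alice", "https://alice.idp.example/")
    print(store.login_password("alice", "correct horse"))
    print(store.login_openid("https://alice.idp.example/"))
```
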
+2  A: 

This would be a judgement call, but in general I think OpenID has a lot of benefits in furthering the cause of "one login to rule them all", which makes logging in to a given site easy for your users.

You probably shouldn't remove an existing login feature if you have one, but it would be a nice supplement to support both.

Mike Stone
A: 

It really depends on the type of site, especially the level of security you require. I think OpenID is an obvious choice for community / information based sites. It would possibly / probably be a bad fit for a banking site, although it's not necessarily any worse than the standard username / password mess.

Jon Galloway
+1  A: 

I think yes, the more websites use OpenID, the fewer people won't have one, making signing in anywhere very easy.

I had an OpenID and signing in here was a smooth process.

I'm really tired of filling forms at every website.

Juan Manuel
+6  A: 

If your site is a forum or blog, definitely. Creating "yet another" user/pass is a barrier to dialog, something you don't want on those types of sites. I can't tell you how many times I decide to not answer a question or post on a forum because the sign up takes longer than the would-be post.

Another option is CardSpace. You can request a card with an email. Create an account internally with the email, use the security token generated between your site and the card for login. You have the email in case the card is lost/deleted and the user needs to log in with a password.

Brian Leahy
+1  A: 

It depends a lot on your target audience. A site like Stack Overflow will attract techy people who are more likely to already have or want in the near future an OpenID, so it makes sense; a site aimed at grannies will probably struggle if that's the only option. I agree offering both is the optimal solution, especially if you already have an existing user base.

roryf
+1  A: 

I like OpenID, it's not terribly difficult for developers to set up and removes a chunk of the tiresome registration procedures a new user encounters on visiting your site. You can also associate site-specific info with an OpenID. Hell, most of the security is handled by the OpenID providers too.

I can't see many benefits other than keeping your users' information completely under your control. You can still control user access if you think in the right mindset - it's actually easier work for you at the end of the day.

The main flaw is that users not introduced to OpenID may be confused at the start. I was certainly confused by the number of providers to choose from. It took me a while to work out if it actually mattered. If you do use OpenID, write a good explanation as to why you use it and how people can get one easily.

Also make it easy. I especially like Stack Overflow's login feature.

Ross
+2  A: 

Cast my vote for having both as well. For a techy crowd it might make some sense, but the average user has no idea what an OpenID even is, let alone how to set one up.

Kevin Pang
+2  A: 

No.

OpenID is confusing enough for technical users who've heard of OpenID and know what it's about. It's a nightmare for anyone else.

Use e-mail addresses to sign on, and if required (e.g. a forum, blog comments, etc.) allow people to create a display username (i.e. don't just display their e-mail addresses).

E-mail addresses are more or less unique (shared mailboxes occur, but infrequently enough that I wouldn't worry about them) and have the huge benefit that most people know what their e-mail address is already.

DrPizza