views:

557

answers:

9

As a Single Sign-On implementation, I think OpenID is great. Even so, is it necessarily a good choice for eCommerce? I know it can be used, but should it? Are you risking too much in putting all of one's access details in a single basket?

What's the general opinion out there?

A: 

Why not? The important thing is that you leave the user the possibility to use both ways to authenticate.

For example, here on Stack Overflow I use Google for my auth and I think that it's a pretty convenient and fast way. But if there is someone paranoid enough (sigh) who doesn't want to give too much information to a single OpenID provider, if you leave the possibility to use your custom registration & auth they should be satisfied.

Alekc
+1  A: 

IMO, why not?

But it kinda depends on what options the logged-in users got. If they can cancel orders, keep their credit card details with their profile, make orders without paying right away, and so on...

Then you should be more careful, but if it's just like the other eCommerce sites, remember stuff in basket, keep track of order status and so on.

Then I'd personally like not to remember another user and password.

Anyway, users tend to use the same password everywhere, and if that's the case why not use the same service to do the login :) ?

Moulde
+2  A: 

The question is really whether it is appropriate for your site's users. A general e-commerce site is unlikely to have many users that already have an OpenID setup, in contrast to the target audience of StackOverflow where I would guess at least 50% already have one.

If you have the time, then yes definitely implement it for the benefit of those fortunate enough to have discovered OpenID :o). However I would also implement a 'standard' login solution for users that don't care about OpenID.

roryf
Wait a minute. Did you just say that it's unlikely for most users of a generic e-commerce site to have an account with Google, Microsoft, Yahoo, Twitter, Facebook, Wordpress, MySpace, or eBay? Those are all OpenID providers.
Joel Mueller
Fair point that I did think of, the challenge is communicating to them that they can safely use those logins. If you can do that, go for it.
roryf
+2  A: 

I think the use of OpenID for ecommerce applications could have some very positive wide-ranging effects. The idea of being able to use the same login for all of your online shopping (albeit that may be itself a small security risk) makes it possible for others to potentially come along and make applications which will take your OpenID and present you with a "marketplace" of all your shops (Amazon, BestBuy, eBay, etc. all in one location).

TheTXI
+4  A: 

Depends on your target audience.

The less tech-savvy are probably pretty unfamiliar with OpenID, which would raise the threshold for your shop. A practical solution would be offering both conventional and OpenID authentication.

Technically OpenID authentication is a snap to implement, especially if you use a framework like JBoss Seam.

Edit: An additional concern is putting part of the user experience in your OpenID provider's hands. Providers do not all implement the OpenID spec the same way, so you need to make sure you do not limit testing to just one (for example Google returns a different authenticated OpenID depending on the domain of your app, while others don't). Not being able to authenticate is something the user is going to blame your site for, not the provider.

Daan van Yperen
+8  A: 

When I worked for a large eCommerce company, the company looked at OpenID. Don't get upset by this, but the company rejected OpenID because they didn't like some of the clunkiness of the implementation, and they found that it actually reduced signup rates, when run through sample user community testing (the user community hated it, but they hated a lot of things).

Bottom line: you absolutely can use it for an eCommerce site, but I would have the database built to allow for a switch if necessary, and have a way to determine if it is gaining or costing customers.

pearcewg
Yup, even SO now doesn't require an OpenID and you can instead use an email address.
Earlz
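The per-domain identifier behaviour and the "database built to allow for a switch" raised in the two answers above, as an added example that is not part of any answer. The provider is simulated with an HMAC over user and realm, and every name here (`provider_identifier`, the `account` and `identity` tables, the `shop.example` realms) is hypothetical.

```python
import hashlib
import hmac
import sqlite3

# Constructed stand-in for a provider that asserts a different identifier per
# relying-party realm (the per-domain behaviour described for Google above).
PROVIDER_SECRET = b"constructed-demo-secret"

def provider_identifier(user: str, realm: str) -> str:
    tag = hmac.new(PROVIDER_SECRET, f"{user}|{realm}".encode(), hashlib.sha256)
    return "https://provider.example/id?id=" + tag.hexdigest()[:20]

def open_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    # Identities live beside the account, not in it, so login methods can be
    # added or retired without touching orders, baskets or profiles.
    db.executescript("""
        CREATE TABLE account  (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL);
        CREATE TABLE identity (claimed_id TEXT PRIMARY KEY,
                               account_id INTEGER NOT NULL REFERENCES account(id));
    """)
    return db

def register(db, email):
    return db.execute("INSERT INTO account (email) VALUES (?)", (email,)).lastrowid

def link(db, account_id, claimed_id):
    # Call only from a session that has already authenticated as account_id.
    db.execute("INSERT INTO identity VALUES (?, ?)", (claimed_id, account_id))

def login_openid(db, claimed_id):
    row = db.execute("SELECT account_id FROM identity WHERE claimed_id = ?",
                     (claimed_id,)).fetchone()
    return row[0] if row else None  # None: unknown identifier, no auto-merge

def demo():
    db = open_store()
    old = provider_identifier("alice", "https://shop.example/")
    new = provider_identifier("alice", "https://www.shop.example/")
    acct = register(db, "alice@shop.example")
    link(db, acct, old)
    before = login_openid(db, old)
    miss = login_openid(db, new)   # realm changed: same person, new identifier
    link(db, acct, new)            # after she signs in with the site's own login
    return before, miss, login_openid(db, new)
```

Changing the realm the site sends (here, adding `www.`) turns every returning user of such a provider into an unknown identifier, which is why the realm should be fixed in configuration and why a second login method matters for recovery.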
A: 

Personally, no. I would not attach my OpenID to my bank accounts in any which way or form.

I use OpenID for all sorts of 'crap' sites and I don't trust them to keep my details on the down low or to be secure enough not to let them become compromised.

jim
A: 

I'm struggling with this very question. Implementing is easy, and you definitely need a regular account system for someone who doesn't have or want to use OpenID.

My real concern is the possible confusion on the user's end: using a login from one site on another just isn't common, understood or well trusted. It can work really well if you go with it, but just asking someone to enter their existing password might look like a scam. Most OpenID-enabled sites are blogs and information-based, not ecommerce. I think people are more concerned with safety when it involves their credit card & personal information.

So far the only big names in ecommerce I've found to offer OpenID login are sears.com / kmart.com. Does anyone know of any others?

Jordan
A: 

Funny, I just tried to log in here using my Google "openid" and got an error (even though I actually was allowed/logged in, I was shown an error page).

What I wonder is what happens when a user uses OpenID to log into an e-comm site... can the site admin still know all the details of the user?

In other words, does an OpenID login = site owner not having any user data? Or does an account get created in which the user can fill in personal details?

bob