This blog can't be viewed on LiveJournal. Instead see

OpenID users can be just as trusty as local users

15th Jan 2007

A recent discussion over in Brad's journal highlighted a common misconception about OpenID: that OpenID users are somehow “less trustworthy” than a site's locally-registered users. While it's true that you can create an implementation in which OpenID users are “less trusted”, there's no reason why they can't be first-class citizens in your system.

It's all down to how your application reacts when it is first introduced to a previously-unknown identifier. You can ask the user to enter any details you like, and validate an email address, and perform a CAPTCHA test, and present a Terms of Service checkbox and anything else you'd normally do when creating a “local” account. It's entirely up to you and your application. Taking things to the logical extreme, you can present the user with a replica of your normal sign-up form but with the options to choose a username and password removed.

Whatever you do, don't go copying LiveJournal's implementation. LiveJournal was one of the first sites to allow OpenID logins, and the community has got a lot of implementation experience in the mean time; LiveJournal doesn't currently follow the vast majority of the best practices that have come about since then. Hopefully at some point LiveJournal's implementation can be improved.


  • (comment with no subject)

    LJ puts OpenID users into the "anonymous" category. This is of course the worst possible implementation.

    Which one is the best? Well, there's the tradeoff between "instant login" and "registration". We wouldn't want somebody who "signs in" to be immediately taken to "singup" (the ma.gnolia case).

    I'm not saying my implementation is the best. I just think it's better than that of LJ's and ma.gnolia's. When a new OpenID is entered, Simple Registration is used to try and get a username and an email address. A username alone (after validation) suffices to silently register the user. Now, if something fails, the user is presented with a registration form, this time requiring a valid email and ToS.
    By Dmitry Shechtman at 11:19 am on 16th Jan 2007
    • (comment with no subject)

      I imagine that LiveJournal, and possibly other sites with similar requirements, would probably go for a multi-stage process where your “instant login” (done at the LiveJournal comment form, for example) would just get you the ability to post anonymous comments, but you could upgrade to being able to post “real” comments by going through a simple process where you agree to the TOS, supply an email address and pass a CAPTCHA test.

      You could then theoretically elect to upgrade again to being a fully-fledged LiveJournal user with a journal and all of the other associated features by choosing a journal name for use in the URL but still authenticating with OpenID.

      However, getting from where LJ is now to that point is probably not trivial!

      By Martin Atkins at 08:38 am on 17th Jan 2007
      • (comment with no subject)

        That would be nice, although it would require multiple user levels (I counted four, including anonymous). In addition, I believe CAPTCHA should be replaced by trust.

        The current problem with LiveJournal is best illustrated by the reply form I am typing into. It says "Anonymous (will be screened)" and "OpenID (will be screened)", and not because you chose to screen OpenID comments. If OpenID is no better than anonymous, why use it?

        Well, Eran used MyOpenID to authenticate and then supplied a link to his blog in the comment text. Instead, he should have used his blog as OpenID and let me the curious reader look for that bridge post. Yet, that alone does not seem like sufficient justification for people to use OpenID for commenting in LiveJournal.
        By Dmitry Shechtman at 11:29 am on 17th Jan 2007
  • Absolutely

    I tried to make that exact point in a recent blog entry. entitled "An OpenID is not an account!":
    By Simon Willison at 11:19 am on 16th Jan 2007
  • Yahoo BBAuth

    I was just about to write about my current attempt to create something like that with Yahoo BBauth, but you beat me to it :-)

    Instead, I wrote about my BBAuth bridge here:

    I'm hoping to release something next week which will be workable :-)
    By ext_28637 at 09:24 pm on 16th Jan 2007