Martin Atkins (mart) wrote in apparentlymart,

OpenID users can be just as trusty as local users

A recent discussion over in Brad's journal highlighted a common misconception about OpenID: that OpenID users are somehow “less trustworthy” than a site's locally-registered users. While it's true that you can create an implementation in which OpenID users are “less trusted”, there's no reason why they can't be first-class citizens in your system.

It's all down to how your application reacts when it is first introduced to a previously-unknown identifier. You can ask the user to enter any details you like, validate an email address, perform a CAPTCHA test, present a Terms of Service checkbox, and do anything else you'd normally do when creating a “local” account. It's entirely up to you and your application. Taking things to the logical extreme, you can present the user with a replica of your normal sign-up form but with the options to choose a username and password removed.
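One way to express this in a relying party, as an added example that is not code from the original post or from any OpenID library: both sign-up paths draw on one list of checks, and the OpenID path drops only the username and password steps. The step names, `Account`, `AccountStore` and `on_verified_openid` are hypothetical, and the identifier is assumed to have already been verified by the site's OpenID library.

```python
from dataclasses import dataclass, field

# Checks every new account must pass, however the user authenticates.
COMMON_STEPS = ("email_verified", "captcha_passed", "tos_accepted")
# Checks that only apply when the site stores the credential itself.
LOCAL_ONLY_STEPS = ("username_chosen", "password_set")


def required_steps(auth_method):
    """Sign-up steps for 'local' or 'openid'; OpenID drops only the credential steps."""
    if auth_method == "local":
        return LOCAL_ONLY_STEPS + COMMON_STEPS
    if auth_method == "openid":
        return COMMON_STEPS
    raise ValueError(f"unknown auth method: {auth_method!r}")


@dataclass
class Account:
    auth_method: str
    identifier: str  # local username, or the verified OpenID identifier
    completed: set = field(default_factory=set)

    def missing(self):
        return [s for s in required_steps(self.auth_method) if s not in self.completed]

    def complete(self, step):
        if step not in required_steps(self.auth_method):
            raise ValueError(f"{step!r} is not a sign-up step for {self.auth_method}")
        self.completed.add(step)

    @property
    def first_class(self):
        # Same bar for everyone: nothing left to do means full membership.
        return not self.missing()


class AccountStore:
    def __init__(self):
        self._openid = {}

    def on_verified_openid(self, identifier):
        """Call only after the OpenID library has verified the assertion (assumed).

        Returns (account, next_page): an unknown or unfinished identifier goes to
        the sign-up form, never straight to a reduced-trust session.
        """
        account = self._openid.setdefault(identifier, Account("openid", identifier))
        return account, ("home" if account.first_class else "signup_form")
```

Because `first_class` is computed from the same step list for both account types, there is no separate, weaker trust level that an OpenID account can end up in by default.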

Whatever you do, don't go copying LiveJournal's implementation. LiveJournal was one of the first sites to allow OpenID logins, and the community has gained a lot of implementation experience in the meantime; LiveJournal doesn't currently follow the vast majority of the best practices that have come about since then. Hopefully at some point LiveJournal's implementation can be improved.

Tags: identity, openid, trust
