Martin Atkins (mart) wrote in apparentlymart,

OpenID users can be just as trusty as local users

A recent discussion over in Brad's journal highlighted a common misconception about OpenID: that OpenID users are somehow “less trustworthy” than a site's locally-registered users. While it's true that you can create an implementation in which OpenID users are “less trusted”, there's no reason why they can't be first-class citizens in your system.

It's all down to how your application reacts when it is first introduced to a previously-unknown identifier. You can ask the user to enter any details you like, validate an email address, perform a CAPTCHA test, present a Terms of Service checkbox, and do anything else you'd normally do when creating a “local” account. It's entirely up to you and your application. Taking things to the logical extreme, you can present the user with a replica of your normal sign-up form but with the options to choose a username and password removed.
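A sketch of that first-encounter flow, added here as an illustration and not code from this post or from any OpenID library. The names `Account`, `AccountStore`, `on_openid_login` and the step labels are hypothetical, and the identifier is assumed to have already been verified by whatever OpenID library you use.

```python
from dataclasses import dataclass, field

# Steps every new account must complete (the checks named in the post).
COMMON_STEPS = ("email_verified", "captcha_passed", "tos_accepted")
# Steps only a locally registered account needs.
LOCAL_ONLY_STEPS = ("username_chosen", "password_set")


@dataclass
class Account:
    kind: str                      # "local" or "openid"
    identifier: str                # username, or the verified OpenID URL
    completed: set = field(default_factory=set)

    def required_steps(self):
        # OpenID accounts get the same form minus username/password.
        extra = LOCAL_ONLY_STEPS if self.kind == "local" else ()
        return COMMON_STEPS + extra

    def missing_steps(self):
        return [s for s in self.required_steps() if s not in self.completed]

    def complete(self, step):
        if step not in self.required_steps():
            raise ValueError(f"{step!r} does not apply to {self.kind} accounts")
        self.completed.add(step)

    def is_first_class(self):
        # Trust depends on completed onboarding, never on login method.
        return not self.missing_steps()


class AccountStore:
    def __init__(self):
        self._by_openid = {}

    def on_openid_login(self, verified_identifier):
        """Call only after the OpenID assertion has been verified."""
        account = self._by_openid.get(verified_identifier)
        if account is None:
            # First introduction to this identifier: start onboarding.
            account = Account("openid", verified_identifier)
            self._by_openid[verified_identifier] = account
        return account
```

The application would gate posting or other privileges on `is_first_class()` and show the sign-up form for whatever `missing_steps()` returns.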

Whatever you do, don't go copying LiveJournal's implementation. LiveJournal was one of the first sites to allow OpenID logins, and the community has gained a lot of implementation experience in the meantime; LiveJournal doesn't currently follow the vast majority of the best practices that have come about since then. Hopefully at some point LiveJournal's implementation can be improved.

Tags: identity, openid, trust
