Martin Atkins (mart) wrote in apparentlymart,

OpenID users can be just as trusty as local users

A recent discussion over in Brad's journal highlighted a common misconception about OpenID: that OpenID users are somehow “less trustworthy” than a site's locally-registered users. While it's true that you can create an implementation in which OpenID users are “less trusted”, there's no reason why they can't be first-class citizens in your system.

It's all down to how your application reacts when it is first introduced to a previously-unknown identifier. You can ask the user to enter any details you like, and validate an email address, and perform a CAPTCHA test, and present a Terms of Service checkbox and anything else you'd normally do when creating a “local” account. It's entirely up to you and your application. Taking things to the logical extreme, you can present the user with a replica of your normal sign-up form but with the options to choose a username and password removed.
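The first-contact flow described above, sketched as an added example (not code from LiveJournal or any OpenID library): an unknown identifier goes through the same sign-up checks as a local user and ends up with the same trust level. The class names, step names and `trust_level` field are hypothetical, and the identifier is assumed to have been verified by your OpenID library already.

```python
# Added example; all names are hypothetical. The identifier is assumed to have
# been verified by an OpenID library before any of these methods are called.
from dataclasses import dataclass, field

# The same checks a local sign-up would require, minus username/password.
REQUIRED_STEPS = frozenset({"email_verified", "captcha_passed", "tos_accepted"})

@dataclass
class Account:
    identifier: str            # verified OpenID URL, used as the login key
    email: str
    trust_level: str = "full"  # same level as a locally registered account

@dataclass
class PendingSignup:
    identifier: str
    email: str = ""
    done: set = field(default_factory=set)
    def missing(self):
        return sorted(REQUIRED_STEPS - self.done)

class Accounts:
    def __init__(self):
        self.accounts, self.pending = {}, {}  # both keyed by identifier

    def on_verified_login(self, identifier):
        if identifier in self.accounts:
            return "logged_in", self.accounts[identifier]
        # Previously-unknown identifier: start or resume the sign-up form.
        signup = self.pending.setdefault(identifier, PendingSignup(identifier))
        return "signup_required", signup

    def record_step(self, identifier, step, email=None):
        if step not in REQUIRED_STEPS:
            raise ValueError(f"unknown sign-up step: {step}")
        signup = self.pending[identifier]
        if step == "email_verified":
            if not email:
                raise ValueError("email_verified needs the confirmed address")
            signup.email = email
        signup.done.add(step)

    def finish_signup(self, identifier):
        signup = self.pending[identifier]
        if signup.missing():
            raise PermissionError(f"sign-up incomplete: {signup.missing()}")
        del self.pending[identifier]
        self.accounts[identifier] = Account(identifier, signup.email)
        return self.accounts[identifier]
```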

Whatever you do, don't go copying LiveJournal's implementation. LiveJournal was one of the first sites to allow OpenID logins, and the community has gained a lot of implementation experience in the meantime; LiveJournal doesn't currently follow the vast majority of the best practices that have come about since then. Hopefully at some point LiveJournal's implementation can be improved.

Tags: identity, openid, trust