OpenID concern #1: forgotten OpenID

There are just short of 1.3 zillion OpenID concerns out there (no, seriously, I counted), most of them well-intentioned but overblown. And most of them apply just as much to username and password. The biggest difference is that everyone has experience with username and password and knows all of the best practices for dealing with them. Unfortunately, OpenID is still young, and so the best practices are still evolving.

Habari developer Owen Winkler over at Asymptomatic describes how, after spending months away from Zooomr, he had forgotten which OpenID he used to sign up.

I had the same thing happen to me (maybe even more than once) before I got the hang of the whole OpenID thing. Now that I have the hang, though, I’m far better off because I get to use the same username everywhere instead of discovering that “sblom” is already taken or that they require at least 6 letters and having to choose “sblomqui” or “sblom000” or something else entirely.

However, there will always be new users on a site who don’t yet have the hang of OpenID, and who haven’t yet settled on a favorite OpenID URL to use everywhere. They’re bound to forget which OpenID they used to sign in from time to time. This is where best practices come in. The OpenID wiki has a good and growing collection of OpenID Relying Party Best Practices, where they mention, among other things, that the right thing to do is to let users use the email on file with the Relying Party to change which OpenID is associated with their account, in case the user has lost access to their OpenID or has forgotten which one they used.
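As an added illustration (not code from the post, the OpenID wiki, or Zooomr), here is a small Relying Party account store that implements that best practice: a user who has forgotten their OpenID asks for a recovery link at the email on file, and the link lets them attach a different OpenID to the same account. The names, the 15-minute token lifetime and the `RelyingPartyStore` API are all assumptions made for the example. The parts a practitioner would want to get right are in the code: the secret is stored only as a hash, it is single-use and expires, the comparison is constant-time, an unknown email gets the same response as a known one so the form does not confirm which addresses have accounts, and an OpenID already linked to someone else is refused. The caller is expected to have completed an ordinary OpenID authentication round-trip for the new identifier before calling `complete_recovery`, so the RP knows the user actually controls it.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 15 * 60  # recovery links expire after 15 minutes (assumed policy)


@dataclass
class Account:
    email: str                                  # verified email on file with the RP
    openids: set = field(default_factory=set)   # OpenID identifiers allowed to sign in


@dataclass
class RecoveryToken:
    email: str
    secret_hash: str     # only the hash is stored; the secret itself goes out by email
    expires_at: float
    used: bool = False


class RelyingPartyStore:
    """Hypothetical RP account store with email-based OpenID re-association."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry can be tested
        self.accounts = {}      # email -> Account
        self.tokens = {}        # token id -> RecoveryToken

    def register(self, email, openid):
        if self.find_by_openid(openid) is not None:
            raise ValueError("OpenID already linked to an account")
        self.accounts[email] = Account(email, {openid})

    def find_by_openid(self, openid):
        for acct in self.accounts.values():
            if openid in acct.openids:
                return acct
        return None

    def start_recovery(self, email):
        """Return the token to email to the user, or None for an unknown address.

        The web form should answer identically in both cases ("if that address
        has an account, a link is on its way") so it cannot be used to enumerate
        which emails are registered."""
        if email not in self.accounts:
            return None
        token_id = secrets.token_urlsafe(8)
        secret = secrets.token_urlsafe(32)
        self.tokens[token_id] = RecoveryToken(
            email=email,
            secret_hash=hashlib.sha256(secret.encode()).hexdigest(),
            expires_at=self.clock() + TOKEN_TTL_SECONDS,
        )
        return f"{token_id}.{secret}"

    def complete_recovery(self, token, new_openid):
        """Link new_openid to the account the token was issued for.

        Precondition: the caller has already run a normal OpenID authentication
        for new_openid, so the user is known to control that identifier."""
        try:
            token_id, secret = token.split(".", 1)
        except ValueError:
            return False                       # malformed token
        rec = self.tokens.get(token_id)
        if rec is None or rec.used or self.clock() > rec.expires_at:
            return False                       # unknown, already used, or expired
        presented = hashlib.sha256(secret.encode()).hexdigest()
        if not hmac.compare_digest(presented, rec.secret_hash):
            return False                       # wrong secret (constant-time check)
        owner = self.find_by_openid(new_openid)
        if owner is not None and owner.email != rec.email:
            return False                       # identifier belongs to someone else
        rec.used = True                        # single use
        self.accounts[rec.email].openids.add(new_openid)
        return True


def demo():
    """Constructed walk-through: a user recovers with a new OpenID URL."""
    store = RelyingPartyStore()
    store.register("owen@example.com", "https://old.example.net/owen")
    token = store.start_recovery("owen@example.com")   # would be emailed
    ok = store.complete_recovery(token, "https://new.example.org/owen")
    return ok and store.find_by_openid("https://new.example.org/owen").email == "owen@example.com"


if __name__ == "__main__":
    print("recovery succeeded:", demo())
```

The example keeps the old identifier on the account and adds the new one, which is the friendlier behaviour when the user merely forgot which URL they used; if the reason for recovery is that the old OpenID is lost or its provider is no longer trusted, the RP should remove it in the same step.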

Owen, I’d be happy to help you out by explaining to Zooomr how to behave appropriately as an OpenID RP.

One Comment

  1. Posted October 22, 2007 at 8:19 pm

    That would be great, although given the trouble I had even finding a way to contact them about the problem back when I had it, I wish you luck.

    Better would be if you would be able to make recommendations to potential OpenID users about (and I’m not so clear on the terminology here, so forgive me if I get this wrong) whether it’s best to rely on an OpenID provider for their logins or to set up an OpenID server of their own to authenticate against, and what to do in the case that you first do one, but then want to do the other. Or, if the method you use dies, what the recourse is.

    Also, we’d love to have someone that knows more about OpenID in the Habari camp to help us get things right the first time. Please feel free to become involved if you can.
