Rick Denatale wrote:
> On Sat, Jan 9, 2010 at 5:32 AM, Audrey A Lee [email protected] wrote:
>>  - “Vanilla” password based authentication
>> and forget if they were using a password or OpenID.
>> So my question is, do you know of any projects or Rails starter kits
>> which implement OpenID-only authentication?
> No I don’t. And I believe that the openid advocates don’t recommend
> this.

I don’t know about other OpenID advocates, but this is not exactly my
recommendation.

> The problem is that if the user’s open id server is unavailable for
> whatever reason, he/she can’t log in.

I think the more likely case is that your own web site will be
unavailable far more often than any OpenID provider’s. I just don’t
think this is a particularly valid argument.

> Providing a password option for authentications is the openid
> equivalent of a ‘forgot my password’ mechanism.

I can’t see how these two are related in any way. They are completely
different forms of authentication.

I personally think that developers provide the choice because most
“regular users” don’t really understand the advantage of OpenID. Trying
to explain it to them might be more trouble than it’s worth. Most people
are just so accustomed to username and password that any deviation from
that mechanism might be too confusing for them.

For the OP:
> So, I want to make it easy for them. They use OpenID or nothing.
> Actually, I want to make it even simpler: Yahoo-OpenID or nothing.

While I believe that providing an OpenID-only solution is workable, I
would be very much against forcing them to use a particular OpenID
provider. I personally use VeriSign as my provider, mostly because I
trust their security, and I have set up multi-factor authentication using
their provided iPhone app.

Forcing users into a particular OpenID provider defeats one of the major
advantages of the OpenID system. If you’re going to push authentication
to a third party, that’s great, but let the users choose whomever they
want as that third party.

Another advantage of OpenID is that a web site can avoid having to store
any sensitive information at all. I am currently developing a web site
for a local developers’ group. I have also chosen to use OpenID only for
authentication. My reason for doing so is to avoid the need for adding
(and paying for) an SSL certificate. I don’t like the idea of accepting
users’ passwords in the clear. The only ways to avoid that are either to buy
an SSL certificate or to use OpenID only. I’ve chosen the latter because of
the many advantages it provides. I no longer need an SSL certificate,
I’m not storing any sensitive information at all, and my users will be
able to share their OpenID with any other sites that support it.