[OpenID] OpenID Registration Scenario

Paul Tanner paul at virtual-techno.com
Thu Jul 12 06:46:09 UTC 2007


Simon W has been advocating that RPs should support multiple OpenIDs.
If we do that then the best recovery mechanism has to be a second 
OpenID with another OP.
That protects against your OP getting into difficulties and it avoids 
the problem we were trying to fix in the first place viz. having 
loads of (secure enough) username/ password combinations.

There's another reason for RPs to *also* support username/ 
password.  Many implementations will be on non-greenfield sites where 
a population of users already exists.  In that case the RP can add 
OpenID as an option and let users transition at their own pace.

Paul

At 05:12 12/07/2007, digest wrote:
>Date: Wed, 11 Jul 2007 16:06:15 -0400
> > As to a local password, I would instead just use email as an account
> > retrieval mechanism if needed.
>
>Assuming they have lost control of their previous openid; after they receive
>the account retrieval email wouldn't it make sense for them to setup a
>username/password to retrieve their account or would you think they should
>have a second openid ready to associate their account to?
>
>I personally think using a local fallback in the form of an optional
>username/password makes sense. But it's really up to the RP and its needs.
>Having a "captiveOpenID" doesn't make sense as a solution to this scenario
>since they would have to authorize that with a username/password anyway (I
>may be missing the meaning of captiveOpenID).
>
>Immad
>
>On 11/07/07, Recordon, David <drecordon at verisign.com> wrote:
> >
> >  Hey John,
> > I think some sort of local display name is certainly desired in many
> > cases.  It should however be easy to then find their OpenID identifier from
> > their profile page for example.
> >
> > As to a local password, I would instead just use email as an account
> > retrieval mechanism if needed.
> >
> > --David
> >
> >  -----Original Message-----
> > From:   John Wang [mailto:jwanggroups at gmail.com <jwanggroups at gmail.com>]
> > Sent:   Tuesday, July 10, 2007 09:21 PM Pacific Standard Time
> > To:     OpenID - General
> > Subject:        [OpenID] OpenID Registration Scenario
> >
> > For a site that does not have sensitive information but does have an
> > online
> > identity aspect where there will be a lot of information associated with
> > user's online identity on the site over time, does it make sense to have
> > OpenID users also create a local username/password?
> >
> > I think it makes some sense to have a username since a user can have
> > multiple OpenIDs associated with one online identity. Additionally a
> > username will be more user-friendly to see on various pages. The username
> > is
> > associated with a unique online identity for the site while the OpenID is
> > just an authentication method.
> >
> > As for a local password, it seems to make for a better user experience to
> > have a fallback in case the user's OpenID OP auth server becomes
> > unavailable
> > for whatever reason. This way the user can use OpenID when they want but
> > if
> > it ever becomes unavailable, they still have access to their online
> > identity. From a community site perspective, it seems to make sense to
> > give
> > the user a fallback auth mechanism controlled by the site instead of
> > forcing
> > the user to rectify the situation with their OP in case there's an issue
> > there.
> >
> > From the above, I'm thinking that it would make sense to have the user
> > register an account by creating a username/password or
> > username/captiveOpenID controlled by the site and then let the user
> > attach/associate OpenIDs to those accounts. The other question here is
> > whether one OpenID can only be attached to a single site account or
> > whether
> > the user should be allowed to use the same OpenID for multiple site
> > accounts. The latter seems more flexible and user-friendly.
> >
> > What do you think of the above and what are sites doing today with respect
> > to OpenID and local auth methods?
> >
> > John

Paul Tanner - Virtual Technologies - http://www.virtual-techno.com
Tel: +44 1494 581979 Mob: +44 7973 223239 mailto:paul at virtual-techno.com 
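
Added example, not part of the thread or any participant's code: a sketch of the RP-side account model the messages discuss, where the local username is the site identity and OpenIDs or an optional password are login methods attached to it. The class and method names are hypothetical, the URLs are constructed, and it assumes one OpenID maps to at most one site account and that the caller has already verified the OpenID with the OP before attaching it.

```python
import hashlib, hmac, os
from urllib.parse import urlsplit

class AccountStore:
    """Username is the site identity; OpenIDs and passwords are login methods."""
    def __init__(self):
        self.accounts = {}   # username -> {"openids": {claimed_id: op_host}, "pw": (salt, hash) or None}
        self.by_openid = {}  # claimed_id -> username (assumption: one account per OpenID)

    def register(self, username, password=None):
        if username in self.accounts:
            raise ValueError("username taken")
        self.accounts[username] = {"openids": {}, "pw": None}
        if password is not None:
            self.set_password(username, password)

    def set_password(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        self.accounts[username]["pw"] = (salt, digest)

    def check_password(self, username, password):
        pw = self.accounts.get(username, {}).get("pw")
        if pw is None:
            return False  # unknown user or no local password set
        salt, digest = pw
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        return hmac.compare_digest(digest, candidate)

    def attach_openid(self, username, claimed_id, op_endpoint):
        # Call only after the OP has positively asserted claimed_id for this session.
        if claimed_id in self.by_openid:
            raise ValueError("OpenID already linked to an account")
        self.accounts[username]["openids"][claimed_id] = urlsplit(op_endpoint).hostname
        self.by_openid[claimed_id] = username

    def detach_openid(self, username, claimed_id):
        acct = self.accounts[username]
        if claimed_id not in acct["openids"]:
            raise KeyError(claimed_id)
        if acct["pw"] is None and len(acct["openids"]) == 1:
            raise ValueError("refusing to remove the last login method")
        del acct["openids"][claimed_id]
        del self.by_openid[claimed_id]

    def account_for_openid(self, claimed_id):
        return self.by_openid.get(claimed_id)

    def survives_op_outage(self, username):
        # True if a local password exists or OpenIDs at two different OPs are linked.
        acct = self.accounts[username]
        return acct["pw"] is not None or len(set(acct["openids"].values())) >= 2
```
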



