[OpenID] OpenID Registration Scenario
Martin Atkins
mart at degeneration.co.uk
Thu Jul 12 07:16:51 UTC 2007

John Wang wrote:
> For a site that does not have sensitive information but does have an
> online identity aspect where there will be a lot of information
> associated with user's online identity on the site over time, does it
> make sense to have OpenID users also create a local username/password?
>

As Simon Willison pointed out recently, "Forgot your Password?" really
is a signon mechanism... it's just one with a really poor user
experience, and that's intentional.

However, there's no reason why you couldn't implement a similar
mechanism that actually *logs you in* to the site rather than simply
recovers your account. You would then be able to reconfigure your
associated identities to be whatever you like.

I think a good approach when designing an account management system that
uses OpenID is to separate the concept of a principal from an identity.
A principal is your "userid" or whatever other hidden internal primary
key you have for the user that is probably never shown in the UI. Each
principal can have one or more identities, which might be:

* username/password pairs
* email addresses
* OpenID identifiers
* (mobile phone numbers, Jabber IDs, Facebook uids, etc...)

All of these have an "authentication mechanism" attached to them. Your
UI will probably force all users to have an email address identity for
their own good.

You'd probably also want to associate a "display name" and "display
identity" with each principal so that you have something to refer to the
user in the UI.

To directly answer your question (sorry for taking a while to get here),
I think it's a good idea to allow users to *optionally* create a local
username/password pair, but to strongly suggest or require an email address.

The user experience for recovering an account via email is not
brilliant, but it only has to be done in the relatively infrequent case
that all of the user's other identifiers are unavailable. Once you've
let the user log in using their email address, the user may elect to
either create a local username/password or associate a new OpenID
identifier.
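
The principal/identity split described in the message above, as an added example that is not part of the original post: a hidden principal key, several identities per principal, and a rule that an email identity is always kept for recovery. The table, column and function names are assumptions chosen for illustration, and each identity's own authentication mechanism (password check, email token, OpenID assertion) is assumed to run before `principal_for` is called.

```python
import sqlite3

SCHEMA = """-- Hypothetical schema: table and column names are assumptions, not from the post.
CREATE TABLE principal (
    id INTEGER PRIMARY KEY,        -- hidden internal key, never shown in the UI
    display_name TEXT NOT NULL
);
CREATE TABLE identity (
    principal_id INTEGER NOT NULL REFERENCES principal(id),
    kind TEXT NOT NULL CHECK (kind IN ('password', 'email', 'openid')),
    identifier TEXT NOT NULL,      -- username, address or OpenID URL; no secrets here
    UNIQUE (kind, identifier)      -- an identifier resolves to exactly one principal
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    return db

def create_principal(db, display_name, email):
    """Every principal starts with an email identity, as the post suggests."""
    with db:
        pid = db.execute("INSERT INTO principal (display_name) VALUES (?)", (display_name,)).lastrowid
        db.execute("INSERT INTO identity VALUES (?, 'email', ?)", (pid, email))
    return pid

def add_identity(db, pid, kind, ident):
    """Attach an identity; False if the database rejects it (e.g. already claimed)."""
    try:
        with db:
            db.execute("INSERT INTO identity VALUES (?, ?, ?)", (pid, kind, ident))
        return True
    except sqlite3.IntegrityError:
        return False

def principal_for(db, kind, ident):
    """Resolve a principal; call only after that identity's mechanism has verified it."""
    row = db.execute("SELECT principal_id FROM identity WHERE kind=? AND identifier=?", (kind, ident)).fetchone()
    return row[0] if row else None

def remove_identity(db, pid, kind, ident):
    """Drop an identity, but keep at least one email address for recovery."""
    emails = db.execute("SELECT COUNT(*) FROM identity WHERE principal_id=? AND kind='email'", (pid,)).fetchone()[0]
    if kind == "email" and emails <= 1:
        raise ValueError("principal must keep an email identity")
    with db:
        db.execute("DELETE FROM identity WHERE principal_id=? AND kind=? AND identifier=?", (pid, kind, ident))
```

The `UNIQUE (kind, identifier)` constraint is what stops a second account from claiming an OpenID or address that already resolves to someone else.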