[OpenID] [LIKELY_SPAM]Re: [LIKELY_SPAM]Re: Combining Google & Yahoo user experience research

Martin Atkins mart at degeneration.co.uk
Mon Oct 27 15:58:53 UTC 2008


George Fletcher wrote:
> In the discussions I've had, there was one other use case. That is a 
> site that isn't ready yet to support the full OpenID cross-domain SSO 
> concept, yet wants to streamline their registration process such that 
> they don't have to use the out-of-band email verification mechanism.  In 
> this case, a small extension to the OpenID protocol (similar in concept 
> to AX) could be constructed that would allow a user to verify their 
> ownership over the email address using a "synchronous" process vs the 
> current async one.  So, if the RP's only concern is to verify that the 
> user "owns" the email address they've specified, then the RP doesn't 
> want the email address mapped to an OpenID, they want to know that the 
> email address is valid and the user knows the password to it.
> 

Verifying ownership of URLs is what OpenID is fundamentally all about. 
The SSO thing is really just an application of it.

Once you've got a discovery mechanism for email, you can do OpenID 
Authentication on email addresses. At that point -- assuming you're 
willing to trust the domain in question -- you have in-band email 
address verification.

Whether you choose to use this as a mechanism for signing in as well is 
up to you as an implementer, of course. The nice thing about the above 
is that since you've already implemented OpenID anyway it's only a small 
extra step to use it for signing in should you choose to go that route.

I guess the main caveat here is that OPs need to present a suitable user 
interface in the email case that explains it from the point of view of 
validating an email address rather than signing in. As usual, the UI at 
OPs isn't really something OpenID can control, so the success of the 
above approach will depend on figuring out what the correct UI flow is 
for this use-case.





