[OpenID] allowing users to switch to openid-only: pointless?
Andrew Arnott
andrewarnott at gmail.com
Thu May 28 22:23:07 UTC 2009
+1. If a site offers OpenID 'upgrade', the first feature I look for after
attaching my OpenID is a way to disable the username/password login
capability for my account.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
On Thu, May 28, 2009 at 2:00 PM, SitG Admin <sysadmin at shadowsinthegarden.com> wrote:
>> I proposed allowing users who originally signed up with a site-specific
>> username/password, then associated their account with (for example) a
>> myOpenID account, to delete their original site-specific password so that
>> they would only be able to log in with myOpenID. To me, this makes sense
>> because the user then has one less password to worry about and keep track
>> of. However, to my co-designer, only crazy people would want such a feature
>> since the user can just stop using their original password if they wish.
>>
>> I would be very interested in knowing what you lot think about this.
>>
>
> Your co-designer has addressed the "keep track of" point, but that "worry
> about" point is still a strong one. It's like leaving a backdoor in the
> system, and randomizing the access code when you leave because "we won't
> need it anymore, and who could possibly guess" . . . well, someone WILL
> guess, or brute-force it. If it isn't necessary to have another point of
> entry, DISABLE IT.
>
> -Shade