[OpenID] allowing users to switch to openid-only: pointless?
Martin Atkins
mart at degeneration.co.uk
Thu May 28 23:07:22 UTC 2009
Nicolas Holzapfel wrote:
> Hello everyone,
>
> I'm in the process of designing a big social networking type site and
> was just dealing with the account management settings. I'm working with
> someone else and we both want to make the site as openid-friendly as
> possible. Users will be able to sign up and log in using openid and
> similar services like Facebook Connect, Google Connect etc. and associate
> multiple external websites with the same account (i.e. they can use
> myOpenID, Facebook Connect and their site-specific username/password to
> log into the same, single account).
>
> In addition, I proposed allowing users who originally signed up with a
> site-specific username/password, then associated their account with (for
> example) a myOpenID account, to delete their original site-specific
> password so that they would only be able to log in with myOpenID. To me,
> this makes sense because the user then has one less password to worry
> about and keep track of. However, to my co-designer, only crazy people
> would want such a feature since the user can just stop using their
> original password if they wish.
>
> I would be very interested in knowing what you lot think about this.
>
One way to think about this is that by retaining a local password you
essentially defeat any better-than-passwords authentication mechanism
that the OP is using by offering a backdoor that side-steps the OP.

As long as most users are using passwords to authenticate to the OP this
isn't really a compelling argument, of course. (And, if we're honest,
most users probably used the same password at their OP and at your site.)