Single sign on, a great thing, saving us from “yet another password”, or is it? OpenID is great, I have huge respect for all the people involved in the generation of this awesome specification, but is all this really needed? After all, we all already have a password and a distributed system for proving we know it.
Yes, e-mail.
Imagine this.
Simple, and no username or password in sight, apart from the ones you use to access your e-mail already. If you need to log in again, you just follow the process again. Simple.
Plus, most sites do this already with forgotten-password functionality, so it’s not a foreign experience to Web users.
This is basically what OpenID does but without the human intervention of having to open an e-mail and click a link. I think having to check your e-mail and click a link is a pretty good compromise for not having to set up some new authentication system that may or may not be usable on the site you’re visiting.
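The flow above (enter your e-mail address, receive a link, click it, you’re in) is easy to get wrong on the server side, so here is an added example of the mechanics, written for this post and not taken from any site or library it mentions. It assumes a `send_mail` callable stands in for a real mail transport, uses a 15-minute link lifetime as an assumed policy, stores only a hash of the token, and makes each link single-use; the class and function names are my own.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a login link is good for 15 minutes


@dataclass
class PendingLogin:
    email: str
    expires_at: float
    used: bool = False  # a link may only be redeemed once


class EmailLoginService:
    """Log in by e-mailed link: issue an unguessable one-time link, redeem it once."""

    def __init__(self, send_mail: Callable[[str, str], None], now: Callable[[], float] = time.time):
        self._send_mail = send_mail  # send_mail(to_address, link_url); real code would use SMTP
        self._now = now              # injectable clock so expiry can be tested
        self._pending: Dict[str, PendingLogin] = {}  # keyed by SHA-256 of the token

    @staticmethod
    def _hash(token: str) -> str:
        # Only the hash is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request_login(self, email: str, base_url: str) -> None:
        # 32 random bytes from the OS CSPRNG -> a url-safe token nobody can guess.
        token = secrets.token_urlsafe(32)
        self._pending[self._hash(token)] = PendingLogin(
            email=email, expires_at=self._now() + TOKEN_TTL_SECONDS
        )
        self._send_mail(email, f"{base_url}/login?token={token}")

    def redeem(self, token: str) -> Optional[str]:
        """Return the proven e-mail address, or None if the link is unknown, expired or already used."""
        record = self._pending.get(self._hash(token))
        if record is None:
            return None
        if record.used or self._now() > record.expires_at:
            return None
        record.used = True  # burn the link before handing out the identity
        return record.email


if __name__ == "__main__":
    outbox = []  # constructed stand-in for the user's inbox
    service = EmailLoginService(send_mail=lambda to, link: outbox.append((to, link)))
    service.request_login("alice@example.com", "https://site.example")
    link = outbox[0][1]
    print("mailed:", link)
    print("first click:", service.redeem(link.split("token=")[1]))
    print("second click:", service.redeem(link.split("token=")[1]))
```

Redeeming sets the session; the token itself is never written to a log or kept in clear, and a second click on the same link (or a click after the 15 minutes) is refused, which is what limits the damage if the e-mail is read by someone else later.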
Everyone has an e-mail address. I mean, why reinvent the wheel when we already have a system for doing this that everyone already uses? You’re not going to get every Web user to start using OpenID; it’s just too much bother when they can just remember (or get their browser to remember) a username/password pair.
One of the problems with any single sign-on provider is that you have to trust that provider exclusively (sure, you can run your own OpenID server, but who actually does that?). Everyone already implicitly trusts their e-mail provider, at least with their e-mail, which to all intents and purposes is all that counts, because forgotten-password e-mails already go there. I know that I’d prefer to only have to trust one entity, rather than an OpenID provider too.
The main advantage of OpenID is that once you’ve authorised a site, you don’t have to lift a finger again: the negotiation occurs in the background between the site and your OpenID provider without you doing a thing.
But this too could be handled via Web-mail providers and some browser hackery: an iframe placed into the page, pointing to a specific Web page provided by your Web-mail provider that supports this technique. Not quite as seamless as OpenID, but a hell of a lot simpler, and the infrastructure from a user point of view is already there.
How I detect that you’re using a Web-mail provider, and where their little iframe page is, is a little more tricky. We could add a TXT record to DNS for the domain to point to the page’s URL, or maybe eventually we can just rely on the browser to provide the user’s e-mail address and Web-mail provider details automatically on the click of a button. Who knows, there’s plenty to innovate around in this space.
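To show what the DNS TXT idea would look like on the site’s side, here is an added example (my own code, not anything from the post or from an existing provider). It assumes a hypothetical record format `webmail-login=<url>`, uses a constructed in-memory table in place of a real resolver, and only accepts an `https` URL whose host sits inside the e-mail domain itself, so the party that controls the domain’s DNS is the only one who can say where its login page lives, which is exactly the trust the post argues you already place in your e-mail provider.

```python
from typing import Callable, List, Optional
from urllib.parse import urlsplit

# Hypothetical TXT record key; not a standard, chosen for this example.
PREFIX = "webmail-login="

# Constructed stand-in for DNS TXT answers, keyed by domain. A real
# implementation would query a resolver (e.g. with dnspython) instead.
FAKE_TXT_RECORDS = {
    "example.com": ["v=spf1 -all", "webmail-login=https://mail.example.com/login-frame"],
    "other.example": ["v=spf1 -all"],  # provider that does not support the technique
}


def provider_login_page(
    email: str,
    txt_lookup: Callable[[str], Optional[List[str]]] = FAKE_TXT_RECORDS.get,
) -> Optional[str]:
    """Return the provider's iframe page URL for this address, or None if there is no acceptable record."""
    if email.count("@") != 1:
        return None
    domain = email.rsplit("@", 1)[1].strip().lower().rstrip(".")
    if not domain:
        return None
    for record in txt_lookup(domain) or []:
        if not record.startswith(PREFIX):
            continue  # unrelated TXT record (SPF, verification tokens, ...)
        url = record[len(PREFIX):].strip()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # The page must be served over TLS: the iframe will carry login state.
        if parts.scheme != "https":
            continue
        # The DNS owner may only delegate to its own domain or a subdomain of it,
        # so the login page cannot be redirected to an unrelated host.
        if host != domain and not host.endswith("." + domain):
            continue
        return url
    return None


if __name__ == "__main__":
    for address in ("alice@example.com", "bob@other.example", "not-an-address"):
        print(address, "->", provider_login_page(address))
```

The iframe this URL is loaded into should still be sandboxed and the messages it sends back to the page checked against that origin; the record lookup only answers the "where is it" question the paragraph raises.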
Yes, existing identity providers opening up their systems to support OpenID helps since it gives many “normal” folk an instant OpenID, but many of these users don’t understand what OpenID is or that they can use their Yahoo ID to log into OpenID supporting sites.
Using e-mail as an authentication mechanism makes sense. It makes sense for users and it makes sense for site developers, and it can be implemented and used today, without any additional infrastructure or extra support from third parties.
Although I’ve never used it, apparently Craigslist do something very similar to this. You can create a posting without signing up to an account and all you have to provide is an e-mail address to which they send you a link that allows you to update your posting.
Some would call this security by obscurity, others would call it capability-based security, I call it clever.