Rethinking the Login #heweb11


What’s the problem?

Secondary and tertiary audiences — alumni, parents, prospects — can’t remember how to log in. Passwords, usernames, etc.

  • We don’t login often enough to remember.  
  • You don’t let us choose our identity.
  • We’re not on campus to get support. 

26,000 active alumni
19,000 email addresses on file

OPENID — about authentication

OpenID “usernames” are URLs which usually embed your identity:

  • openid.aol.com/username
  • username.wordpress.com

Good luck remembering those.

OAUTH — about authorization 

Created in 2006 as an open standard for authorization: a way to delegate access to user data without exchanging credentials.

OAuth is about what we know about you – rather than who you are.

Lots of folks provide an OAuth interface (Google, Yahoo, AOL, etc.).

Cowgirl Sue is taking a break from the ranch, and goes to Slim’s website, slims-dude-ranch.com. She needs to log in. So she puts in her Gmail email address and password to try and log in. Slim’s website asks Google, “Hey, can you make me a temp’ry key for Sue?”

Google responds heartily, “Here’s the key, Slim Dude.”

And Sue is now logged into Slim’s website — and can order her beef jerky and schedule rodeo lessons.

THIS IS PSEUDO-AUTHENTICATION.

VENDOR APIS

Provide a mix of authentication and authorization, various sorts of user data.

Things like Facebook Connect.

Integration: Don’t do it yourself!

There are a number of libraries and services that can handle most or all of the technical implementation details for you. They wrap up OpenID, OAuth, Facebook Connect, etc. – into one login solution – with a shiny pink bow.

Open source options:

Things to think about:

  • Auth vs. Auth + metadata
  • Standards supported
  • user interface
  • customizability and/or API
  • support/developer responsiveness

BUT IS IT SAFE?

  • is it safe to outsource identity authentication?
  • if you already allow password recovery via external email, your exposure is comparable.
  • OAuth and OpenID are relatively mature technologies
  • there is the phishing question

WHAT ARE THE DOWNSIDES?

  • people don’t understand it
    • how do you know my yahoo password?
    • can google see what i’m doing on your site?
    • can anyone with an aol account login here?
  • user interfaces are confusing
  • native openid url format isn’t memorable
  • the nascar problem  (login windows packed with logos)

That said, once you’ve made the association between your Carlton identity and your other identity — all subsequent visits are painless — log in with your Google account.

Under the Hood

We’re actually just using the external identity as a shared key.

If we store other social data (Facebook ID, etc.) – we can extend our login options.
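The “shared key” idea above, and the pseudo-authentication caveat from the Cowgirl Sue story, as an added example that is not from the session or any library it mentions. It keys local accounts on the provider’s stable subject id (not the email string), bootstraps a first login from the “email addresses on file” only when the provider says it verified that address, and lets a second provider be attached to an existing account. Provider names, subject ids and emails are constructed placeholders.

```python
class IdentityStore:
    """Maps external identities onto local user ids (the 'shared key')."""

    def __init__(self, emails_on_file):
        self.by_email = dict(emails_on_file)  # email -> local id (bootstrap data)
        self.links = {}                       # (provider, subject) -> local id

    def login(self, provider, subject, email=None, email_verified=False):
        """Return (local_id, outcome) for an assertion from an external provider.

        The key is the provider's stable subject id, never the email address:
        emails change hands and a provider may re-issue them. Email is used only
        once, to bootstrap the first link, and only if the provider vouches that
        it verified the address (otherwise a self-asserted email could claim
        someone else's alumni record)."""
        key = (provider, subject)
        if key in self.links:
            return self.links[key], "returning"
        if email and email_verified and email in self.by_email:
            local = self.by_email[email]
            self.links[key] = local
            return local, "bootstrapped"
        # Unknown identity: hand off to a manual linking / account-claim flow.
        return None, "unlinked"

    def link(self, local_id, provider, subject):
        """Attach another external identity (e.g. a Facebook ID beside a Google
        one) to a user who is already logged in, so either can log in later."""
        key = (provider, subject)
        if key in self.links and self.links[key] != local_id:
            raise ValueError("external identity already bound to another user")
        self.links[key] = local_id


if __name__ == "__main__":
    # Constructed sample of addresses on file for two hypothetical alumni.
    store = IdentityStore({"sue@example.com": "alum-1001", "slim@example.com": "alum-1002"})
    print(store.login("google", "g-123", "sue@example.com", email_verified=True))
    print(store.login("google", "g-123"))
    store.link("alum-1001", "facebook", "fb-777")
    print(store.login("facebook", "fb-777"))
```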

Things to Ponder On

  • Do you have audiences for whom distributed auth would make a good primary or secondary login mechanism?
  • do you have data (email addresses) that would allow you to bootstrap?
  • are there interesting ways you could take advantage of the extra data you get from OAuth and service APIs?