Rethinking the Login #heweb11


(Photo: “Protected” by The Meanest Indian, via Flickr)

What’s the problem?

Secondary and tertiary audiences — alumni, parents, prospects — can’t remember how to log in: passwords, usernames, etc.

  • We don’t log in often enough to remember.
  • You don’t let us choose our identity.
  • We’re not on campus to get support.

26,000 active alumni
19,000 email addresses on file

OPENID — about authentication

OpenID “usernames” are URLs that usually embed your identity:


Good luck remembering those.

OAUTH — about authorization

Created in 2006 as an open standard for authorization: a way to delegate access to user data without exchanging credentials.

OAuth is about what we know about you, rather than who you are.

Lots of folks provide an OAuth interface (Google, Yahoo, AOL, etc.).

Cowgirl Sue is taking a break from the ranch and goes to Slim’s website. She needs to log in, so she puts in her Gmail email address and password to try to log in. Slim’s website asks Google, “Hey, can you make me a temp’ry key for Sue?”

Google responds heartily, “Here’s the key, Slim Dude.”

And Sue is now logged into Slim’s website — and can order her beef jerky and schedule rodeo lessons.



Provide a mix of authentication and authorization, plus various sorts of user data.

Things like Facebook Connect.

Integration: Don’t do it yourself!

There are a number of libraries and services that can handle most or all of the technical implementation details for you. They wrap up OpenID, OAuth, Facebook Connect, etc. into one login solution, with a shiny pink bow.

Open source options:

Things to think about:

  • Auth vs. Auth + Metadata
  • Standards supported
  • user interface
  • customizability and/or API
  • support/developer responsiveness


  • Is it safe to outsource identity authentication?
  • If you already allow password recovery via external email, your exposure is comparable.
  • OAuth and OpenID are relatively mature technologies.
  • There is the phishing question.


  • People don’t understand it:
    • How do you know my Yahoo password?
    • Can Google see what I’m doing on your site?
    • Can anyone with an AOL account log in here?
  • User interfaces are confusing.
  • The native OpenID URL format isn’t memorable.
  • The NASCAR problem (login windows packed with logos).

That said, once you’ve made the association between your Carlton identity and your other identity, all subsequent visits are painless: log in with your Google account.

Under the Hood

We’re actually just using the external identity as a shared key.

If we store other social data (Facebook ID, etc.), we can extend our login options.

Things to Ponder On

  • Do you have audiences for whom distributed auth would make a good primary or secondary login mechanism?
  • Do you have data (email addresses) that would allow you to bootstrap?
  • Are there interesting ways you could take advantage of the extra data you get from OAuth and service APIs?
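To make the Sue-and-Slim story and the “external identity as a shared key” idea concrete, here is a toy model added for this write-up; it is not code from the session or from any of the libraries mentioned. `Provider` stands in for Google or Facebook and hands Slim’s site a short-lived, single-use “temp’ry key” instead of Sue’s password; `RelyingParty` is Slim’s site, which stores `(provider, subject id)` pairs as the shared key, bootstraps a first login from the email addresses already on file, and lets a second provider be linked to the same local account. All account data, provider names and subject ids are constructed sample values. One defensive detail the notes only hint at with “the phishing question”: the bootstrap-by-email step only fires when the provider says the address is verified, otherwise a provider account created with someone else’s address could claim their local account.

```python
"""Toy model of 'log in with your Google account' (hypothetical example code)."""
import secrets
import time


class Provider:
    """Stand-in for an external identity provider (Google, Facebook, ...)."""

    def __init__(self, name, accounts):
        self.name = name
        # constructed sample data: subject id -> (email, email_verified)
        self.accounts = accounts
        self._tokens = {}  # temp key -> (subject id, expiry time)

    def issue_temp_key(self, subject, password_ok=True):
        """Sue authenticates AT the provider; the provider then hands the
        relying party an opaque, short-lived token. Slim never sees her password."""
        if not password_ok or subject not in self.accounts:
            return None
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (subject, time.time() + 300)  # 5 minute lifetime
        return token

    def identity_for(self, token, now=None):
        """Relying party redeems the token for an identity assertion.
        Tokens are single use: pop() means a replayed token is refused."""
        now = time.time() if now is None else now
        entry = self._tokens.pop(token, None)
        if entry is None:
            return None
        subject, expires = entry
        if now > expires:
            return None
        email, verified = self.accounts[subject]
        return {"provider": self.name, "sub": subject,
                "email": email, "email_verified": verified}


class RelyingParty:
    """Slim's website. The (provider, sub) pair is the shared key that maps an
    external identity onto a local account."""

    def __init__(self, emails_on_file):
        # constructed: local accounts bootstrapped from the addresses on file
        self.accounts = {}  # local id -> {"email": ..., "links": set()}
        self.links = {}     # (provider, sub) -> local id
        for i, email in enumerate(emails_on_file, start=1):
            self.accounts[f"local-{i}"] = {"email": email.lower(), "links": set()}

    def link(self, local_id, key):
        self.accounts[local_id]["links"].add(key)
        self.links[key] = local_id

    def login_with(self, provider, token):
        ident = provider.identity_for(token)
        if ident is None:
            return None  # expired, replayed or bogus token
        key = (ident["provider"], ident["sub"])
        # 1. Association already made: every later visit is painless.
        if key in self.links:
            return self.links[key]
        # 2. First visit: bootstrap from the email on file, but only when the
        #    provider vouches for the address. An unverified address could be
        #    claimed by anyone, so it must not be enough to take over an account.
        if ident["email_verified"]:
            for local_id, acct in self.accounts.items():
                if acct["email"] == ident["email"].lower():
                    self.link(local_id, key)
                    return local_id
        return None  # fall back to a password or an email-confirmation step


def demo():
    """Walk Sue through first login, a repeat visit, a second provider,
    an unverified address, and a replayed token."""
    google = Provider("google", {
        "sue-1001": ("sue@example.com", True),
        "slim-2002": ("slim@example.com", False),   # address not verified
    })
    facebook = Provider("facebook", {"sue-fb-77": ("Sue@Example.com", True)})
    slim = RelyingParty(["Sue@example.com", "slim@example.com"])

    first_key = google.issue_temp_key("sue-1001")
    result = {
        "first": slim.login_with(google, first_key),                     # bootstrap by email
        "second": slim.login_with(google, google.issue_temp_key("sue-1001")),  # linked key
        "facebook": slim.login_with(facebook, facebook.issue_temp_key("sue-fb-77")),
        "unverified": slim.login_with(google, google.issue_temp_key("slim-2002")),
        "replay": slim.login_with(google, first_key),                    # single use
    }
    result["linked_providers"] = len(slim.accounts["local-1"]["links"])
    return result


if __name__ == "__main__":
    print(demo())
```

Running the module prints the dictionary returned by `demo()`: Sue lands on `local-1` three times (email bootstrap, repeat visit, and via Facebook, leaving two linked providers), while the unverified Slim account and the replayed token both come back `None` and would have to fall through to the site’s ordinary login.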