Rethinking the Login #heweb11
What’s the problem?
Secondary and tertiary audiences — alumni, parents, prospects — can’t remember how to login. Passwords, usernames, etc.
- We don’t login often enough to remember.
- You don’t let us choose our identity.
- We’re not on campus to get support.
26,000 active alumni
19000 email addresses on file
OPENID — about authentication
OpenID “usernames” are URLS which usually embed your identity:
Good luck remembering those.
OAUTH — about authorization
Created in 2006 as an open standard for authorization: a way to delegate access to user data without exchanging credentials
OAUth is about what we know about you – rather than who you are
Lots of folks provide an OAuth interface (google, yahoo, aol, etc)
Cowgirl Sue is taking a break from the ranch, and goes to Slim’s website, slims-dude-ranch.com. She needs to login. So she puts in her gmail email address and password to try and login. Slim’s website asks google “Hey, can you make me a temp’ry key for Sue?”
Google responds heartily, “Here’s the key, Slim Dude.”
And Sue is now logged into Slim’s website — and can order her beef jerky and schedule rodeo lessons.
THIS IS PSEUDO-AUTHENTICATION.
Provide a mix of authentication and authorization, various sorts of user data.
Things like Facebook Connect.
Integration: Don’t do it yourself!
THere are a number of libraries and services that can handle most or all of the technical implementation details for you. They wrap up openid, oath, Facebook connect, etc – into one login solution -with a shiny pink bow.
Open source options:
Things to think about:
- Auth v Auth + Metadata
- Standards supported
- user interface
- customizability and/or API
- support/developer responsiveness
BUT IS IT SAFE?
- is it safe to outsource identity authentication?
- if you already allow password recovery via external email, your exposure is comparable.
- oauth and opened are relatively mature technologies
- there is the phishing question
WHAT ARE THE DOWNSIDES?
- people don’t understand it
- how do you know my yahoo password?
- can google see what i’m doing on your site?
- can anyone with an aol account login here?
- user interfaces are confusing
- native openid url format isn’t memorable
- the nascar problem (login windows packed with logos)
That said, once you’ve made the association between your carlton identity and your other identity — all subsequent visits are painless — login with your google account.
Under the Hood
We’re actually just using the external identity as a shared key.
If we store other social data (Facebook ID, etc.) – we can extend our login options.
Things to Ponder On
- Do you have audiences for whom distributed auto would make a good primary or secondary login mechanism?
- do you have data (email addreses) that would allow you to bootstrap
- are there interesting ways you could take advantage of the extra data you get from OAuth and service apis.