For the past three months, my travel site www.imaybelate.com and its companion apps for iOS and WP7 have been live on the internet.
Based on recent user activity, I’ve decided to make a big change to the authentication system of the site. I’m going to move away from OpenID and back to the standard username & password. I’m not making this change lightly as it involves not only refactoring my code, but also supporting existing users who want to continue using the app.
So why am I removing OpenID support? In a word: trust. Or, to be more accurate, a lack of trust.
I started by asking questions on Twitter and then ran a small online poll, also via Twitter. I got some interesting results – http://twtpoll.com/fpgw89
I didn’t get many votes as the poll only ran for one day, but I think it offers a glimpse into people’s feelings towards OpenID. There were a few other votes and the comments were:
I also got a few comments via Facebook and Twitter and they mirrored these sentiments.
“Create new account. Sometimes signing in with another account gives the app access to that sign in account. Example being signing in with your twitter account to some apps allows that app to read your tweets (even if private) and also to tweet on your behalf.”
Jeff Atwood (@codinghorror) also replied to an earlier tweet of mine on the subject of using OpenID:
“@tomasmcguinness log in with google, Facebook, twitter seems to have traction, openid alone is risky”
So what conclusions can I draw? First off, I must point out that, as I’m a techie, most of my Twitter followers are of that ilk, and therefore I expected the poll to be biased towards OpenID, which I considered the better solution. As can be seen from the pie chart, it’s still about a 50/50 split. But it’s 50/50 with some caveats. People seem to like the idea of using existing accounts when they “trust” the site they are signing up to. I’m defining trust here to mean they’ll trust a site they’ve used before or a site a friend has recommended.
This mirrors my own behaviour. I’ve only become conscious of my attitude since I started thinking about it for my own site. When I visit a site for the first time and want to try it out I won’t connect to it via Facebook. This is what I was asking others to do. If I won’t do it myself, why expect others to? A rather silly mistake on my part.
Users may be willing to connect your site with other existing accounts, but only after they’ve established your site is something they want to use and it’s something they trust.
To this end, I’m going to replace my OpenID system on www.imaybelate.com with a simple username and password. I’m going to update the mobile apps so they highlight the features on offer without requiring login. If after seeing the features, users want to try it, they can just signup using their email address.
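Moving from OpenID to email and password means the site now owns the credentials itself, so the one thing that has to be right from day one is how those passwords are stored. The following is an added example, not code from www.imaybelate.com or its apps: a minimal email/password store that salts and stretches each password with PBKDF2-HMAC-SHA256 from the Python standard library, compares hashes in constant time, and takes the same time for an unknown email as for a wrong password so the login endpoint does not reveal which addresses are registered. The `UserStore` class, its method names and the iteration count are assumptions for illustration.

```python
# Added example (not the site's own code): email/password signup and login
# with salted, stretched password hashes. Uses only the standard library.
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed work factor. Tune so a hash takes a noticeable fraction of a second
# on your servers; raise it over time as hardware gets faster.
ITERATIONS = 600_000
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: scheme$iterations$salt_hex$hash_hex.

    A fresh random salt per user means two users with the same password get
    different hashes, and an attacker cannot precompute a single table.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so timing does not leak how many bytes matched."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: treat as no match, never as a match
    if scheme != SCHEME:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), hash_hex)


class UserStore:
    """In-memory stand-in for the site's user table (constructed for the example)."""

    def __init__(self) -> None:
        self._users: Dict[str, str] = {}  # normalised email -> stored hash

    @staticmethod
    def _key(email: str) -> str:
        # Email addresses are matched case-insensitively so a user cannot
        # register "Alice@..." and "alice@..." as two accounts.
        return email.strip().lower()

    def signup(self, email: str, password: str) -> bool:
        """Create the account; False if the address is already taken."""
        key = self._key(email)
        if key in self._users:
            return False
        self._users[key] = hash_password(password)
        return True

    def login(self, email: str, password: str) -> bool:
        """True only if the email exists and the password matches."""
        stored = self._users.get(self._key(email))
        if stored is None:
            # Do the same amount of work for an unknown address so response
            # time does not tell an attacker which emails are registered.
            hash_password(password)
            return False
        return verify_password(password, stored)


if __name__ == "__main__":
    store = UserStore()
    print("signup:", store.signup("alice@example.com", "correct horse battery staple"))
    print("login ok:", store.login("Alice@example.com", "correct horse battery staple"))
    print("login bad:", store.login("alice@example.com", "wrong"))
    print("login unknown:", store.login("nobody@example.com", "anything"))
```

The stored string carries its own scheme and iteration count, so the work factor can be raised later and old records re-hashed on the user's next successful login without a migration of the whole table. Password reset by email, rate limiting of login attempts and a minimum password length are the other pieces a username/password system needs and are left out here.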
There was one tweet I got which rather put this whole OpenID subject into perspective. Jeff Atwood points out in this blog post, http://blog.stackoverflow.com/2010/04/openid-one-year-later/, that OpenID providers come and go. A more dangerous consequence is that you lose access to every resource associated with that ID when the provider closes your account, and that was brought to my attention by this tweet:
“FB banned a guy over innocent pics of his baby girl-lost access to 27 other accounts – that why I prefer User/pword”
It’s scary to think that Facebook not only control access to their site, but also to every other site that you’ve connected to them.