User Authentication onto Websites – Some Direction Needed!
One thing the Internet hasn’t got right yet is user authentication onto websites.
Most websites require users to have a user account so that you can personalise the site, have a home page, add a comment, etc. – and that in itself is good, as it makes the Internet more relevant and personalised to you. The disadvantage of this is that most sites require you to have a username and password, plus enter lots of information about yourself, such as a photograph, bio, ‘about me’, real name, age, location, etc. All of this is tedious and time-consuming to fill in.
OpenID appeared a few years ago and aimed to solve this problem. It isn’t without its flaws, but for the most part, I am a big fan of OpenID and even have it on my cooking website GetMeCooking.
This week I was surprised to read that 37 Signals are withdrawing their use of OpenID and will be forcing all users to use a standard username and password account. I see this as a huge step back in terms of user accessibility and user experience. They say that they have very few users using the OpenID system – if so, I think they should do two things:
- Improve their current implementation of OpenID. Right now they only allow users to enter their OpenID URL (e.g. http://openid.aol.com/jesse325); instead, they should allow users to select from a large number of OpenID providers (including Google, Facebook and Microsoft) using a click-through solution, like the one presented by Janrain.
- Try to educate their users about OpenID
Is that so hard? No. Plus, it would fit in with (and enhance) their current solution. They get a big thumbs down from me.
On the other hand, ReadWriteWeb have announced that they will be doing the opposite – i.e. scrapping the standard username and password method of authentication and exclusively using the Facebook OpenID service.
This is a step forward, but not a giant leap. Facebook currently has around 500m members – which is a lot, but not everyone is on it. In fact, I know a LOT of people who are not on it (many of them are fearful of being on it – a ‘big brother is watching’ sort of thing). So I think ReadWriteWeb should accept users via any OpenID provider. If they want to make things better or easier for the user, they could use XAuth to provide a personalised list of recently used OpenID providers at the logon/registration screen, although they might want to read this first.
In any case, it is clear that there isn’t a definitive solution or best practice when it comes to handling user authentication to websites, but I certainly think that the username and password method should be dead and buried by now. It is time for the clever techies to think about how users will authenticate onto websites, in a method which is:
- Easy
- Fast
- Personalised
- Reliable
- Rich (in terms of data being pulled in – on an optional basis)
- Secure
I could write pages about this topic, but I won’t, as others have done it for me. I just wanted to highlight the fact that this week, two very large companies (37 Signals and ReadWriteWeb) have announced completely opposite strategies on user authentication – and (in my opinion) neither of them has got it right.