
If you're to create a Web 2.0 site today, what kind of authentication scheme will you use?

  • Username: login? email address?
  • OpenID? Facebook Connect?
  • Any other considerations?

asked Sep 04 '10 at 01:14


punzie
17415

Are you also considering protection from spam / auto filler bots?

(Sep 22 '10 at 13:58) whatever

Like many technical decisions, the answer is "It depends on the purpose."

If it's a relatively 'closed' site (e.g., a private forum, a company extranet, or a commercial banking site), then I'd use a private authentication scheme such as username+password (over HTTPS, obviously).

For sites that require stronger authentication (a sensitive company intranet, or high-finance banking site), I might consider augmenting this with a hardware dongle.

For public-access sites, such as this, and for commenting on articles/blog posts, etc., then I'll probably go for OpenID.

One exception to all the above—even if it's a relatively 'closed' or private site, but users will be expected to log in to multiple other, related sites, then I'd support and provide OpenID to allow the convenience of single sign-on or SSO.

For example: if I were to design a government Web site, where users are generally expected to be logging in to multiple government Web-based services all over, then I would support and provide an OpenID authentication scheme.

That is, if users register with one department's Web site, they should be able to login to other departments' Web sites using the OpenID provided for them. This will also make it easier to identify unique users throughout the entire system (which would otherwise be maddeningly difficult if users were required to register unique logins and passwords at each site).


answered Sep 04 '10 at 09:34


Alistair A. Israel
3.1k210

I guess I assumed a "Web 2.0" site would be a public one. Still, a good assessment of Web auth in general.

(Sep 07 '10 at 02:47) punzie

I'd use email and password. It stops most spam bots (as you need a valid email address to confirm). FB Connect, OpenID - I don't trust these, but you can use them - makes it easier for people to sign up. I still prefer email authentication afterwards. It's more "secure".


answered Sep 04 '10 at 06:26


whatever
1.1k1329

2

I would've assumed for any site emails would be required by now—even just for the purpose of having an address to send "password recovery" mails to.

Stopping spam bots (i.e., distinguishing between human users and bots) is an orthogonal topic. Even valid email addresses can be 'created' on-the-fly using a sophisticated 'bot system (with its own mail server and another bot that parses emails looking for activation URLs).

Having said all that, a good CAPTCHA coupled with simple login+password+email activation should be enough for most purposes.

(Sep 04 '10 at 09:38) Alistair A. Israel
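The email activation step discussed in the answer and comments above, as an added example that is not part of the original thread: a signed, expiring activation token whose check proves control of the mailbox and nothing more, which is why it is kept separate from bot detection. The function names, the one-day lifetime and the token layout are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed secret for this example; a real site loads a persistent key from configuration.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL = 24 * 3600  # assumed policy: activation links expire after one day


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(payload: str, key: bytes) -> str:
    return _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())


def make_activation_token(email: str, now=None, key: bytes = SECRET_KEY) -> str:
    """Return 'payload.signature', binding the address to an expiry time."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    payload = _b64(f"{email.lower()}|{expires}".encode())
    return f"{payload}.{_sign(payload, key)}"


def verify_activation_token(token: str, now=None, key: bytes = SECRET_KEY):
    """Return the confirmed address, or None if malformed, forged or expired."""
    try:
        payload, signature = token.split(".")
    except ValueError:
        return None
    # Constant-time comparison: do not leak how much of the MAC matched.
    if not hmac.compare_digest(signature.encode(), _sign(payload, key).encode()):
        return None
    # The payload is only decoded after its signature has been verified.
    padded = payload + "=" * (-len(payload) % 4)
    email, _, expires = base64.urlsafe_b64decode(padded).decode().rpartition("|")
    if int(time.time() if now is None else now) > int(expires):
        return None
    return email
```

The token goes into the activation URL mailed to the user; the account is marked confirmed only when `verify_activation_token` returns the address it was registered with.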

For a "Web 2.0 site", see #4 on the list (and maybe the rest of the list as well). hehehe...


answered Sep 04 '10 at 12:35


Bryan Bibat
2.6k119

1

Now that's a useful list (in general, not just for this question)

(Sep 04 '10 at 13:00) punzie

Since you already mentioned your assumption of a public web site, I'd definitely suggest using authentication via social networks. Top reasons would be:

  • Users don't have to create yet another Web account
  • The developers don't have to create their own authentication scheme
  • It's no longer a foreign concept, even to the most casual Web-surfers who have at least used Facebook

answered Sep 18 '10 at 16:14


Nikki Erwin Ramirez ♦♦
1.2k217

1

The problem I see here is that when the social network is down (e.g. Twitter), the users of the web site won't be able to log in, unless the site provides more than one authentication method.

(Sep 18 '10 at 18:59) Randell ♦♦
1

That's definitely a risk with this scheme. However, if I'm just starting my Web 2.0 site, my service would more likely go down more often than FB or Twitter would. :p

(Sep 18 '10 at 19:06) Nikki Erwin Ramirez ♦♦

I think some people like to post anonymously; inventing usernames and passwords provides that privacy :) unless you make fake Twitter and Facebook accounts, which is another option you can consider if protecting privacy.

(Sep 18 '10 at 23:23) whatever

I prefer social login along with a traditional login system, so users can log in with either social logins or a traditional login. This system will be powerful, and I found this site provides social login with traditional login.


answered Jan 24 '12 at 18:50


Fionaa
1

Asked: Sep 04 '10 at 01:14

Seen: 4,774 times

Last updated: Jan 24 '12 at 18:50