Saturday, March 16, 2019

authentication - Is it bad practice not to allow users to create an account (versus OAuth or OpenID)?


When creating a website is it poor practice not to give users the option to "create an account"? Especially with rapid development, it seems more secure with less effort to offload authentication. However, many sites that implement OAuth or OpenID also allow you to create an account.


I would not just rely on one or two sources (and definitely not only Facebook Connect, if that is even an option), so the user would have a choice of services and the option to sign up with one of them.


The specific implementation I use (OAuth, OpenID, or any other third-party identification) is ultimately trivial, but is it bad practice not to allow users to create an account, even in the name of security?



Answer



There are very few times when I feel it is appropriate to only have external logins. If what you're doing is tightly coupled with the service that you're using for a login (e.g. Klout using Facebook and Twitter), then I'm willing to make an exception. I know some of the Stack Overflow guys might disagree with this (see here), but I prefer to keep things decoupled, and while I might be in the minority, I'm not alone.


As I see it, you have two options:



  1. Only use OpenID / OpenAuth / etc. and lose a small number of potential users.

  2. Include the option for a separate login at the additional expense and make sure everyone is covered.



The biggest question is whether or not that tradeoff of missed users to saved hassle is worthwhile. I think it's obvious that my weight is behind the second option, but it really does depend on individual circumstances.

