At work we’re building our new centralized authentication solution. Allowing OpenID logins is not part of our first release, but it’ll follow at some point in the future, at least if Rob has any say in it. Even though I’ve had an OpenID identity for as long as anyone, use mine extensively and have even implemented my own provider, I’m not convinced it’s a good idea to only support OpenID logins.
The approach taken by Magnolia (who only support OpenID logins these days) and IDSelector (which is supposed to make OpenID usable) is allow users to log in with any of their existing accounts that offer OpenID (Yahoo, Livejournal, AOL, etc). The thinking behind this is that users don’t have to remember a new username and password this way. This thinking is backwards. Users already remember their usernames and passwords. Web browsers remember passwords and people use consistent usernames and password patterns across sites. Both software and humans have adapted to this problem. People haven’t adapted to remembering which account they used to sign into a site.
If I sign up for Magnolia using one of the accounts I have (of the 7 external account types they offer, I have 5) what happens in 2 weeks when my cookie expires and I need to log in again? Even though I might use the same password across all of those accounts there isn’t an easy way for me to remember which account I chose to use to log in. Fundamentally, this approach to OpenID doesn’t give users less things to remember, but more.
I think a better approach is for site to allow either local logins or OpenID identities. When offering OpenID logins it’s important that sites help educate users about the value of OpenID rather than hiding it.