Replacing OpenID

  2008-09-22


OpenID has admirable goals: reducing the number of accounts you have to create and manage on the Internet. However, as I mentioned in my last post I’m a bit disappointed with how OpenID has worked in The Real World (that place that doesn’t care how pretty your APIs are).

So I thought I’d recommend an alternative: e-mail authentication.

Here’s how it works:

  1. Enter a comment on a blog with all the usual info: name, e-mail, an optional URL, and the comment.
  2. Receive an e-mail with a link that has a unique verification ID.
  3. Click the link, pass an optional CAPTCHA, and your comment is approved.
  4. Receive a cookie containing something like hash("secret"+email), so you don’t have to re-verify every time you comment.
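The four steps above, as an added example (not code from the original post), implemented as a small Python class with an in-memory store standing in for the blog's database; the class name, the `https://blog.example/verify?id=` link format and the hard-coded secret are assumptions for illustration. Step 4's cookie is computed as an HMAC-SHA256 over the commenter's e-mail rather than a plain `hash("secret"+email)`: a keyed MAC is the standard construction for a value the server must be able to recompute but nobody else can forge, and it avoids the length-extension property of `hash(secret || message)` with SHA-1/SHA-2 hashes. Verification IDs are unguessable, single-use and expire.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example secret; a real deployment loads this from configuration.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 24 * 60 * 60  # verification links are good for one day


class CommentVerifier:
    """Hypothetical stand-in for the blog's comment store (in-memory only)."""

    def __init__(self, secret=SERVER_SECRET, ttl=TOKEN_TTL_SECONDS):
        self._secret = secret
        self._ttl = ttl
        self._pending = {}   # verification token -> (comment, issued-at timestamp)
        self.approved = []   # comments that passed verification

    def _cookie_for(self, email):
        # Step 4: keyed MAC over the normalised e-mail, so the server can re-derive
        # the expected cookie from the address the commenter submits next time.
        normalised = email.strip().lower().encode()
        return hmac.new(self._secret, normalised, hashlib.sha256).hexdigest()

    def cookie_is_valid(self, email, cookie):
        # Constant-time comparison: a forged cookie should leak nothing via timing.
        return hmac.compare_digest(self._cookie_for(email), cookie)

    def submit(self, name, email, comment, url="", cookie=None):
        """Step 1. Returns ('approved', None) for a returning verified commenter,
        or ('pending', token) when a verification e-mail has to be sent."""
        entry = {"name": name, "email": email, "url": url, "comment": comment}
        if cookie is not None and self.cookie_is_valid(email, cookie):
            self.approved.append(entry)
            return "approved", None
        # Step 2: unguessable, single-use verification ID for the e-mailed link.
        token = secrets.token_urlsafe(32)
        self._pending[token] = (entry, time.time())
        return "pending", token

    def verification_link(self, token):
        # Hypothetical link format used in the verification e-mail.
        return "https://blog.example/verify?id=" + token

    def verify(self, token, now=None):
        """Step 3 (after any CAPTCHA). Consumes the token; returns the cookie value
        to set in the browser, or None if the token is unknown, used, or expired."""
        now = time.time() if now is None else now
        record = self._pending.pop(token, None)  # pop: the link cannot be replayed
        if record is None:
            return None
        entry, issued = record
        if now - issued > self._ttl:
            return None  # expired link; the commenter has to resubmit
        self.approved.append(entry)
        return self._cookie_for(entry["email"])


if __name__ == "__main__":
    v = CommentVerifier()
    status, token = v.submit("Alice", "alice@example.net", "First comment")
    print(status, v.verification_link(token))          # pending, e-mail this link
    cookie = v.verify(token)                            # user clicks the link
    print("cookie:", cookie)
    print(v.submit("Alice", "alice@example.net", "Second", cookie=cookie))  # approved
```

The cookie alone identifies nobody; it only proves that the e-mail address entered alongside it was verified earlier by whoever holds this browser, which is exactly the property step 4 needs.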

Making it better

Add a Jabber field as an alternative to e-mail. Only require the user to enter one or the other.

What am I missing?

This all seems like far too simple a solution, so I’m guessing there’s something I fundamentally don’t understand about OpenID. Good old e-mail verification just seems like a mechanism even your average user who uses the same password on every site can understand.