OpenID has admirable goals: reducing the number of accounts you have to create and manage on the Internet. However, as I mentioned in my last post, I’m a bit disappointed with how OpenID has worked in The Real World (that place that doesn’t care how pretty your APIs are).
So I thought I’d recommend an alternative: e-mail authentication.
Here’s how it works:
- Enter a comment on a blog with all the usual info: name, e-mail, an optional URL, and the comment.
- Receive an e-mail with a link that carries a unique, unguessable verification ID.
- Click the link, pass an optional CAPTCHA, and your comment is approved.
- Receive a cookie that proves the address was verified, something like hash("secret" + email) where "secret" is known only to the server, so you don’t have to re-verify every time you comment.
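Here is the whole flow as a small, runnable model. This is an added example, not code from the original post: it keeps pending comments in memory, captures "sent" e-mails in a list instead of talking to an SMTP server, and uses a hypothetical verification URL on example.com. Two details differ from the sketch above on purpose. The verification ID comes from the OS CSPRNG and is single-use with an expiry, so a leaked or replayed link stops working. The cookie is the e-mail address plus an HMAC over it under the server secret rather than a bare hash("secret" + email): a plain hash of secret-then-message is subject to length extension with SHA-2 family hashes, HMAC is the standard keyed construction, and the cookie has to carry the address anyway so the server can recompute the tag. Constant-time comparison of the tag is the other check a practitioner would want.

```python
"""Comment approval by e-mail verification, plus a keyed 'already verified' cookie.

Toy in-memory model of the flow described above (not the post's own code).
Assumptions: one server-side secret, a simulated outbox instead of SMTP,
and a hypothetical verification endpoint on example.com.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 60 * 60           # assumption: verification links expire after a day
VERIFY_URL = "https://example.com/verify"  # assumption: hypothetical endpoint


def normalize_email(email: str) -> str:
    """Canonical form used for both the cookie and the equality check."""
    return email.strip().lower()


class CommentStore:
    def __init__(self, secret: bytes, now=time.time):
        self.secret = secret      # HMAC key; load from config in a real deployment
        self.now = now            # injectable clock so expiry can be tested
        self.pending = {}         # token -> (comment record, expiry timestamp)
        self.approved = []        # comments that passed verification
        self.outbox = []          # (address, verification link): stand-in for e-mail delivery

    # step 1: visitor submits name, e-mail, optional URL and the comment
    def submit(self, name, email, comment, url="", cookie=None):
        record = {"name": name, "email": normalize_email(email), "url": url, "comment": comment}
        # step 4 on later visits: a valid cookie for the same address skips re-verification
        if cookie is not None and self.verify_cookie(cookie) == record["email"]:
            self.approved.append(record)
            return "approved"
        # step 2: mail a single-use, unguessable token (256 bits from the OS CSPRNG)
        token = secrets.token_urlsafe(32)
        self.pending[token] = (record, self.now() + TOKEN_TTL_SECONDS)
        self.outbox.append((record["email"], f"{VERIFY_URL}?token={token}"))
        return "pending"

    # step 3: visitor follows the link (and passes the optional CAPTCHA)
    def confirm(self, token, captcha_passed=True):
        """Return the 'verified' cookie on success, None otherwise."""
        entry = self.pending.get(token)
        if entry is None:
            return None
        record, expires_at = entry
        if self.now() > expires_at:
            del self.pending[token]   # stale link: discard the pending comment
            return None
        if not captcha_passed:
            return None               # token stays valid so the visitor can retry the CAPTCHA
        del self.pending[token]       # single use: a replayed link must fail
        self.approved.append(record)
        return self.make_cookie(record["email"])

    # step 4: cookie = e-mail plus HMAC-SHA256(secret, e-mail); only the secret is needed to check it
    def make_cookie(self, email):
        email = normalize_email(email)
        mac = hmac.new(self.secret, email.encode(), hashlib.sha256).hexdigest()
        return f"{email}|{mac}"

    def verify_cookie(self, cookie):
        """Return the verified e-mail address, or None if the cookie is missing or forged."""
        if not cookie or "|" not in cookie:
            return None
        email, mac = cookie.rsplit("|", 1)
        expected = hmac.new(self.secret, email.encode(), hashlib.sha256).hexdigest()
        # constant-time comparison so the tag cannot be guessed byte by byte
        return email if hmac.compare_digest(mac, expected) else None


if __name__ == "__main__":
    store = CommentStore(secret=secrets.token_bytes(32))
    print(store.submit("Alice", "Alice@Example.com", "First comment"))      # pending
    address, link = store.outbox[-1]
    cookie = store.confirm(link.split("token=")[1])
    print(store.submit("Alice", "alice@example.com", "Second", cookie=cookie))  # approved
```

In a real deployment the cookie would also be set with the Secure and HttpOnly flags and an expiry, and the outbox would be replaced by whatever sends the message; a Jabber/XMPP channel is just a different delivery function for the same token.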
Making it better
Add a Jabber field as an alternative to e-mail, and only require the user to enter one or the other; the verification link is then delivered over XMPP instead of by mail.
What am I missing?
This all seems way too simple a solution, so I’m guessing there’s something I fundamentally don’t understand about OpenID. Good old e-mail verification just seems like a mechanism that even your average user-who-uses-the-same-password-on-every-site can understand.