Tag Archives: authentication

State of Authentication

I’ve been working on some new websites the past month or so, and one thing that has me second-guessing myself and generally wasting a bunch of time is authentication. Ever since I read Jeff Atwood’s post¬†on this issue, I’ve been trying to figure out the ideal authentication setup for websites. Currently, I see 4 options:

Classic username/password

Pros:

  • Fairly straightforward to implement.
  • Everyone is used to it.

Cons:

  • A fair amount of work (ie, a signup page, login page, reset password page, session handling, etc)
  • Forces your users to remember (or more likely, re-use) a password.
  • You put your users at risk if you don’t use good practices to manage passwords.
  • Since most users re-use login info across multiple sites, if they get compromised on one of those sites, and unauthorized user can access their account on your site and cause problems.

Facebook Authentication

Pros:

  • Easy to implement.
  • Easier for your users to gain access to your website.
  • A very large percentage of the internet has a Facebook account.
  • No risk of compromising your users.

Cons:

  • Not everyone has a Facebook account.
  • Those who do might not want to associate it with sites they use.
  • Frighteningly large numbers of Facebook accounts are compromised daily, meaning you can still face unauthorized use of your site.

Basic OpenID

Pros:

  • Doesn’t require your users to signup on your site.
  • Doesn’t compromise users if your database is compromised.

Cons:

  • Slightly more difficult to implement.
  • Can be unfriendly to non-technical users.

JanRain Engage (or similar service)

Pros:

  • Very easy to implement (I’ve implemented JanRain in half a dozen languages/platforms now, and it is incredibly easy).
  • Gives your users lots of options (ie, if you offer Google, Facebook, Twitter, Yahoo, LinkedIn, and Windows Live as options, chances are pretty high that any given user is going to use at least one of those).
  • Doesn’t compromise your users if your database is compromised.
  • No requirement for a user to signup on your site, but you can still get a lot of useful data in some cases (although relying on it probably isn’t a good idea).

Cons:

  • Expensive if you create a lot of sites with low revenue per user (JanRain starts at $10/month).
  • Giving your users a lot of options is nice, but for those who have accounts with a lot of the options you provide, it can be tricky to remember which one you used to signup for which sites.
  • Relying on a third-party for authentication can make your website unusable if there is a technical outage, they terminate their relationship with you, or they go out of business. There are ways to mitigate the last two, but they require a lot of work.

Conclusion

I’m still not sure of the best option when it comes to authentication. It is clear to me that requiring a unique (or pseudo-unique, since users tend to use the same login info for every site) login for each site on the internet is a broken paradigm, but the other solutions have drawbacks of their own. I used JanRain on my last 2 sites, and am generally very happy with it, but I am still fairly uneasy about relying on a third-party service to handle such a critical part of my websites.