Should you use OpenID or other website’s services (facebook, twitter) for website login?
Recently I was developing a website where the owner was interested in use OpenID for their user to login with. Now there are many positive reasons to use an OpenID login, but before jumping into development I conducted research into the pros and cons of such a login method. In the end we decided not to use OpenID for it appeared to be a nightmare.
In short. I personally would ‘almost’ never opt to using OpenID or other similar login services from other website as a login system for my site.
‘Almost never’? I hear you say. We’ll it does have some advantages but in short I would not use it. Unless there was a significant advantage to use it. Such as accessing a users facebook friend list.
What is OpenID?
OpenID is a system where you can allow users to login to your website via a third party login systems. If you have an account with a site that supports OpenID then you can log into another other sites that support OpenID with the same login.
Other websites login services
The most popular ones here are twitter and facebook. They provide their own login service for other websites to use. For example a website can opt to use the facebook login service to enable users to login to their site. So if a user has a facebook account they can use that for login, via the facebook login service, to login to your site.
Reason why NOT to use an OpenID system or external website login systems
From what I can tell the cons out way the pros. After much research, testing, article reading, pod cast interviews, etc, these are some of the points that I have discovered in not supporting the use of external login services.
- It is a solution to a problem that does not exist. Users have no issue with creating accounts, most people on the internet are accustomed to it. The normal process for creating a membership and login is not faulted and not a problem. So fixing something that is not an issue is adding overheads.
- By using OpenID or another service you are proving that third party service with analytical data about your site. Data that can they can use for their own purposes. IE who uses your site, how many login you get, etc.
- If something changes in the API for the external service (ie the way the code works) then your website will need to be updated in order to cater for these changes. And in the mean time it would be possible that users cannot login to the site.
- If the service that is providing the login fails or goes down, then no one can login to you site and there is nothing you can do about it. It is beyond your control and people cannot login.
- If a site offers multiple choices for login, people may still get confused as to which one they used. IE if they used their facebook account or their google OpenID?
- The terms and conditions used for some of these services allow users details to be passed around without your knowledge. It has been known for login providers to supply your details to third party sites that you login to without your permission. These sites pay for the privilege.
- If the third party login service blocks or deletes a user’s account the user will not be able to login to other sites that they have used the third parties login service. IE if you use facebook to login to a website and facebook blocks or deletes your account (which facebook can do without warning), you cannot access any websites that you have used your facebook login with. This will also cause the lose of your data within these websites as they are tied to a facebook account that no longer exists.
- Using other services and OpenID can created more work for the development of the site. Plus difference login systems work in difference ways. Hence multiple systems need to be developed to handle the different login types.
If you are running a business with membership you will be relying on your login system. If the login system goes down and customers cannot access the site then this is very costly and completely out of your control. Your business will shut down and nothing can be done.
There is also an issue if users do not remember their login or which login service they used. Because you cannot inform the customer which one they used or even reset password for them. This makes the process more difficult for the customer if something goes wrong.
For all these reasons I would not use an external system. I think it puts your website more at risk than solving issues.
Why should someone use OpenID or another login service.
So it still has good points but not enough for me to gain its favor.
- If you do not have a login system or do not know how to build one, using an external solutions can be useful, secure and quick.
- Users may recognise the OpenId supplier who they trust. Users are more likely to sign up to your website with a trusted login supplier
- Services such as facebook can provide other information about the user that can be useful for your site. Such as a list of friends, avatar, etc.
There are arguably more benefits of OpenID in the long run but for the purposes of an important website here and now, I cannot think of much more.
Personally I would not use a third party service as the sole access to my website. Maybe if multiple options are included but then development, maintenance and work load is increased. In addition you would always need to have your own login to maintain the integrity of your business and service to clients in-case something goes wrong with the third party. So I do not see a reason to use these services unless you have something special to gain from them and are prepared to deal with potential headaches.