[OSM-dev] User authentication/Single sign on
Sven Anders
sven at anders-hamburg.de
Sun Nov 30 13:21:22 GMT 2008
On Saturday, 29 November 2008 17:21, David Earl wrote:
> (b) that it was incredibly slow. It has to bounce back and forth between
> two, sometimes three, different web sites several times and do some
> amazingly complicated maths on the way. It was especially slow the first
> time someone logs on (after which it has some stuff cached, but isn't a
> very nice first impression)
Can you say it in seconds not in words?
"especially slow" is very different from user to user.
> OpenID is a nice idea, but the advantage of a cross site login is lost
> in the overhead of using it in my experience.
I use OpenID everywhere I can. For me it is no overhead, but a good
way not to have to know many passwords.
> The biggest criticism of openID is the vulnerability of users to
> identity theft: a user can be phished by an unscrupulous site into
> entering their login details at a site which looks like their openID
> provider but isn't, and therefore lose their password - which of course
> gives the intruder access to not one but a wealth of sites used by the
> victim.
But if it isn't, there will be another URL displayed in the browser window.
On the other hand,
* there are plans to implement OpenID in your operating system.
* you can use browser TLS certificates to log in to OpenID. This is safer than
  my online banking at the moment.
>
> So on balance I think I'd say don't bother - just re-register with the
> same name and password at the partner site.
And if one site is hacked, everybody would know your password and can log in to
every site :-(
I would like a solution where the user can choose whether he wants to use single
sign-on (with overhead) or not (and must register and know passwords on and
on).
Sven