What happened was, I got an invite to Poetica, the new startup by Good Internet People Blaine and Maureen. (Poetica has a strong central idea and is aesthetically a treat.) The login experience was unlike anything I’d seen.
The screen had just one blank space: “Type your email address.” So I picked my address at our textuality.com family domain, where mail happens to go through Google apps.
The next thing I saw was the approval screen from Google saying “OK to use your identity to log into Poetica?” Then there I was, signed-in and seeing the new-user experience. Very, very slick; and of course no passwords involved. Go there, try it yourself, even if you don’t have a Poetica account; put in a few email addresses and watch what happens.
So I asked Blaine how it’d guessed which Identity Provider (IDP) and he said “MX record. But we try lots of other things too.” He listed a few, then wrote Fixing Sign-in, where he digs a little deeper.
So, I thought about this, and decided that:
This is good behavior and should be encouraged;
in fact, it should be offered as a service,
with an open-source implementation if anyone doesn’t want to rely on the service,
and should be protocol-independent, so it’ll work with Persona and SAML and OpenID and whatever comes next,
and it should let humans drop by and set the IDP for any email address they can prove they own,
and the code would be pretty easy to write for anyone comfortable with DNS and OpenID and HTTP and WebFinger and JSON/XML wrangling,
but maybe a little boring, so the people who are qualified wouldn’t bother, and the people who aren’t might find it scary.
So I think I’ll write it. I went and bought findIDP.com/.net/.org. I bounced the idea off Blaine and he didn’t think it was crazy. I don’t think it’ll be expensive to run; but if it is, I can probably get Google or the OpenID foundation or someone to cough up some dough, and who knows, maybe you could run ads on it.
Also I’m a little bored with client-side Java and server-side Ruby; feel like trying out some new technologies.
Contributions
Comment feed for ongoing:
From: Cédric Beust (Jun 12 2013, at 09:20)
This seems backward to me, typing a full email address is more of a hindrance than clicking on logo of well-known providers (Google, Facebook, ...) among a list.
Also, I’d rather choose which provider I want to authenticate with rather than the web site picking it for me (I usually avoid handing out my Google and Facebook credentials, I prefer to send them to an empty OpenID account I created just to that effect).
I’m all for the disappearance of passwords but replacing them with email addresses is not the solution.
[link]
From: Rinie (Jun 12 2013, at 10:42)
It is not e-mail as password, but as a username. That is quite common.
[link]
From: Dick Hardt (Jun 12 2013, at 11:25)
Sounds a lot like Mozilla'a Persona / Browser ID to me.
[link]
From: Anil John (Jun 13 2013, at 03:49)
The protocol independent aspect is very attractive. If the implementer is also given the option of white listing the IdPs it would support some of the Enterprise use cases.
[link]
From: Eran Sandler (Jun 13 2013, at 14:22)
Would be happy to contribute. We kinda lots some openness in recent years where specific major vendors kicked in and left the distributed identity guys some out hanging in there.
Of course, for every data there is meta data so for every authentication there is a meta authentication.
and I am kind of sick from running my own iDP or delegating it to myopenid :-)
[link]
From: Ross Reedstrom (Jun 14 2013, at 12:16)
I've been thinking about the new user sign on experience for free services a lot recently. We're in the middle of rewriting an Open Education focused service for textbook/didactic content. The model we've been trying to adopt is that originally used by stackoverflow (and to some extend, Amazon): allow as much use as possible before requiring sign on at all. Then, now that the user has some 'skin in the game', be as non-invasive as possible to authenticate.
Sounds like this might help the non-invasive bit.
[link]
From: m (Jun 14 2013, at 23:52)
"put in a few email addresses and watch what happens"
I did, and what happened is four 'Sign in with...' buttons appeared, each for a service I do not use and do not intend to use.
[link]