For a web based hobby project I want to allow users to log in and save data in their own accounts. I want to make this as simple as possible (both in terms of development and user experience) but I don't want to force users to use (for example) Facebook connect.<p>Here are a few pros and cons I've considered:<p>* Email+password. Pro: does not require users to have an account elsewhere. Cons: requires users to create yet another account; also requires me to write a lot of boilerplate code ('confirm password' functionality, 'forgot my password', etc.).<p>* Login with Facebook/Twitter. Con: forces visitors to have one of those accounts. Pros: most people have one of those; it allows login/signup with just a few clicks.<p>* OpenID. Pro: most people have this. Con: I'm not sure if the average internet user knows what it is (i.e. requires explaining that a Gmail-address is also an OpenID).<p>* Mozilla's BrowserID. Pro: seems easy to implement and easy to use. Con: I doubt that this is widely known and used.<p>What are your opinions as users? How do you prefer to log in? Any feedback is highly appreciated!
Email+password. As a user with a password manager (LastPass), I can log in with one click, use a unique password everywhere, and never forget a password. Can't beat it in terms of usability.<p>From the developer's perspective, there's a bit of boilerplate to be done, but it's nice to own the data and not rely on third party platforms.<p>I think there's an unfulfilled need for identity management by password managers. Why do I have to enter the same information everywhere? It would be nice to be able to click a "Create Account" button on a website and have it get my name, email, and new password from the LastPass plugin over a standard protocol.
I kinda like how easy facebook/twitter makes logging in to new sites, but I find it annoying when they request for permissions they do not really need.<p>Then again I like when a site allows me to create new account for the site, because this does not share my social data to the site, but the registration process is annoying, because I of course want to use the site right away.<p>OpenID is pretty cool system, but I do not use it, because I do not use any of the OpenID services like Google anymore.<p>Never before heard of Mozilla's BrowserID, so can not say much about it.<p>These days I have been thinking about system where log in form asks for email address and password. Then the client will send this email address to the server and the server will check if the address already exists in the database.<p>If the email does not exist then the server will reply to the client and the client will send the password to the server and the server will register new account and authenticate the user right away. Then the user can do whatever they need to do on the site.<p>If the email does exist then the server will reply to the client and the client will send somekind of hash generated to the server to authenticate the user. The hash function will use the user password as the secret key. Once the server receives this hash it will authenticate the account if the email and password were correct.<p>I think this kind of system would simplify the registration process. If you need the email address verified you can send the verification email on the registration process, but do not require the email to be verified right away, because it's damn annoying to go to your email to click the damn link to verify your email address which usually opens new tab in your browser when you already most likely have the site in open tab.
I might be a part of the minority, but generally I would rather give up my (Facebook|Twitter|GitHub) account than create a new account, for a few reasons.<p>1. My email is more important. I generally don't want you to have it if I feel like you might bug me. I can disable your access to my info on Facebook (and usually do), but with email you can still send me things I don't want.<p>2. I don't want to have to sign in. With Facebook logins I can usually click 1-2 buttons and I'm in. That's what I want. Unless my interest is particularly piqued, I will probably just Cmd+W you out of my life. :)<p>That being said I would never do something like this for say, my online banking account. But for social/online services? I would definitely take this route.
mathijs, you might want to look into remoteStorage. It’s an open protocol for per-user data storage. As it also has identification & authorization, the log in is inherent. It’s kind of like OpenID + Storage, except that we don’t use OpenID (but rather Webfinger, OAuth, CORS and Get put delete on a key value store).
For a developer, you just put in the remoteStorage.js client-side library and that enables everyone to log in to your app with their remoteStorage.<p>Check it out at <a href="http://unhosted.org" rel="nofollow">http://unhosted.org</a> and <a href="http://www.w3.org/community/unhosted/wiki/RemoteStorage" rel="nofollow">http://www.w3.org/community/unhosted/wiki/RemoteStorage</a>
There is also an IRC channel, #unhosted on freenode.
Usually I rather create new account instead of giving my facebook info for the site I do not trust.<p>We went with approach A and B for our site <a href="http://jackpotbuddy.com" rel="nofollow">http://jackpotbuddy.com</a>. We kept the Email+password signup to just 4 fields (Name, email, password and confirm password)