by drostie
3831 days ago
The problem is that then you need to force customers to be on Google/Facebook/whatever. There was (Still is!) something very similar in an organization called CAcert[1], which was a predecessor to the current Let's Encrypt project (free SSL certificates) that hasn't succeeded dramatically because it hasn't been able to get its root certificate into browsers. Basically they host parties, usually alongside a Linux or BSD conference, where trusted members will look at your legal documents and then affirm on their website that you are who you say you are. Some amount of "you are who you say you are" was then needed to get a free SSL certificate. But imagine that in this context: everyone keeps one secure CAcert account, and then when you need to reset your password, some sort of OAuth handshake with CAcert proves it. You have one secure account with CAcert, and all of your utilities and cell phone stuff and PayPal will only reset your password with a handshake with the CAcert servers.

[1] http://www.cacert.org/
However, even given such a pure, charitable utility, OAuth is still the best way to do this stuff, and that's really what I meant in my comment. Authing through a universal standard means you're not tied to ANY parties, and you can always offer the best of the bunch as an option. In fact, any such "utility" should enforce interoperability/standardization as a primary feature, lest it leave its users subject to economic/political volatility.
As for forcing customers to be on google/facebook/whatever, I see this as a sub-optimal practice insofar as it does NOT include such a pure utility, but not for any other reason. I don't have up to date data on the topic, but offering both Google and Facebook OAuth surely covers almost everyone, and even for the occasional user of neither it would still significantly reduce account proliferation and bad practices if everyone forced people to sign up for one of a few select accounts vs. the alternative of everyone rolling their own.