by GrinningFool 4662 days ago
No, it's time to kill passwords. If I need to log in, send me two links and/or temporary auth codes: a persistent login clearly labeled, and a transient login for use in public places. If you're a serious site (banks, utilities, etc), use two-factor auth, don't accept anything less and of course, don't persist my login.

Alternatively, I keep hoping to see user-controlled federated ID gaining traction - you know, a personal 'wallet' that I maintain myself and store all of my identity in. And when you want to know who I am, you contact my server and it tells you whether I approve it. I'd happily take this extra step every time. However, I've realized that this will never happen - too many people don't care, and no major tech companies are willing to push it for fear of backlash.

While I'm wandering further off-subject (but still reasonably tangential): dear people who make marketing email systems, please stop requiring me to log in when I follow your unsubscribe link. One might begin to expect that you add this extra stumbling block to make it harder for me to do what I want - and that's certainly no way to get my business. Every time I get an email from you, I'm reminded that I don't want to be receiving them.

I suppose it's possible that someone has hijacked my email credentials and that they may be fraudulently unsubscribing me. But that's a risk I'm willing to take. You - you hypothetical marketer you - should be too, unless you're a bank. A pissed off customer is not one who will do business with you no matter how many mailings you send.

edit: typos and correctness
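The "two links" idea from the comment above, worked through as an added example (not the commenter's code): the server e-mails a persistent and a transient login token, keeps only a hash of each, honours the first one redeemed exactly once, invalidates its sibling, and maps the kind to a session lifetime. Link and session lifetimes are assumptions chosen for the example.

```python
import hashlib
import secrets
import time

# Lifetimes for the two link kinds; the numbers are assumptions for this example.
# A transient link yields a browser-session cookie only (no persisted login).
LINK_KINDS = {
    "persistent": {"link_ttl": 15 * 60, "session_ttl": 30 * 24 * 3600},
    "transient":  {"link_ttl": 15 * 60, "session_ttl": None},
}


class MagicLinkLogin:
    """Issues e-mailed login links and redeems each batch at most once."""

    def __init__(self, now=time.time):
        self.now = now  # injectable clock so expiry can be tested deterministically
        self._pending = {}  # sha256(token) -> (user, kind, expires_at, batch_id)

    def issue(self, user):
        """Return {kind: token} for one e-mail; only token hashes stay server-side,
        so a leaked table cannot be replayed as logins."""
        batch_id = secrets.token_hex(8)
        links = {}
        for kind, policy in LINK_KINDS.items():
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self._pending[digest] = (user, kind, self.now() + policy["link_ttl"], batch_id)
            links[kind] = token
        return links

    def redeem(self, token):
        """Return (user, session_ttl), or None if unknown, expired or already used."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # pop makes the link single-use
        if entry is None:
            return None
        user, kind, expires_at, batch_id = entry
        # Whichever link the user clicked, the sibling from the same e-mail dies too.
        for stale in [d for d, e in self._pending.items() if e[3] == batch_id]:
            del self._pending[stale]
        if self.now() > expires_at:
            return None
        return user, LINK_KINDS[kind]["session_ttl"]
```

Redeeming the transient link returns a `None` session lifetime, which the caller turns into a cookie with no expiry attribute; the persistent link returns the long lifetime.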

4 comments

> dear people who make marketing email systems, please stop requiring me to log in when I follow your unsubscribe link.

Isn't this illegal according to the CAN SPAM act, at least for the types of emails it covers? http://www.business.ftc.gov/documents/bus61-can-spam-act-com...

> Isn't this illegal according to the CAN SPAM act ...

Yes, it is. The Can-Spam Act requires a simple opt-out procedure. Therefore requiring people to sign up in order to opt out is a violation of the law. Also, if you sign up, you become a customer, and as a customer, the company acquires the right to spam you till the sun goes down (the Can-Spam Act doesn't apply to customers).

I'm not sure - in the cases I'm considering, I did initiate a relationship with them however long ago when I registered [for whatever reason], and they are giving me the option to opt out. It's a safe bet that buried somewhere in the ToS I've given them the right to contact me for marketing by registering.

But a year later when they suddenly decide to actually do that marketing, it's annoying because I no longer even know what that account is for - never mind how to log in.

Many places are making it truly one-click, but there are a fair number that still require you to authenticate before you can change 'account settings' like notification preferences.

Erm... TL;DR: Because of the existing relationship, I'm not sure that CAN SPAM applies.

That makes sense. I wasn't thinking about that distinction. It's certainly a terrible practice, regardless.

Mozilla's Persona seems like an option. You can self-host and it seems to do what you want.

Thanks, I hadn't heard about that - it's very close to what I'm looking for. I'll be taking a closer look - though without uptake across major service providers, it'll likely remain niche.

(I say this after having only skimmed it - could be wrong.)

> No, it's time to kill passwords.

> don't persist my login

You say no, but it reads yes.

I can see that - though my answer was more of a sidestepping of the question, by prefixing it with "no" it certainly doesn't seem that way.

Q: "Have you stopped beating your wife?" A: "No. It's time to discuss the appropriateness of wife beating."

Hmm...

Being that you support wild-abandon ubiquitous centralized digital identity, I'm guessing you use Gmail, in which case you can easily make a filter for the spam rather than going through the trouble of unsubscribing.

That's not quite what I support - I support identity that I control. Centralized with me (for every 'me' who participates). Not with any third party.

Filtering this stuff as spam is a workaround, though, not a solution.