[wp-hackers] Should OpenID be in WP core?
mark.wordpress at txfx.net
Fri Mar 9 23:57:10 GMT 2007
On Mar 8, 2007, at 10:17 PM, Matt Mullenweg wrote:
> * If I hadn't been logged in:
> 1. The page tells me I'm not logged in, but doesn't give me a link
> to login because of phishing. I'm asked to go to a bookmark or type
> in WordPress.com.
> 2. I type in the URL to login.
> 3. After I login and it redirects me to my admin page, a little
> notice says there's a openid thingy in progress, and has a link.
> 4. If I click the link it puts me back to #2 above.
This is an interesting solution to the phishing problem. I wonder
how effective it will be. It's pretty much counting on people
getting so used to having to type in the address to get the login
form that internal alarms will go off if they see a WP.com OpenID
login form without having first manually typed the address or clicked
It may act as a Club solution... send OpenID phishers off looking for
easier prey. What are LiveJournal/6A/AOL doing to help prevent
phishing of their OpenID solutions?
But discounting any deterrent factor, I'd guess it would have a
measurable, but not overwhelming effect on the issue. I don't think
that one site is going to be able to erase years of "1. see login
form that looks familiar 2. type in your user/pass" conditioning.
And I, for one, would like to see OpenID (client, not server)
implemented in WordPress. Maybe first as a bundled plugin, and then
as core functionality. It certainly makes turning on "registered
users only" commenting an easier decision on your users. I hate
signing up for new services, but I'd be happy to spend 5 seconds
clicking an OpenID "Allow" button.
Covered Web Services
More information about the wp-hackers