[wp-hackers] Should OpenID be in WP core?

Mark Jaquith mark.wordpress at txfx.net
Fri Mar 9 23:57:10 GMT 2007

On Mar 8, 2007, at 10:17 PM, Matt Mullenweg wrote:

> * If I hadn't been logged in:
> 1. The page tells me I'm not logged in, but doesn't give me a link  
> to login because of phishing. I'm asked to go to a bookmark or type  
> in WordPress.com.
> 2. I type in the URL to login.
> 3. After I log in and it redirects me to my admin page, a little  
> notice says there's an openid thingy in progress, and has a link.
> 4. If I click the link it puts me back to #2 above.

This is an interesting solution to the phishing problem.  I wonder  
how effective it will be.  It's pretty much counting on people  
getting so used to having to type in the address to get the login  
form that internal alarms will go off if they see a WP.com OpenID  
login form without having first manually typed the address or clicked  
their bookmarklet.

It may act as a Club solution... send OpenID phishers off looking for  
easier prey.  What are LiveJournal/6A/AOL doing to help prevent  
phishing of their OpenID solutions?

But discounting any deterrent factor, I'd guess it would have a  
measurable, but not overwhelming effect on the issue.  I don't think  
that one site is going to be able to erase years of "1. see login  
form that looks familiar 2. type in your user/pass" conditioning.

And I, for one, would like to see OpenID (client, not server)  
implemented in WordPress.  Maybe first as a bundled plugin, and then  
as core functionality.  It certainly makes turning on "registered  
users only" commenting an easier decision on your users.  I hate  
signing up for new services, but I'd be happy to spend 5 seconds  
clicking an OpenID "Allow" button.

Mark Jaquith

Covered Web Services
