Re: [Snowy] OpenID, user names, and registration (oh my!)

[Sander Dijkhuis <sander dijkhuis gmail com>]

Hi, here are a few thoughts.

Leon wrote:
> I think unique usernames are important, especially for sharing. For
> sync-only users who mainly want to backup their notes and maybe look at
> it them occasionally, it doesn't really matter that much I think.

In that case it seems important to have usernames for everyone, from
the start. If user John would have no username set yet, it will be
harder for user Jane to share her first note with him.

Sandy wrote:
>> I think it would be a better idea to create the user account with an ID
>> at first and require the user change his username in the next step. That
>> way if we decide not to require a username in the future, we simply
>> remove the form field to change the username.
>
> That's an interesting approach.  I'm concerned about letting the user
> change their unique username though.  It impacts URLs and what other
> users see in a fundamental way.  Maybe it's not really dangerous, but
> it just seems strange to let them be able to change their username
> *after* registration.  I need to think about this more.

Note that if Snowy lets the user change his unique username, it should
probably also be made impossible to claim previously used names.

Sandy wrote:
> That's a really interesting idea.  Currently we don't do anything with
> the user's email address.  I guess that for most things, it's not
> necessarily something we should *require* (though of course if they do
> provide one we can send them useful emails).
>
> However, if a non-OpenID user forgets their password, or an OpenID
> user forgets which OpenID URL they used for Snowy, I think the easiest
> way for us to help them is to have a "Forgot your login?" link, prompt
> for email, and then send them a password reset link or their OpenID
> URL, as appropriate.
>
> If we make email completely optional, are users without email
> addresses screwed if they forget how to log in?

I can imagine that remembering which OpenID provider you used when
registering for Snowy, would be about as hard as remembering which
email address you used. So having a "Forgot your login?" might not be
very useful.

The email address might be interesting as a replacement for the
username when sharing notes. When I want to share a note with a
friend, I probably know his email address, and probably am not sure
what username he used to register for Snowy.

Also for the sign-in action, it might be easier to ask the user for an
email address than for the OpenID provider. If the users enters
john gmail com, Snowy assumes that Google is the provider. If the user
enters an address that is not associated with an OpenID provider,
Snowy falls back to old-fashioned email/password authentication. This
approach seems to be suggested by Google's usability research report:

http://sites.google.com/site/oauthgoog/UXFedLogin

By the way, one thing Google's research reports notes about the method
the Snowy branch currently uses, with big branded buttons:
"Some websites that have experimented with federated login technology
have tried adding specific buttons for particular IDPs, in addition to
their regular login box.  For sites with technical users, that has
minimal impact, however sites with a wider audience have reported that
their regular users get confused by these additional options.

[…] Another website might add a sentence to the bottom of the login
box that says "Logins supported from: X Y Z" where X, Y, & Z are small
icons for some large IDPs who are not E-mail providers such as MySpace
& Facebook."

Sander