New Web App / Website - Authentication


(Not sure if this was a programming or startup question, but I will ask you guys) Authentication on a new website:

Should I go with OpenId, or use my own Forms-based authentication. My website is not geared towards technology buffs, so I am thinking I might scare people away with OpenId. Also, Forms-based is a lot easier (for me) to get up and running.

I would like to offer OpenId in future releases, but I am wondering if I am going to cause myself more headaches by not fully implementing OpenId in the beginning.

Website Security

asked Oct 26 '10 at 22:55
1,340 points
Top digital marketing agency for SEO, content marketing, and PR: Demand Roll

6 Answers


Why not offer both? I would definitely go with forms-based authentication, specially if your users are not tech savvy, OpenId is great but I have heard from many people offering SaaS solutions that not many people use it. I am currently working in a SaaS product myself and I am using forms-based authentication... if enough people ask about OpenId then I'll implement it later.

answered Oct 26 '10 at 23:29
4,815 points
  • That's what I was leaning to ... plus I am reading *Getting Real* by 37signals, and I am going to go with whatever makes me release faster. Then like you said, it users want it, I will add it. – Martin 13 years ago


It depends on your market but I would generally say no.

You're unlikely to lose users by only implementing forms based, but you may lose them if you only implement OpenID.

If this is true for your market, you need to implement forms based. You can add OpenID at a later date, but you should only do so when you have nothing more important to add (which may well be never).

answered Oct 28 '10 at 02:28
John Plummer
566 points


I personally dont see any reason to adobt open id. The benefits for small sites are not that great. As for user experience, i think its about the same. Its nice to be able to do a one click registration, but asking someone for an email, name and password is not that devestating where you are going to lose users.

My opinion do what is easiest.

answered Oct 26 '10 at 23:24
2,079 points


You should implement form based authentication, but take care on what platform you'll use.

For instance, if you're using Ruby On Rails, you could use or - that will allow you grow your authentication mechanism as your needs evolve.

You'll find that with most modern web frameworks there are plenty solutions like that available.

answered Jan 7 '11 at 21:09
704 points


If you are going to offer OpenId in future releases I would suggest that you either implement or at least work out how you are going to implement it now.

If you build a username/password type sign on and later want to add OpenId support you may find yourself rewriting large parts of the code and database, not to mention having to rework the whole flow of the sign on process.

If you at least think it through (how will you display, store and authenticate different users) and have your database ready with any extra columns you can make the decision to adopt or not at a later phase.

answered Oct 27 '10 at 10:11
1,257 points


Just go with the forms-based authentication. If your app gets up and running AND you see a demand for OpenID you can look at implementing it.

I've never seen a web-app where OpenID made up any signficant number of users (say more than 2%). In addition, with the popularity of Facebook, Twitter, and LinkedIn sign-in you would probably be better off (after your app is running) looking at implementing those.

Stop 10 random people tomorrow and ask them if they have an OpenID (outside of a developers conference or the Google campus). I would be shocked if more than 1 of them said yes. Then ask them if they have a Facebook or LinkedIn account. You'll probably get 5-6 yes responses - more if you are asking younger people and/or office workers.

answered Jan 7 '11 at 15:46
146 points

Your Answer

  • Bold
  • Italic
  • • Bullets
  • 1. Numbers
  • Quote
Not the answer you're looking for? Ask your own question or browse other questions in these topics:

Website Security