Rethinking the User Login Process: User/Display Name and OpenID

Using openID has brought up some questions that I'm hoping the SO community can help me answer.

OpenID and the (now obsolete) Username

From what I've read, one of the main goals of openID is to eliminate the need for someone to create yet another username and password for some site they may only use once. While I think this is a really awesome idea, it does cause one point of confusion:

Usernames are used not only as an authentication device (login credentials), but as a means of identifying a user as they create content on a website (comments, thread posts, etc.).

My Concerns

  1. What do I use to identify someone on the site as they move through it? Do I still request they choose a username when signing up for my site?
  2. I've noticed on sites like SO, a "Display Name" is used instead of a username. This is a field that can be changed by the user.
    • How do you avoid confusion when a user decides to change their display name?

Restricting Who Can Login to Your Site Even If They have a valid OpenID

Imagine the following scenario:

  • You have a website that you only want you and three friends to be able to access.
  • In a traditional user authentication setup, you would create the accounts for your three friends manually and then email them their login credentials. In this case, however, you want them to use openID.

My Questions

  1. How do you restrict openID authentication to a very specific subset of people?
  2. How do you set up accounts for people who have yet to authenticate to your site using OpenID?

Thanks again, SO community for your time and help with this. You guys are awesome.

Levi Hackwith asked Jul 15 '10 02:07


2 Answers

How do you restrict openID authentication to a very specific subset of people?

Can't you just make an account for them, and disable registrations, so that only they can sign in? When using OpenID, you still have user accounts, so you can do similar restrictions to what you could do normally. You can treat the OpenID similar to a username and only allow certain OpenIDs to register/login.

How do you set up accounts for people who have yet to authenticate to your site using OpenID?

I'd probably ask for a display name during the registration process. Some OpenID providers pass a display name back after authentication, which you could probably use if it's not taken on your site yet.

Daniel Lo Nigro answered Sep 28 '22 07:09


eBay has one method for avoiding confusion/fraud with name changes (or did a few years back). For 30 days or something like that, there is a badge next to your name that says you just changed your name. If you wanted to, you could even provide full name history.

As far as limiting access, they still have accounts on your site that are created by your site's code. OpenID just provides the authentication mechanism. You could still require, say, that all new users are validated by an admin before they can access important parts of your site.

Another way to describe it is to think of authentication and authorization as two different concepts. OpenID only covers authentication. Your site would manage the authorization for an authenticated account.

Scott Stafford answered Sep 28 '22 09:09
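The two answers above describe the same site-side layer: OpenID only authenticates an identifier, and the site decides which identifiers may get an account (an allowlist of pre-provisioned OpenIDs), whether an admin must approve them, and how display-name changes are shown. The following Python sketch is an added example, not code from the question or either answer; the OpenID identifiers, the admin-approval flag and the 30-day "formerly" badge are assumed/constructed details, and the normalizer is a simplified stand-in for what an OpenID library would do.

```python
from dataclasses import dataclass, field
from datetime import date
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data: the site owner's allowlist of OpenID identifiers,
# provisioned before the invited friends ever log in (hypothetical values).
ALLOWED_OPENIDS = {"https://alice.example.net/", "https://bob.example.org/"}

def normalize_openid(identifier: str) -> str:
    """Simplified canonical form so 'HTTPS://Alice.example.net' matches the
    allowlist: lowercase scheme/host, drop the fragment, ensure a path.
    (Assumption: a real site would use its OpenID library's normalizer.)"""
    p = urlsplit(identifier.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))

@dataclass
class Account:
    openid: str             # stable identity: the authenticated identifier
    display_name: str       # what other users see; the user may change it
    approved: bool = False  # authorization gate the site itself controls
    name_history: list = field(default_factory=list)  # (old_name, changed_on)

accounts = {}  # openid -> Account; a database table in practice

def login(claimed_id, provider_name=None):
    """Runs after the provider has authenticated claimed_id. Authentication
    is done; this decides authorization and returns (status, account)."""
    oid = normalize_openid(claimed_id)
    acct = accounts.get(oid)
    if acct is None:
        if oid not in ALLOWED_OPENIDS:
            return "denied", None  # valid OpenID, but not one of the invited people
        taken = {a.display_name for a in accounts.values()}
        name = provider_name if provider_name and provider_name not in taken else oid
        acct = accounts[oid] = Account(oid, name)  # pending until an admin approves
        return "pending", acct
    return ("ok" if acct.approved else "pending"), acct

def change_display_name(acct: Account, new_name: str, today: date) -> None:
    acct.name_history.append((acct.display_name, today))
    acct.display_name = new_name

def name_badge(acct: Account, today: date, window_days: int = 30) -> str:
    """eBay-style 'recently renamed' marker shown beside the name for a while."""
    if acct.name_history and (today - acct.name_history[-1][1]).days < window_days:
        return f"(formerly {acct.name_history[-1][0]})"
    return ""
```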