 

Which authentication mechanism to choose?

Well, in my free time, I'm making this small web site. The site will not require authentication; only some actions (like leaving a comment) will require it.

I would expect to have up to 100 (probably less) unique visitors a day. I don't really expect more than 50% to (bother to) register.

Right now, I'm thinking of three possible authentication mechanisms (but I'm open to suggestions):

  • OpenID authentication;
  • HTTP Digest or at least HTTP Basic authentication;
  • My own (form based) authentication.

OpenID seems to me a little bit of an overkill for a small site like this. Also, a buzzword like "OpenID" on the login page of my site might scare away the less tech-savvy people.

HTTP Digest (or Basic) authentication provides a low security level (or none at all), because the site will not be under HTTPS.

My own implementation would, most likely, suffer the same security problems as HTTP Digest would. I could, however, implement some more protection against brute-force attacks (display a captcha after three failures, etc.).

What other mechanisms would you suggest? What are the pros and cons that I'm not seeing? What would you choose?

Paulius asked Mar 02 '23 00:03


1 Answer

Well, if you want your visitors to leave comments, I really think you're better off with something like OpenID, because if you provide your own form-based authentication, who will really bother registering yet another account with some password, wondering whether they can trust you?

I think it's safe to say that people who like the internet own a Gmail account, and all those people have an OpenID (Google account).

I suggest you use that... that's what I would do.

John Leidegren answered Mar 08 '23 00:03