Say I have a site, like StackOverflow, which supports OpenID login only. Suppose someone had an account on the site, bound to his OpenID, and then he lost access to his OpenID provider (that’s surely possible and not harder than losing your email password). How would he then restore access to his account?
I see two options: one is the usual mail-me-a-key sequence, only appropriate if he had provided an email address.
Two is he could have provided a backup OpenID for such emergencies (that’s what SO does i presume).
How do you (or would you) implement access recovery with OpenID? Any thoughts?
I’m using RoR + Authlogic-openid, if that matters.
I wouldn’t. I’d rely on the user’s ID provider to handle this. If the user’s provider doesn’t, well, the user should pick a new provider next time 🙂 This may sound user-unfriendly, but it just pushes the requirement to the provider, which is part of the OpenID philosophy. Losing access is not the worst thing the provider can do to the user, so I feel comfortable relying on the provider to deal with the situation properly.
One way to be helpful is to allow the user to associate a second identity with their account – a user who loses access to one can use the other. This has to be done, by the user, before access was lost, however.
This is what StackOverflow does – you can add additional identities while authenticated, and if you log out and try to log back in, you aren’t offered a non-OpenID login option.