On 11/23/11 11:54 PM, Joe Devon wrote:
>
> I only meant as a backup for BrowserId, not for each website.

Following up on this interesting thread...

In the case of centralized third-party auth, there is *one* entity
responsible for managing that account (Facebook, Twitter, Google), and
ownership of that account should never be revoked (in theory... in
practice there are cases where those accounts are revoked, and that
situation is pretty bad for those users.)

In a decentralized system like BrowserID, where there are many Identity
Providers with varying account revocation / reassignment policies, it's
conceivable that a user would lose access to their email account and
instantly lose access to the web sites that depend on that account via
BrowserID.

I don't think this will be that common an occurrence, but when it does
happen, a fallback exists only if the *web site* has an alternative way
to identify the user. A backup email address is a good idea.

Austin's point is true: web sites can do this now with two BrowserID
calls. That's why I'm not pushing hard on the backup-email flow. That
said, I think it will be worth considering at some point, so that it can
be a unified flow at signup.

SMS addresses this problem only if BrowserID can deliver a trustworthy
assertion that the user owns a particular phone number. I don't know how
to do that at this point, as I don't think there are distributed trust
chains for phone numbers.

-Ben
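The "two BrowserID calls" fallback Ben describes, as an added example that is not part of the thread and not BrowserID's own code: a relying party keeps an account keyed by a user id rather than by a single email, links a second verified address with a second sign-in, and lets the user unlink an address they have lost so that a later reassignment of that address at the Identity Provider does not land the new holder in the old account. `check_assertion` is a hypothetical stand-in for posting the assertion to a real verifier (it only checks audience and expiry on a constructed dict), and the audience URL and addresses are placeholders.

```python
import time

# Placeholder audience for this relying party (assumption, not a real site).
SITE_AUDIENCE = "https://example.invalid"


class BadAssertion(Exception):
    """Raised when an assertion fails the relying-party-side checks."""


def check_assertion(assertion, audience, now=None):
    """Hypothetical stand-in for a real BrowserID verifier.

    `assertion` is a constructed dict {"email", "audience", "expires"}; a real
    deployment would hand the signed assertion to a verifier instead. Returns
    the asserted email, normalised to lower case.
    """
    now = time.time() if now is None else now
    if assertion.get("audience") != audience:
        raise BadAssertion("audience mismatch")
    if assertion.get("expires", 0) <= now:
        raise BadAssertion("assertion expired")
    email = assertion.get("email")
    if not email or "@" not in email:
        raise BadAssertion("no email in assertion")
    return email.lower()


def is_valid(assertion, audience, now=None):
    """Boolean wrapper around check_assertion for callers that do not want exceptions."""
    try:
        check_assertion(assertion, audience, now)
        return True
    except BadAssertion:
        return False


class RelyingParty:
    """Account store where one account may own several verified emails."""

    def __init__(self, audience):
        self.audience = audience
        self.accounts = {}     # user_id -> set of verified emails linked to it
        self.email_owner = {}  # email -> user_id
        self._next_id = 1

    def login(self, assertion, now=None):
        """First BrowserID call: sign in by any linked email, or create an account."""
        email = check_assertion(assertion, self.audience, now)
        uid = self.email_owner.get(email)
        if uid is None:
            uid = f"user{self._next_id}"
            self._next_id += 1
            self.accounts[uid] = {email}
            self.email_owner[email] = uid
        return uid

    def link_backup_email(self, uid, assertion, now=None):
        """Second BrowserID call, made while `uid` is already signed in."""
        email = check_assertion(assertion, self.audience, now)
        if self.email_owner.get(email, uid) != uid:
            raise ValueError("email already belongs to another account")
        self.accounts[uid].add(email)
        self.email_owner[email] = uid

    def unlink_email(self, uid, email):
        """Drop an address the user no longer controls; never drop the last one."""
        if email not in self.accounts[uid]:
            raise KeyError(email)
        if len(self.accounts[uid]) == 1:
            raise ValueError("unlinking the last email would lock the account")
        self.accounts[uid].discard(email)
        del self.email_owner[email]


def demo():
    """Walk through loss of the primary address and reassignment by the IdP."""
    rp = RelyingParty(SITE_AUDIENCE)
    t = 1_000_000  # constructed clock value

    def assertion(email, issued_at):  # constructed assertion, 2-minute lifetime
        return {"email": email, "audience": SITE_AUDIENCE, "expires": issued_at + 120}

    alice = rp.login(assertion("alice@idp-a.example", t), now=t)
    rp.link_backup_email(alice, assertion("alice@idp-b.example", t), now=t)

    # Alice loses her idp-a account and can no longer obtain assertions for it,
    # but the backup address still gets her in, and she removes the lost one.
    again = rp.login(assertion("alice@idp-b.example", t), now=t)
    rp.unlink_email(again, "alice@idp-a.example")

    # Later the IdP reassigns the address; the new holder's assertion now
    # creates a fresh account instead of landing in Alice's.
    other = rp.login(assertion("alice@idp-a.example", t + 3600), now=t + 3600)
    return alice, again, other


if __name__ == "__main__":
    print(demo())
```

The point of `unlink_email` is that the site, not the Identity Provider, decides which addresses still map to an account; without it, the reassignment case the thread worries about would hand the old account to whoever receives the address next.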