Steve Wortham

Reputation: 22260

What if the user can't log in with their OpenID?

Scenario: A user logs into a site (like StackOverflow) with an OpenID. A year later they return to the site but their OpenID provider has gone out of business and won't let them log in.

How best should they recover from this situation? And are there any OpenID-enabled sites you know of that have already implemented a solution for this?

There is an excellent article here about relying party best practices and they have a good suggestion but I'm still looking for an example of this in action:

Provide Lost Identifier functionality to switch to a new identifier without access to the old one

Provide a mechanism to switch an account to use a new identifier without access to the old identifier(s) associated with the account. This can take a similar form to the traditional "Forgot your password?" email verification dance, assuming that you have the user's email address on file.

Rationale: Users will sometimes lose the ability to use their identifiers, such as when their provider ceases to offer service to them. This functionality allows users to recover from this situation without losing their data.

I have some vague idea of how I can accomplish this with a token of sorts that's sent to the user's email address. But again, if someone else has already figured out a good solution with details I may not have thought of yet, then that'd be better.

Upvotes: 5

Views: 421

Answers (3)

Steve Wortham

Reputation: 22260

I implemented the account recovery feature I was thinking about. After letting the idea simmer for a while, I think I've come up with a pretty simple process for the user that's still secure.

Here's the process:

  1. Click the "having trouble" link under the OpenID buttons.
  2. Type in your email address and click "Send Account Recovery Email."
  3. Open the email and click the link. (The link has a one-time-login token in the querystring.)
  4. You'll automatically be logged in to my site (the one-time-login token will be destroyed so it can't be used again) and you're instructed to log in with a secondary OpenID.

I also made a video demonstrating this:

http://regexhero.net/blog/2010/01/using-openid-on-regex-hero.html

Upvotes: 2
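The four-step flow above, written out as an added Python example (not the Regex Hero code, which is not shown on this page). It assumes in-memory dictionaries standing in for the site's account and token tables, a constructed link shape (`/recover?token=...`), and a 15-minute lifetime for the link; the page states none of these. Tokens are stored only as SHA-256 hashes so a leaked table does not hand out live login links, and redemption pops the entry so the link works exactly once, which is the property step 4 relies on. The same helper also covers the "attach a backup identifier" suggestion in the other answers.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed in-memory stores standing in for the site's database (assumption).
ACCOUNTS = {"alice@example.com": {"openids": ["https://defunct-provider.example/alice"]}}
RECOVERY_TOKENS = {}   # sha256(token) -> {"email": ..., "expires": ...}
TOKEN_TTL = 15 * 60    # seconds the emailed link stays valid (assumed value)


def _hash(token: str) -> str:
    # Store only a hash so a database leak does not expose usable login links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_recovery_token(email: str, now: Optional[float] = None) -> Optional[str]:
    """Step 2: mint a one-time token for an address already on file.
    Returns the raw token (to embed in the emailed link) or None if the
    address is unknown; the HTTP response should look the same either way
    so the form cannot be used to enumerate registered addresses."""
    now = time.time() if now is None else now
    if email not in ACCOUNTS:
        return None
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    RECOVERY_TOKENS[_hash(token)] = {"email": email, "expires": now + TOKEN_TTL}
    return token


def build_recovery_link(token: str, base_url: str = "https://example.test") -> str:
    # Constructed URL shape; the real site's recovery path is not on the page.
    return f"{base_url}/recover?token={token}"


def redeem_recovery_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Step 4: consume the token exactly once.
    Returns the account's email on success, None if the token is unknown,
    already used, or expired. pop() destroys the entry on first presentation."""
    now = time.time() if now is None else now
    entry = RECOVERY_TOKENS.pop(_hash(token), None)
    if entry is None or now > entry["expires"]:
        return None
    return entry["email"]


def link_new_openid(email: str, new_openid: str) -> list:
    """The recovered session's only job: attach a secondary identifier so the
    account is no longer tied to the provider that went away."""
    ids = ACCOUNTS[email]["openids"]
    if new_openid not in ids:
        ids.append(new_openid)
    return ids


if __name__ == "__main__":
    tok = issue_recovery_token("alice@example.com")
    print("email this link:", build_recovery_link(tok))
    print("first click  ->", redeem_recovery_token(tok))   # account email
    print("second click ->", redeem_recovery_token(tok))   # None: link already used
    print(link_new_openid("alice@example.com", "https://backup-provider.example/alice"))
```

The session created after a successful redemption should be limited to the "add a new OpenID" page rather than being a full login, and an expired or already-used link should fail closed, which is what the `None` return paths do here.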

ceejayoz

Reputation: 180176

StackOverflow allows multiple OpenIDs to be associated with an account, so you can set up a backup provider.

Another solution might be to collect the user's e-mail address, and send a reset link to that e-mail address.

Ultimately, you're going to have the occasional user in any system that can't be dealt with automatically. Even without OpenID, it's easy for a user to lose access to their e-mail and forget their password, or to forget both their username and password. Sometimes, the only solution is going to be either "you need to sign up again" or "our customer service folks have granted you access to that account".

Upvotes: 7

Joseph

Reputation: 25533

One thing you could do would be to also build your site to not only be an OpenID consumer, but an OpenID provider. That way if, for some reason, a provider goes out of business, you can have your members simply log in using your provider, and allow them to get their profile back somehow. Like how SO allows multiple IDs, or perhaps just having a migrate functionality from one ID to another. Your biggest problem is going to be the fact that their original ID can't be authenticated. I'm not sure allowing multiple IDs will alleviate that, but it might prevent such situations if your users are proactive.

Upvotes: 0
