Spike

drfloob.com

About

My name is AJ, and I'm a web developer and software engineer out of Southern California.


The Quest for Zero Login, Part 1

Logins are annoying. We live in a time where a single button click determines some websites' entire monetary worth (CTR). It's a pain to make users jump through hoops, requiring this terribly awkward signup, validate email, and finally login process. I just don't want to make people do it anymore.

I'm building a fun little toy website. I've had the idea since November 2008, and I'm finally getting around to building it. The idea isn't set in stone yet, but in general:

  • It's completely free (I have no intention of monetizing my play time)
  • It's a site built for a very small niche
  • It'll survive entirely on user-generated content
  • People will go to the site because they want to either:
    1. build their own toys, or
    2. find other people's toys to play with

It's not very complicated that way.

The site also provides a very specific service, allowing people to do one rather simple thing in a unique way. That core service doesn't care if you have email or not. It doesn't care who you are or where you're from, just that you're here now and you want to use my service.

So I've decided to make the site completely login-optional. I'd like to make the entire community login-free, but I'm not hopeful that'll ever work out. As it turns out, creating login-optional functionality around a user-generated content community has a mess of technical challenges that I'm only now getting my head around. Here's what I've been pondering. Maybe it'll help you, maybe you can help me ... either way ...

* * *

On to the necessities

Why do we need email?

To reset passwords when people lose them, and for newsletter spam (I hate spam, but I can't neglect it as a valid reason to require email addresses). Having someone's email address is not the only way to authenticate them and reset their password, but it is the easiest I know of, and by far the standard. Other solutions I know of include a series of secret questions & answers (essentially a set of passwords, hopefully less forgettable than the first), and outsourcing the login process entirely (OpenID and OAuth, for example).

But both of those alternatives add a nasty layer of complexity to the signup process. I want to do away with the signup process, so those options have got to go. Anyway, OpenID and OAuth treat a symptom, not the problem. Time to dig deeper ...

Why do we need passwords?

You put some of your stuff out there for everyone to see, and you don't want anyone else messing with it, am I right? You've got to lock things down somehow, so you give it to me and trust I'll keep it safe. Passwords are a decent way to let me know that you are who you say you are, so I can hand you back your stuff without worry.

Some notable, general alternatives I've thought of are SSH Keyless Entry and Port Knocking. SSH Keyless Entry operates on unique fingerprints associated with a computer, which isn't useful on the web since many people share computers or use public computers. Port Knocking relies on a secret handshake of sorts, requiring accessing clients to send a sequence of packets in the right order and with proper timing, to open the lock. The equivalent web technology would be something like a series of mouse gestures, or typing cadence, both acquired via JavaScript. I'd be at a loss for how to make that work on Lynx, so those are out.

Iris scanning and facial recognition are going in the wrong direction, but I've thought about them! In the end, the simplest way for me to know you're you is if we share a secret word.

How can we do without passwords?

The only simple solution I know of is to do entirely without ownership. You can create things and put them out there, but nobody will know it's you who did it.

There are two key issues with this. First, there's a certain incentive that comes with personalization, and that would be lost entirely. Just look at Facebook for a polar opposite example. When a website begins to represent you, it's more than just a tool; Facebook is a habit and even a responsibility for a lot of people trying to keep up with social networking and outward appearances. Conversely, how can a service be at all valuable if it doesn't make people feel anything? People love Facebook. That's really saying something.

The second issue is humanization; there would be none. A community built on top of a faceless mass of anonymous users has worked before (*ahem* 4chan *cough*), but it's the exception to the rule. And I'm not building a site for sadistic tweens; it's more likely my site would be used by families, schools, or retirement home residents. An anonymous, zero-login community sounds like an oxymoron at face value. Having to explain such an extraordinarily unusual website flow to a group of non-technical people is not my idea of a winning game plan.

An alternative is to allow self-reported usernames. This adds a level of personalization to the community, but would do nothing to prevent impostors or people who game the system (10 people reporting the same username would look like one prolific dude). I don't see how anyone could find much incentive for committing either, really, but I'm sure there are people that would do it anyway. Also, if I knew that anyone could easily impersonate me on a website, I wouldn't feel much like investing myself there. It wouldn't feel like it was mine.

Living in Anonymity

What would it be like to have a zero-login community? To begin with, you would not be able to edit or delete anything you contribute. Once it's submitted, it's everyone's property, and only tangentially (insecurely) associated with you. Interactivity would come from an infinite ability to remix public toys, and innovative ways to help people create entirely new ones. The lack of individual filtering ability would probably lead to a lot of chaff, so there would be a constant need to filter as a community (voting, tagging, or some reputation-earning scheme for the content itself).

* * *

What I've mostly settled on is a middle ground, actually: a login-free system, with an option to personalize / edit / delete / reserve your username given a full-blown 30-second signup process. I'm still fuzzy on the implementation, but I think it's definitely doable. I'd go off about it now, but this stuff is frankly exhausting. Stay tuned for part 2!