Archive for the ‘Development’ Category

Pros and Cons of OpenID Authentication

Posted on May 11th, 2010 in Development, Social Media

… and Why we decided not to use OpenID for now

According to Wikipedia, OpenID is “an open, decentralized standard for authenticating users which can be used for access control, allowing users to log on to different services with the same digital identity where these services trust the authentication body.”

This technology has caught on in the past couple years with web applications as an alternative to creating application-specific login accounts and passwords. Some of the popular websites to offer similar OpenID implementations include MySpace, Google, Yahoo, and Twitter.

When designing the YOUffiliate login/authentication system, we toyed with the idea of implementing OpenID support, thus allowing our members to log in with their Twitter, Facebook, etc. accounts. (In fact, our first implementation required Twitter logins, and our second implementation allowed optional use of Twitter logins.) However, for a few reasons I will mention below, we finally decided against this OpenID login system for now, and developed our own login system. For now, this gives us the flexibility we need and better fits our overall business model. The following outlines some of our concerns and important considerations for and against using an OpenID system:

Pros for using an OpenID authentication system with YOUffiliate:

  • Users are more likely to sign in to try an application when they can simply use an existing (Twitter, Facebook, etc.) account. They don’t need to sign up for another service and keep track of another password. (Speculation, only!)
  • Once logged in (let’s say they are logged in via Twitter’s OAuth already), the YOUffiliate platform can already have access to the user’s Twitter API for posting Tweets. This eliminates the extra step of the user authenticating with Twitter again. The same goes for other social applications.
  • Logging in via an OpenID will potentially give us access to some of the user’s publicly available information – such as public Twitter profile, number of followers, Facebook public profile information, etc.

Cons for using an OpenID authentication system (Pros for using our own!):

  • Reduces the complexity of allowing many different auth systems. We only need to keep track of 1 account for authentication – our own.
  • OpenIDs rely on that third party being available. Even though these are big sites (Yahoo, Google, Twitter), they all experience unexpected downtime now and then. Being tied to a third-party site for authentication is somewhat of a liability in this sense.
  • A more likely situation where being tied to a 3rd party would be a problem is if we ever decided to stop working with a certain 3rd party. Let’s say down the road we decide that we no longer want to integrate with Twitter. What happens now to all the users that are using Twitter OAuth to sign in to their YOUffiliate account?
  • OpenID security weaknesses. Some people just get straight up confused when presented with an OpenID sign-in box. Others are wary and think something fishy is going on when they are prompted for their Google password to access a 3rd party site. Read more about OpenID’s security vulnerabilities with regard to phishing and TLS.
  • Control over accounts. Using our own authentication system, we have full control over users, usernames, passwords, change of passwords, etc. Some may argue that this is a pro of using OpenID. :P
  • Multiple users using one login. This was a pretty strong reason for us to implement our own authentication system. Our advertisers and affiliates are not always individuals. In many cases there are teams of people who need access to a single YOUffiliate account. Here’s an example: Let’s say ABC Shoes is a YOUffiliate advertiser. Joe and Jane work together as administrators for ABC Shoe Company’s YOUffiliate advertiser account. When Joe signed up, he was prompted for his Google account and password, so not knowing any better, he signed up with joe@gmail.com. Now, when Jane wants to access ABC Shoe Company’s YOUffiliate account, she asks Joe for the login. Joe shudders – he either has to tell Jane his personal account info, or sign up for a new account. :(

Of course, every situation is different, and in fact, there are many cases where OpenID is a perfect solution to use. If security is extremely important for you (I haven’t yet seen a bank that supports OpenID), you may want to think twice before using OpenID. If you want an authentication system for your blog/personal website, OpenID is great! The important thing is to do your own research, analyze your own business model, and determine for yourself whether OpenID is the best choice for you.

Benefits and Comparisons of Link Shortening Services – Choosing a Link-Shortening Service

Posted on April 21st, 2010 in Development, Social Media

These days, links around the Internet pretty much come in two flavors: super short, and super LONG! We’ve all seen link URLs that go on and on in our browser’s address bar, and experienced trying to delete hundreds of characters while wishing the backspace key would work faster! We’ve all seen the likes of platforms such as Amazon and eBay, with their infinitely long URLs, and if you have tried to email these links, you might have experienced URLs being cut short and, as a result, rendered useless to the email recipient.

According to CNET, in about 2002, one of the first URL shorteners, TinyURL, came about. At the time, I would guess that most people could not see the point in having a short URL. It’s not exactly common knowledge that email line length is an actual specification in RFC 2822 or RFC 5322, which says “There are two limits that this standard places on the number of characters in a line. Each line of characters MUST be no more than 998 characters, and SHOULD be no more than 78 characters, excluding the CRLF.” (check out Dan’s Mail Format Site if you don’t believe me :) ). However, as the social web came about, and Internet users started using short messages such as Tweets and Facebook status updates, users quickly discovered that the 200 character URLs were just not working anymore. Twitter saw this, and hooked up with bit.ly as a URL shortener, and an array of different URL shortening services sprouted up.

Take a look at this article on CNET that lists a number of the different options for URL shortening. With all these options available, what’s the difference between all of them, and what should you look at when deciding which to use? Here at YOUffiliate, we are currently evaluating the best option to use for URL shortening. Here are some of the considerations we are looking at to make our decision.

  • Length of the URL – Because our ads must fit in a Twitter 140 character message, we need to ensure our links are as short as possible. Thus, URL length is extremely important to us. For example, URL shortener is.gd (http://is.gd) advertises itself as “The Shortest URLs Around”, and at 5 characters, it pretty much is as short as you can get… until you find j.mp (http://j.mp), and realize that you can save 1 additional character! Services such as MooURL (http://moourl.com) are not options for us, as the domain itself already chomps 10 characters of our 140 character limit.
  • API Versatility – As YOUffiliate’s URL shortening happens automatically behind the scenes, API access for creating short URLs is important. Do some research on the API accessibility of your link shortener, if this is important to you.
  • Statistics – Some link shortening services offer real-time tracking statistics. Be wary about using these statistics as fact. I’ve read many cases where the tracking numbers appear very skewed from the number of clicks actually received.
  • Stability / Reliability – If you are running a service that relies on links being up at all times, you had better choose a link-shortening service that is reliable. Read the reviews before choosing, and don’t be the first big site to use a brand new link-shortening service…unless you really believe in them.
  • Usage Terms of Service – Some URL shortening services such as Bit.ly (http://bit.ly) list in their fine print that “you may only use the Site for your own personal and non-commercial purposes”. Commercial usage for these sites may require an additional agreement, and some can be quite expensive. (bit.ly PRO Enterprise is $995 /month!)

Other options:

  • White-labeled services – Check out bit.ly PRO, which offers “’end-to-end branding,’ which replaces the bit.ly domain with a custom domain name (like nyti.ms).” This may be more costly, but it is definitely an attractive option for those that need it and can afford it.
  • Roll your own – How hard can link shortening really be?? If you’ve got the guts, go for it! Depending on what your needs are, and how short of a URL you really need, this may be a viable option for you. Unfortunately, domain names with short names (i.e. 4-5 characters long) are extremely rare to come by nowadays. If you have a reasonably short domain name, you can probably crank out your own link-shortener fairly easily!
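
For the roll-your-own option above, the core of a link shortener as an added example (not YOUffiliate's code): random codes instead of a counter so links cannot be walked in order, http(s)-only redirect targets, and the character budget left in a 140-character message. The domain `yf.example`, the 5-character code length and all names are assumptions.

```python
import secrets
import string
from urllib.parse import urlsplit

ALPHABET = string.ascii_letters + string.digits  # 62 URL-safe characters
TWEET_LIMIT = 140  # message budget quoted in the post


class Shortener:
    """In-memory shortener core; a real service would persist the mapping."""

    def __init__(self, domain, code_len=5):
        self.domain = domain      # hypothetical short domain, e.g. "yf.example"
        self.code_len = code_len  # assumed length; 62**5 is about 916 million codes
        self._by_code = {}
        self._by_url = {}

    def _link(self, code):
        return f"http://{self.domain}/{code}"

    def shorten(self, url):
        parts = urlsplit(url)
        # Redirect only to web URLs; javascript:, data: and file: are refused.
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError("only absolute http(s) URLs are accepted")
        if url in self._by_url:  # the same target keeps the same code
            return self._link(self._by_url[url])
        while True:
            # Random codes, not a counter, so links are not enumerable in order.
            code = "".join(secrets.choice(ALPHABET) for _ in range(self.code_len))
            if code not in self._by_code:
                break
        self._by_code[code] = url
        self._by_url[url] = code
        return self._link(code)

    def resolve(self, short_link):
        code = short_link.rsplit("/", 1)[-1]
        return self._by_code.get(code)  # None for unknown codes


def chars_left(short_link, limit=TWEET_LIMIT):
    """Characters left for ad text after the link and one separating space."""
    return limit - len(short_link) - 1
```
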