Which authentication mechanism to choose?


Question

Well, in my free time, I'm making this small web site. The site will not require authentication; only some actions (like leaving a comment) will require it.

I would expect to have up to 100 (probably less) unique visitors a day. I don't really expect more than 50% to (bother to) register.

Right now, I'm thinking of three possible authentication mechanisms (but I'm open to suggestions):


  • OpenID authentication;

  • HTTP Digest or at least HTTP Basic authentication;

  • My own (form-based) authentication.

OpenID seems to me a little bit of an overkill for a small site like this. Also, a buzzword like "OpenID" on the login page of my site might scare away the less tech-savvy people.

HTTP Digest (or Basic) authentication provides a low security level (or none at all), because the site will not be under HTTPS.

My own implementation would, most likely, suffer the same security problems as the HTTP Digest would. Although, I could implement some more protection against brute-force attacks (display a captcha after three failures etc).

What other mechanisms would you suggest? What are the pros and cons that I'm not seeing? What would you choose?
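The "CAPTCHA after three failures" idea from the question, sketched as an added example that is not part of the original post. The class name `LoginThrottle`, the 15-minute window and the per-address counter are assumptions; password checking and CAPTCHA verification are assumed to happen elsewhere and are passed in as booleans.

```python
import time
from collections import deque

CAPTCHA_AFTER = 3          # failures before a CAPTCHA is demanded (figure from the question)
WINDOW_SECONDS = 15 * 60   # assumption: a failure stops counting after 15 minutes


class LoginThrottle:
    """Tracks recent failed logins per account and per client address."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so the window can be tested
        self._failures = {}      # key -> deque of failure timestamps

    @staticmethod
    def _keys(username, ip):
        # Count both ways: per account and per address.
        return ("user", username.strip().lower()), ("ip", ip)

    def _recent(self, key):
        q = self._failures.get(key)
        if q is None:
            return 0
        cutoff = self._clock() - WINDOW_SECONDS
        while q and q[0] <= cutoff:
            q.popleft()
        if not q:
            del self._failures[key]   # keep the table from growing forever
        return len(q)

    def captcha_required(self, username, ip):
        return any(self._recent(k) >= CAPTCHA_AFTER for k in self._keys(username, ip))

    def attempt(self, username, ip, password_ok, captcha_ok=False):
        """Return 'captcha_required', 'denied' or 'ok' for one login attempt."""
        if self.captcha_required(username, ip) and not captcha_ok:
            return "captcha_required"      # the password result is ignored
        user_key, ip_key = self._keys(username, ip)
        if password_ok:
            # Reset only the account counter; a success on one account
            # must not clear the failures recorded for the address.
            self._failures.pop(user_key, None)
            return "ok"
        now = self._clock()
        for key in (user_key, ip_key):
            self._failures.setdefault(key, deque()).append(now)
        return "denied"
```

The counters live in process memory, so a site running more than one worker process would need to keep them in a shared store.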

Recommended answer

It depends in part on who your target audience is. If they're all computer geeks, go with OpenID. They're either familiar with it, or will understand what you're doing. If they're not necessarily computer geeks, they may not have been exposed to OpenID authentication yet, so OpenID could present a barrier to entry. In that case, you might want to go a more traditional route, such as a register/validate email/login approach, whether roll-your-own or off-the-shelf.
