Business - Written by Alan Majer on Wednesday, February 11, 2009 9:36 - 0 Comments
Twitter as the basis of an open login scheme
Everyone hates juggling usernames and passwords. Hence all the great activity around OpenID, Facebook Connect, and more recently OpenID and Facebook, all of which suggests that mainstream use of open web authentication schemes is reaching critical mass.
I like the idea, a lot. However, I think it’s a bit early to bet on one horse, so why not add more to the mix? I like twitter’s generally open approach, so why can’t they play in this space?
So, here’s a proposal on how anyone can use twitter as an open authentication scheme to log into their site:
The first step is a login page (screenshot below) which gives you a unique one-time authentication key that is used to identify your session. In this example the one-time code is “82kjx_OneTimeAccessCode_IeZh9els” and it is designed to be tweeted (probably best to DM) to the web site owner’s account (“SiteTwitterName” in this case). By DM’ing the one-time code to the site owner you link your session to a specific twitter account, and by DM’ing it, you provide proof that you own that twitter account. To make this easier to tweet, you could add a “copy to clipboard” link, or a “tweet to login” button/link which would automatically prepopulate the tweet in a browser window (see next screenshot).
Below is a sample of what the page might look like after you click the “tweet this to login” button. You can imagine the button creating a popup window like this (if the browser allows popup windows). On twitter, it’s easy to prepopulate a page with a ready-to-tweet message like this. Just open a page with the URL:
http://twitter.com/home/?status=d%20SiteTwitterName%2082kjx_OneTimeAccessCode_leZh9els
And that link should give you a page similar to the one below:

Then, once you send the DM through twitter, the website can use the twitter API to read the DM and then make a connection between your twitter ID and the unique session key in order to authenticate you. At that point, your original login page can be refreshed, logging you in automatically. Voila, you are logged into a website using your twitterID as the account name:
A login scheme like this would work with twitter, but equally well with any messaging or IM service that’s sufficiently quick and also has an API. One of the best things about it is that it doesn’t require any endorsement of the service provider in order to use it for authentication either. You can even imagine doing this via a mobile phone too (either through cameraphone image, QR code (discussed here and here), IVR, OCR, or even a “sound” produced by the website that you could hold your phone up to).
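The site-side matching step described above, as an added example that is not part of the original post: each session gets an unguessable code that expires and can be redeemed only once, and the account name is taken from the messaging service's own sender field rather than from the message text. The class name `DmLoginVerifier`, the five-minute lifetime and the `(sender, text)` message shape are assumptions; no real Twitter API call is shown.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumption: a code is valid for five minutes


class DmLoginVerifier:
    """Hypothetical helper: binds a session to the account that DMs its code."""

    def __init__(self, ttl=CODE_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}       # session_id -> (code, expires_at)
        self.authenticated = {}  # session_id -> sender account name

    def issue_code(self, session_id):
        # 128 bits from the OS CSPRNG, so a code cannot be guessed or predicted.
        code = secrets.token_urlsafe(16)
        self._pending[session_id] = (code, self._clock() + self._ttl)
        return code

    def handle_dm(self, sender, text):
        """Process one received DM; return the session it logged in, or None.

        `sender` must be the sender field reported by the messaging service,
        never a name parsed out of the message body.
        """
        candidate = text.strip().encode()
        now = self._clock()
        for session_id, (code, expires_at) in list(self._pending.items()):
            if now > expires_at:
                del self._pending[session_id]  # expired codes are discarded
                continue
            if hmac.compare_digest(code.encode(), candidate):
                del self._pending[session_id]  # single use: a replay finds nothing
                self.authenticated[session_id] = sender
                return session_id
        return None


def demo():
    # Constructed sample: one session, then the same code sent a second time.
    verifier = DmLoginVerifier()
    code = verifier.issue_code("session-A")
    return [verifier.handle_dm("alice", code), verifier.handle_dm("mallory", code)]
```

The same logic applies to any messaging service that reports an authenticated sender for each message.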
Any suggestions about holes or problems with this scheme that I may be missing? Or ideas for improvements?
If anyone would like to implement the first working demo of this scheme it would be a great contribution to the public good. I’d love to credit you with it here. Happy to share any demo code for it too if you wish.
…please contact me via twitter @crasheral if you would like to help kickstart this.