In almost every IT project I’ve worked on, we wrote an authentication system for the application we were building. User passwords were stored in the application database (encrypted or not). I don’t think that’s good for the users. We should be asking people to remember fewer passwords, not more.
(the exception to to this is .NET, where you get Active Directory almost everywhere)
I can see why:
- A lot of IT professionals couldn’t tell you the difference between authorization and authentication.
- Integrating your shiny new project with an existing authentication system makes it harder to test.
- Usability can unfortunately take a back seat to delivery
There upsides to using a directory service instead of writing your own: You don’t get to make elementary security mistakes in storing user passwords, and you end up writing less dull code.
Directory systems can be seen as squarely on an admin’s patch. That’s the main reason why. I truly believe that we deliver better systems when admins and developers collaborate.
Update: hopefully the rise of OpenID, Google Friend Connect and Facebook connect will make us think differently. As Bryan points out below, we should be able to plug and play many authentication systems into our apps. Thanks to Dan for the editing.
image courtesy of ladydragonflycc