Why not trust the user? Part 2.

November 15, 2005

After considering my previous post, I have concluded that user-defined authentication, in most situations, offers some benefits over traditional silo-based systems.

Obviously, the user does not have to conform to your ideas of identity, nor remember another pair of authentication nuggets.

When implemented correctly, with both the identity of the chosen authentication mechanism and the destination of authentication queries secured, it should provide better security against external attacks.

Attackers might discover how to attack the login process, but because the true authentication method differs from user to user, an attack pattern that works against one login would not hold up across the user base.

If an attack did succeed for one user, it would not necessarily compromise the entire system.

Another possible benefit, in the event of an attack, is that more eyes are potentially monitoring activity.

To be clear, I am only considering this for web applications. Companies like Apple use a single authentication process across web and desktop applications, such as .Mac, the Store, iTunes, Mail.app and iDisk in Mac OS X.

What if users designated “their” IMAP server as the authentication mechanism for Apple services?

Would Apple and more importantly users be happy with the shared control?

Would Apple be more secure not having to store the shared secret of the authentication nuggets?

How would customers feel with less burden to remember authentication nuggets and more control over the system used to authenticate their identity?
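As an added illustration of the IMAP idea above (my own example, not code from the post or from any Apple service), here is the shape of a delegated check: the application records only which IMAP server each user designated at enrolment, never a password, and verifies the server's certificate and hostname before submitting credentials so that a redirected destination cannot harvest them. The hostnames, user names and the injectable `connect` hook are constructed for the example.

```python
import imaplib
import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class DelegatedAuthenticator:
    """The authentication destination a user designated at enrolment."""
    host: str        # user's own IMAP server
    login_name: str  # the user's name on that server
    port: int = 993  # IMAPS


# Constructed sample registry: application user -> designated IMAP server.
# Only the destination is stored; no password or password hash lives here.
USER_AUTHENTICATORS = {
    "alice": DelegatedAuthenticator("imap.example.net", "alice"),
    "bob": DelegatedAuthenticator("mail.example.org", "bob@example.org"),
}


def make_imap_connection(authenticator, timeout=10):
    """Open an IMAPS connection that validates the CA chain and hostname,
    so the password is only ever sent to the server the user chose."""
    ctx = ssl.create_default_context()  # verifies chain + hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return imaplib.IMAP4_SSL(authenticator.host, authenticator.port,
                             ssl_context=ctx, timeout=timeout)


def authenticate(username, password, connect=make_imap_connection):
    """Return True only if the user's designated server accepts the credentials.
    `connect` is injectable so the policy can be exercised without a live server."""
    authenticator = USER_AUTHENTICATORS.get(username)
    if authenticator is None:
        return False  # unknown user: there is no destination to ask
    try:
        conn = connect(authenticator)
    except (OSError, ssl.SSLError, imaplib.IMAP4.error):
        return False  # unreachable or untrusted destination: fail closed
    try:
        typ, _ = conn.login(authenticator.login_name, password)
        return typ == "OK"
    except (imaplib.IMAP4.error, OSError):
        return False  # credentials rejected, or the session dropped mid-login
    finally:
        try:
            conn.logout()
        except Exception:
            pass  # best-effort cleanup; the decision above already stands
```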

Much more to consider…

Btw, I am already using a system like this in production. So far it works rather well.
