Distributed Authentication (the drupal.module) on will be turned off November 1st, 2010

October 12th, 2010

Note: If you never used an “” login to a site then you can gleefully ignore this post. It was a feature launched long ago and not widely used.

Hey Everybody,

It’s been a long time coming, but we are now approaching the point where the old “distributed authentication” mechanism will be turned off on

For a while, the distributed authentication method was a great idea. Sites like used the distributed authentication and it helped spread awareness of Drupal. It was an early idea for identity and federated websites and distributed social and all those fancy buzzwords.

But while the concept might have been visionary, the implementation was not. Perhaps the biggest complaint is that it is not a super secure architecture.

So, we will turn it off on on November 1st, 2010.

Goodbye legacy, hello new hotness

If your site allows logins like “” then you should know that it will be turned off soon. Users will still be able to log in with that account and the password they last used. But there could be some scenarios where they get locked out. Even worse, if they never updated their account then their mail will not be stored in your database so they cannot use the “self-service” password retrieval system.

If you want to use something similar, consider using the OpenID module that’s in Drupal core these days. It allows federated logins without all the architectural security problems.

If you relied on this service

Site owners who relied on this service should…

  1. Get people to enter their e-mail on their profiles
  2. Alert people that the connection to is going away and their passwords will no longer stay in synch.

Yay progress!