Quit peeing in identity pool, Google dev advocate says

Application developers that require end-users to create yet another password are hurting the safety and security of the internet, Google developer evangelist Tim Bray said at last week's Glue conference.

"If you go into the password business, you are peeing in the swimming pool," he told a crowd of roughly 300 developers outside Boulder, Colo. "The right answer is not to do this."

Bray, who was one of the lead contributing authors of the XML specification and former director of Web technologies at Sun, now spends his time focusing on identity issues for Google.

Near the beginning of his talk, Bray dropped to his knees, pounded the floor with his fists and sent out a plea to web sites asking that they not force him into creating another password.

He implored developers to get on board with emerging identity protocols, namely OAuth 2 and OpenID Connect.

"The developer experience is a good one," he said. "We are starting to turn a corner here. There is good security, good user experience, and good developer experience."

Bray called OAuth tokens "power tools" for developers looking to secure and integrate their applications.

He said services that provide digital identities, so-called Identity Providers (IdPs), need to be concentrated within a relatively small group that might include universities and governments.

Web sites, instead of taking on the liability and work of assigning IDs, providing 24/7 support and even two-factor authentication options, should rely on these IdPs for use identites and authentication.

"[Providing IDs] is a complex job and will fail with devastating consequences," said Bray. "You don't want to be the one featured in [media] headlines."

He said OAuth 2 and OpenID Connect are emerging alternatives that are being bet on big by Google and others.

OAuth 2 was ratified by the Internet Engineer Task Force in late 2012 and has been adopted by a number of Web-based services including Box, Google, Facebook, LinkedIn, Twitter and Klout. It is also supported in a host of enterprise identity software and platforms.

OpenID Connect, a simple JSON/REST-based protocol, is not yet finalized, but is a de-facto authentication standard designed to help decentralize identity and support scale to Internet proportions.

With the two protocols as a foundation, Bray said users in the future will get one-click sign-ins, no passwords and two-click sign-up.

OpenID Connect is a simple identity layer built on top of OAuth, which is more a framework than a traditional protocol.

From a very high level, OAuth is about granting access, while OpenID is about authentication. The two are designed to work separately, but when paired strengthen security around access and data.

With the two protocols as a foundation, Bray said users in the future will get one-click sign-ins, no passwords and two-click sign-up. He backed up the statement by demonstrating some features Google has implemented, including Account Chooser, which was built by Google but is now owned and administered by the OpenID Foundation.

He also showed a quick-start demo based on Ruby that integrated OAuth 2 and OpenID Connect. The demo allowed the user to get an OAuth token using the Google+ Sign-In button and then exchange it for another OAuth token that allows the holder to make Google+ API requests. The demo also had sign-out and revocation features.

"We now have the technology to do these things and it is time for developers to look at how to do them," Bray said. "You are sufficiently equipped with libraries and stuff to understand this."

Bray made reference to emerging JSON-based protocols that begin to fill in the identity story for developers and pointed to a presentation given earlier in the conference.

He said OAuth 2 and OpenID will become accepted in the industry.

"The Internet is heading for a brick wall," said Bray. "There are too many people. Everyday people are abusing passwords and leaving doors open for the bad guys. I am not pretending this [transition] will be trivial; it will take some work - the translation from today to one-click sign-ins - but you need to start working on it today."