Quit peeing in identity pool, Google dev advocate says

Quit peeing in identity pool, Google dev advocate says

Summary: Noted developer Tim Bray says the Internet is headed for a brick wall and implores his peers to get on board with emerging identity protocols for securing applications, APIs.

SHARE:
tim_bray
Tim Bray called OAuth tokens "power tools" for developers looking to secure and integrate their applications.

Application developers that require end-users to create yet another password are hurting the safety and security of the internet, Google developer evangelist Tim Bray said at last week's Glue conference.

"If you go into the password business, you are peeing in the swimming pool," he told a crowd of roughly 300 developers outside Boulder, Colo. "The right answer is not to do this."

Bray, who was one of the lead contributing authors of the XML specification and former director of Web technologies at Sun, now spends his time focusing on identity issues for Google.

Near the beginning of his talk, Bray dropped to his knees, pounded the floor with his fists and sent out a plea to web sites asking that they not force him into creating another password.

He implored developers to get on board with emerging identity protocols, namely OAuth 2 and OpenID Connect.

"The developer experience is a good one," he said. "We are starting to turn a corner here. There is good security, good user experience, and good developer experience."

Bray called OAuth tokens "power tools" for developers looking to secure and integrate their applications.

He said services that provide digital identities, so-called Identity Providers (IdPs), need to be concentrated within a relatively small group that might include universities and governments.

Web sites, instead of taking on the liability and work of assigning IDs, providing 24/7 support and even two-factor authentication options, should rely on these IdPs for use identites and authentication.

"[Providing IDs] is a complex job and will fail with devastating consequences," said Bray. "You don't want to be the one featured in [media] headlines."

He said OAuth 2 and OpenID Connect are emerging alternatives that are being bet on big by Google and others.

OAuth 2 was ratified by the Internet Engineer Task Force in late 2012 and has been adopted by a number of Web-based services including Box, Google, Facebook, LinkedIn, Twitter and Klout. It is also supported in a host of enterprise identity software and platforms.

OpenID Connect, a simple JSON/REST-based protocol, is not yet finalized, but is a de-facto authentication standard designed to help decentralize identity and support scale to Internet proportions.

With the two protocols as a foundation, Bray said users in the future will get one-click sign-ins, no passwords and two-click sign-up.

OpenID Connect is a simple identity layer built on top of OAuth, which is more a framework than a traditional protocol.

From a very high level, OAuth is about granting access, while OpenID is about authentication. The two are designed to work separately, but when paired strengthen security around access and data.

With the two protocols as a foundation, Bray said users in the future will get one-click sign-ins, no passwords and two-click sign-up. He backed up the statement by demonstrating some features Google has implemented, including Account Chooser, which was built by Google but is now owned and administered by the OpenID Foundation.

He also showed a quick-start demo based on Ruby that integrated OAuth 2 and OpenID Connect. The demo allowed the user to get an OAuth token using the Google+ Sign-In button and then exchange it for another OAuth token that allows the holder to make Google+ API requests. The demo also had sign-out and revocation features.

"We now have the technology to do these things and it is time for developers to look at how to do them," Bray said. "You are sufficiently equipped with libraries and stuff to understand this."

Bray made reference to emerging JSON-based protocols that begin to fill in the identity story for developers and pointed to a presentation given earlier in the conference.

He said OAuth 2 and OpenID will become accepted in the industry.

"The Internet is heading for a brick wall," said Bray. "There are too many people. Everyday people are abusing passwords and leaving doors open for the bad guys. I am not pretending this [transition] will be trivial; it will take some work - the translation from today to one-click sign-ins - but you need to start working on it today."

Topics: Software Development, Networking, Security

About

John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

23 comments
Log in or register to join the discussion
  • How Can We Trust Google With Passwords??

    Yeah Developers, use Google+ for your Log In. Google needs your passwords. Apparently when Google was using their Street View car for hacking unsecured Wi-Fi in 38 state, the UK, Germany, and France (the countries where Google got caught) they had to promise to stop doing that.

    Now that they are no longer allowed to steal personal information from unsecured Wi-Fi, they are going to have to move on to secured networks. Stealing personal information is much easier when you give them your password.

    Google's response, we didn't do it on purpose, we were unaware this personal data was jumping into our databases from rouge Wi-Fi networks. We we just driving down the street minding our own business of collecting personal information, when this personal information came out of no where. In many countries over periods of years.

    http://www.guardian.co.uk/technology/2012/jun/13/google-engineers-unaware-street-view-data-breach
    Patrickgood1
    • Re: How Can We Trust Google With Passwords??

      No need to. Just give them a password you don't use anywhere else. Problem solved.
      ldo17
      • Except Google is Taking About Google+ Sign-In API

        meaning you have to use a real password, Google receives the password and returns the Authentication credentials back to the site you are logging in into.
        Patrickgood1
    • Passwords

      You're worried that Google will steal your password? Every document, spreadsheet, email is accessible in the clear by Google. They store your info unencrypted in their disk farms.
      rPeterJoshua
    • color me silly

      personal data from wi-fi networks colored RED ("...rouge Wi-Fi networks...")? You mean those were COMMUNIST networks?

      ouch
      ikjeft01
  • There was no stealing

    From the article you linked to:
    "Google has been cleared of breaching privacy laws with the Street View project in each of the countries that have concluded investigations into the affair"

    First, you cannot hack an unsecured WiFi network - it was not secured in the first place. Google's street view cars came by and gathered openly available information. No different than if they took pictures of cars in driveways.
    john-whorfin
    • My Bad

      I believe them now.

      Which turnip truck was it you fell off?
      Patrickgood1
    • Definition, Hack:

      Unauthorized access to a computer from a remote location to steal or damage data

      Cleared???? Did you read the Headline? Google to pay $7m to US states over Street View data collection


      did you miss the part where it said:

      it appeared likely that some private information – including visits to dating or pornographic websites, medical listings and "legal infractions" was scooped up by Google as it photographed homes across the UK.

      Cleared??
      Google published the written testimony late on Tuesday, hours after the UK information commissioner launched a fresh investigation into the data collection.

      Meanwhile in Germany
      The Hamburg commissioner for data protection and freedom of information, Johannes Caspar, announced the fine today, saying Google “illegally collected and stored personal data”,

      Meanwhile in France:
      France's data privacy regulator said Monday it had imposed a record fine of 100,000 euros ($142,000) on Google for private information collected while compiling its panoramic Street View service.
      Patrickgood1
      • yep, cleared

        Dude, I quoted the article YOU linked to....
        john-whorfin
        • Dumbass

          And that one sentence is all you got? Google was NOT cleared. They are STILL being investigated. Google has been fined in 3 countries.
          Patrickgood1
          • Sorry you don't like the link you posted...

            I got this one too: "The FCC said the collection did not breach US privacy laws"

            and this one:"The UK data watchdog said it appeared likely that some private information – including visits to dating or pornographic websites, medical listings and "legal infractions" – was scooped up by Google as it photographed homes across the UK."

            "appeared likely" = we have no actual evidence, but it makes good headlines and gives people who want to dislike Google something to scream about
            john-whorfin
    • Sweet. So you won't have a problem if

      I sit in the street with a camera and take pictures of your family through your living room window. After all, your curtains are open...
      baggins_z
  • OAuth is a complete JOKE...

    Want proof? Go ahead and write a web page with an OAuth login for Facebook, but don't use your ClientId, use a ClientId you've ripped off from another app. When the user doesn't notice the App name and clicks yes to the permissions, you'll get a nice token with privs from the other guy's app. Only open source FILTH would come up with a security standard this bad. Pathetic as always.
    jackbond
    • Are Google Developers So Brain Dead They Can't Write Their Own Simple Code?

      90% of sites that have a log in don't have anything worth securing. Their objective is to get your email address or it's their egomaniacal pea brain filled with self importance which makes them believe a user name and password is necessary.

      If I go to a restaurant site place a pick up order. Do I really need a user name and password?

      There is no way I'd use my email address or my FB account to log in.

      I have a few disposable email addresses I use when absolutely necessary. Typically if there is a verification email, I just move on.

      Not much out there worth the hassle.
      Patrickgood1
  • This is ironic

    Coming from Google, the biggest purveyor of spyware in the world. Every app and service they provide is designed, first and foremost, to spy on their users. That is their business model. That is the only way they make money.

    Give your identity to Google, willingly or not, and it will be stolen at some point.
    jorjitop
  • translation

    "Competitors, please do not compete with us. Let us be the only authentication service on Internet. Let everyone come to us and willingly hand in their auth data. We will store it and use it when we need to visit a site on those users behalf. Don't worry about hackers breaking into google servers - a bunch of non-name agencies are taking care of our security and all your personal data is in our BigData pool already."

    Go Google, go!
    danbi
  • Classic Google hipocrisy

    A Google Account has a password. Google requires the user to have login with a password for ALL of its services. Now their devs are telling us this is bad? "Do as I say, not what I do."

    Of course, what's really behind this is that Google wants us all to use their accounts, or almost anything else, instead of rival platforms. Most major websites allow users to log in with Facebook, Twitter, etc. He's promoting services closely associated with Google and their pet projects and technologies, and making it sound as usual like Google is totally neutral corporation and is just saying stuff for the benefit of all mankind.
    Tim Acheson
  • I have no idea how many orphaned accounts I have out there

    Places I've logged into and had to set up an account with password just to get a single peice of information. And then not had to go there for months and not know the password when I need to get there again. Yet when I go to create a new account, get blocked because my e-mail or address is already in there; yet contact information to update or change password is so labyrithian that I just give it up and they permanently lose a customer.
    Dr_Zinj
  • This is why Chrome is an insecure browser

    Firefox has the ability to memorize your site passwords. On disk they are fully encrypted with strong protocols. The passwords use a master passphrase, so that you cannot simply open the browser and login to a site... you must know the master password before the memorized passwords auto-fill. This means that firefox can retain hundreds of usernames and passwords for many sites. And the passwords can be long random strings that you do not need to remember and cannot be brute force attacked in the lifetime of this universe. You can transfer these passwords between any other computer or device or mobile phone running firefox and the transfer is fully encrypted so not even firefox can ever see them. This allows you to fully retain a unique set of passwords completely within your control.

    Google Chrome does not have password encryption. If you allow chrome to memorize your login passwords, it will be freely available for anyone with access to your computer to open chrome and read them... or take a picture while you are getting a coffee. Chrome has no password security, which means that all your passwords need to fit inside your head. Your head is not big enough to memorize passwords of the strength that cannot be brute force attacked. And your head cannot memorize unique passwords for hundreds of sites. The end result is that you are forced to use weak passwords and likely repeat some passwords accross multiple sites.

    Conclusion: Chrome browser is not secure

    WHY? Because the solution for this is to have only one password in your head. The password to your google account. And then use google authentication on all other sites in order to provide security based on the one secure login you have to google. The problem is that this removes all control from you to a 3rd party (google). What happens if google closes your account due to some violation of their TOS? And what happens when you trust google with the ability to log into all accounts you have access to when they are served with a mass eavesdropping/snooping request from your government?

    Result: Google is willfully reducing your security in Chrome in order to force you into handing over control of your security to their authentication systems. Do not use chrome or google authentication. Trust Firefox with your logins.
    Pea Wormsworth
    • also about chrome

      I forgot to mention. If you do use chrome to memorize login password so as not to send them to google... you cannot transfer/share these passwords between two devices running chrome. Unlike firefox, chrome only encrypts your passwords will in transit, but all your private passwords are fully unencrypted when google receives them and send them to your second device. ie: Google sees all your private passwords. Lesson: do not use chrome for any login sites... it is not a safe browser. If you trust google with all your passwords to all your sites... feel free to use the insecure Chrome browser.

      Note: the source of this information comes from someone who claimed to work for google.
      Pea Wormsworth