Yahoo not veering off authentication path, just negotiating detours

Yahoo building toward standards-based single sign-on environment that will reach across its services, Internet

Turns out Yahoo didn't veer off the road toward new and innovative authentication methods, but instead is negotiating some industry and technical roadblocks.

The company, according to sources, plans to convert its online services to support the OpenID Connect authentication protocol, which it is helping to develop, and use that as one anchor to build a consistent single sign-on environment across its internet properties. The ideas align with current global trends in building federated identity infrastructures.

As with others making similar conversions, namely Google, such a changeover could take a few years.

Sources say Yahoo's announcement Wednesday - that it would no longer accept Google or Facebook credentials as a valid log-in for a few of its services - came off as negative but is actually part of an overall federation plan that includes OpenID Connect and OAuth 2.0.

While Yahoo has not announced its grand plan, Google has, and the two companies appear to have many synergies that are both protocol and professional.

The two marshals behind Yahoo's strategy are ex-Googlers in CEO Marissa Mayer and Dylan Casey, Yahoo's senior director of product management for consumer platforms. Casey is one of eight corporate board members at the OpenID Foundation.

Last week, Google publicly stated it would abandon the use of OpenID 2.0, which Yahoo also now uses, and convert to OpenID Connect. Yahoo has the same plan, the sources said.

Google already is both an identity provider, or IdP (issuing credentials), and a relying party (accepting credentials issued by other identity providers, such as Facebook or Yahoo).

Yahoo is heading for a similar strategy to strengthen its position as both an identity provider and a relying party, according to sources. The identity provider piece, however, is one Yahoo needs to improve on, and it is making moves there.

Late last year, a Gigya study showed Yahoo with a smaller role in the social identity IdP market than either Google or Facebook. Yahoo also is playing with smaller resources, especially on the financial side.

Google has built a centralized internal identity platform that currently accepts SAML tokens from Google Apps customers and OpenID 2.0 from some IdPs like Yahoo, and uses proprietary connectors for others like Microsoft.

Google provides authentication to both internal applications and external applications such as web sites and mobile applications via OpenID Connect. Google uses its popular Gmail as one of a number of sign-in gateways to its identity platform, a sort of authentication on-board ramp for end-users.

What Yahoo will do has not been announced, but in addition to pointing its resources and strategy in a similar direction as Google, Yahoo is investing in the creation and adoption of OpenID Connect, which means the ultimate demise of OpenID 2.0 within its services. 

Other synergies may appear around execution and developer trends in the industry.

Google is getting deep in its transition and has been encouraging Web sites and developers to "get out of the password business" and let Google and other IdPs - like Yahoo - create, store and maintain user identities that other Web sites would rely on for authenticating end-users.

The intent here is to isolate identity services around just a few providers and improve security around credentials. Clearly, Google and Yahoo along with others want in that mix.

Former Google developer evangelist Tim Bray last year chastised developers, saying, "If you go into the password business, you are peeing in the swimming pool." He told them to get on board with emerging identity protocols, namely OAuth 2.0 and OpenID Connect.

Developers implementing identity features in their apps, Bray said, cause problems for Google and other identity service providers when those developers deviate from protocol specifications or implement them incorrectly. 

"[Providing IDs] is a complex job and will fail with devastating consequences," Bray said at the time. Bray singled out OAuth 2.0 and OpenID Connect as being big bets for Google and others.