Yahoo veers off road heading to access control innovation

Service provider says it's reverting to Yahoo-only access controls, won't accept Facebook, Google credentials any longer
Written by John Fontana, Contributor

While access control technology steams toward innovation promising end-user convenience and better security, Yahoo indicated Wednesday it is going in the opposite direction.

The company, which currently accepts Facebook and Google credentials from users who want to sign into Yahoo services, said it was phasing out that type of credential sharing known as federation - where credentials issued by one identity provider are valid for access control to another service provider's network. Going forward for Yahoo, it's their credential or no access.

What might Yahoo be thinking?

Current innovation in identity infrastructure includes trusted identity providers, web sites that rely on those trusted identities, and end-user convenience. And it includes new modern access control designs that service providers, mobile operators, governments and companies are lining up behind in droves.

In the process, end-users will see their laundry list of passwords go away and service providers get out of the cost and liability of creating, storing and protecting user accounts.

But clearly, Yahoo has found something better to like than that equation.

But what's not to like? A few years ago, LinkedIn spent nearly $4 million cleaning up the theft of 6.5 million passwords. And 6.5 million people went away licking their digital wounds.

Federation can help pull everyone off the tracks before that kind of train wreck.

"Yahoo is continually working on improving the user experience," the company said in a statement Wednesday to Reuters, noting that the new process "will allow us to offer the best personalized experience to everyone."

But you don't win over users with sign-in technology; you win them with must-have apps, a secure web site, and terrific customer service. Maybe those are areas where Yahoo should improve while leaving access control technology alone.

And an end-user's credential identifies who they are so personalization should not take a dramatic hit. And neither should  end-user privacy.

Yahoo's move is curious because innovation around the authentication and authorization space focuses on a more cooperative ecosystem.

The trend was highlighted by last week's release of OpenID Connect that touched off a series of announcements on easing access controls - not only for end-users but for administrators setting up ID systems - with federation at its core.

And the trend is reinforced by efforts spinning up at the FIDO Alliance, which is working on authentication schemes as a way to unlock federation's potential. Members include PayPal, Lenovo, Google, Microsoft, Discover, MasterCard and a laundry list of other companies.

The GSMA, an association of mobile operators, last week introduced at its Mobile World Congress a program called Mobile Connect, a new federated credential system supported across providers. The program's foundation is OpenID Connect.

At the same conference, PayPal and Samsung introduced a partnership that incorporates FIDO-based authentication into the Galaxy S5 smartphone that lets users login and shop with the swipe of a finger in online, mobile and in-store payments wherever PayPal is accepted.

In Germany, Deutsche Telekom detailed how it is using the OpenID Connect protocol to provide SSO to its users, federating their credentials across its stable of providers.

In the U.K., the government said it would roll out as part of its Identity Assurance program a number of Connect-based pilots to provide citizens with identities for interacting with government services.

In the U.S., the similar National Strategies for Trusted Identities in Cyberspace (NSTIC) program, is focused on creating an "identity ecosystem" with federation at its core and OpenID Connect as one of the marquee protocols along with OAuth 2.0, which focuses on authorization.

What makes Yahoo's move even more curious is the fact that the company has a representative on the board of the OpenID Foundation, which developed OpenID Connect and finalized it last week.

Perhaps the company is sticking its toe in the water on plans to become a large hub identity provider (IdP) on the Internet.

That has the potential to be a lucrative business. Covisint, which acts as such a hub and which went public late last year, is now valued at $410 million. Of course, that is but a fraction of Yahoo's $39.8 billion valuation.

Or perhaps Yahoo is pulling in the federation reins because it sees gains for its own data analysis and channel strategies.

Whatever the plan may be, time will tell if Yahoo left the right road or not.

Editorial standards