The Future of Auth? Commoditized

by Jonathan Wellons

If you're still writing your own authentication for your websites, you may want to get with this program. Have a look at the bottom right of this page:
Yep, almost everybody has one of those accounts these days, and more and more of those users are getting tired of endlessly multiplying username/password combinations.

I realize that Microsoft tried something like this with its Passport service in the past, but you can base your website's auth on any site or combination of sites, even if they don't have an API. As Tony Stubblebine has put it: "A login form is an API."
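To make the two approaches concrete, here is an added example (mine, not the post's or any commenter's code) that simulates both in a single process: the "login form is an API" piggyback approach from the post, where the relying site replays the user's real Gmail/Facebook credentials against the provider's login form, and the token-based alternative raised in the comments below, where the user types the password only at the identity provider and the site receives a signed token bound to that one site. The identity provider, the two relying sites, the user "alice" and her password are all constructed for the example; the HMAC token format is a stand-in for whatever a real provider issues.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample credentials (not real accounts).
USER, PASSWORD = "alice", "correct horse battery staple"


class IdentityProvider:
    """Stand-in for the site that really owns the account (Gmail, Facebook, ...).

    login_form()  - the username/password check a web login form performs;
                    this is the "API" a piggyback site drives.
    issue_token() - a token flow: the password is entered *here*, and the
                    relying site only ever receives an audience-bound token.
    """

    def __init__(self):
        self._users = {}        # username -> (salt, pbkdf2 digest)
        self._rp_keys = {}      # relying-party id -> shared HMAC key

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._digest(password, salt))

    def register_relying_party(self, rp_id):
        key = secrets.token_bytes(32)
        self._rp_keys[rp_id] = key
        return key  # handed to the relying site out of band

    def login_form(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._digest(password, salt))

    def issue_token(self, username, password, audience, now=None):
        if not self.login_form(username, password) or audience not in self._rp_keys:
            return None
        now = time.time() if now is None else now
        payload = json.dumps({"sub": username, "aud": audience, "exp": now + 300},
                             sort_keys=True).encode()
        tag = hmac.new(self._rp_keys[audience], payload, hashlib.sha256).digest()
        return (base64.urlsafe_b64encode(payload).decode() + "."
                + base64.urlsafe_b64encode(tag).decode())


class PiggybackSite:
    """Relying site that logs users in by replaying their provider credentials.
    It necessarily handles the plaintext password on every login."""

    def __init__(self, name, idp, compromised=False):
        self.name, self.idp, self.compromised = name, idp, compromised
        self.leaked = []  # what an attacker who owns this server sees

    def login(self, username, password):
        if self.compromised:
            self.leaked.append((username, password))
        return self.idp.login_form(username, password)


class TokenSite:
    """Relying site in the token flow: never sees the password, and accepts
    only tokens signed under its own key and addressed to its own name."""

    def __init__(self, name, idp, compromised=False):
        self.name, self.compromised = name, compromised
        self.key = idp.register_relying_party(name)
        self.leaked = []

    def login(self, token, now=None):
        if self.compromised:
            self.leaked.append(token)
        try:
            payload_b64, tag_b64 = token.split(".")
            payload = base64.urlsafe_b64decode(payload_b64)
            tag = base64.urlsafe_b64decode(tag_b64)
        except (ValueError, TypeError):
            return None
        if not hmac.compare_digest(tag, hmac.new(self.key, payload, hashlib.sha256).digest()):
            return None
        claims = json.loads(payload)
        now = time.time() if now is None else now
        if claims.get("aud") != self.name or claims.get("exp", 0) < now:
            return None
        return claims["sub"]


def piggyback_scenario():
    """One compromised piggyback site: what does the attacker get?"""
    idp = IdentityProvider()
    idp.register_user(USER, PASSWORD)
    site_a = PiggybackSite("site-a", idp, compromised=True)
    site_b = PiggybackSite("site-b", idp)
    site_a.login(USER, PASSWORD)           # normal login, but site-a is owned
    user, pw = site_a.leaked[0]            # attacker now holds the real password
    return {"other_site_hijacked": site_b.login(user, pw),
            "idp_account_hijacked": idp.login_form(user, pw)}


def token_scenario():
    """Same attacker, same compromised site, token flow instead."""
    idp = IdentityProvider()
    idp.register_user(USER, PASSWORD)
    site_a = TokenSite("site-a", idp, compromised=True)
    site_b = TokenSite("site-b", idp)
    token = idp.issue_token(USER, PASSWORD, audience="site-a")
    site_a.login(token)                    # legitimate login at site-a
    stolen = site_a.leaked[0]              # attacker gets only the token
    return {"other_site_hijacked": site_b.login(stolen) is not None,
            "idp_account_hijacked": idp.login_form(USER, stolen),
            "replay_after_expiry": site_a.login(stolen, now=time.time() + 600) is not None}


if __name__ == "__main__":
    print("piggyback:", piggyback_scenario())
    print("token:    ", token_scenario())
```

The two scenario functions differ only in what the compromised site held: in the piggyback flow the stolen item is the password itself, so it opens the provider account and every other piggyback site; in the token flow it is a short-lived token keyed and addressed to site-a, which site-b rejects and which the provider's login form does not accept as a password.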


2007-06-07 21:39:18
Really? Who trusts some wannabe fly-by-night Web 2.0 with your Facebook/Hotmail/Gmail password? Wow! They even promise never to save your password. That really changed my mind.

For an SSO system to work, there has to be an independent login page that passes a token to the specific site, as the various Web 2.0 wannabes can't be trusted to keep their servers running, let alone keep your password safe.

2007-06-07 23:37:18
Dear Tom,

That's debatable. Most folks have a real gmail account and a throwaway account. For these purposes, you don't ever even need to log into it. If the site did snag your throwaway account password, what would they do with it? They wouldn't be able to figure out what other sites you had accounts on since you could have activation emails, etc. sent to your real account.

That said, an SSO system like you mention does exist, for Google at least.


2007-06-08 10:30:00
So everyone has a throwaway Gmail account? I don't. I don't remember reading anywhere that everyone should create one.

These sites are ripe for abuse. XSS hacks, or just the latest PHP exploit. Steal a bunch of passwords. Then use Google to search for other Web 2.0ish sites that also use piggyback auth, and hack the accounts there too.

Don't worry, none of these sites are really important, or involve money or anything. Or wait, they do. is a money management site!

Piggyback auth will end in tears for everyone.

2007-06-08 11:01:31
I agree with Tom. OpenID/Cardspace with a token authentication is a much better SSO system.

Even if you have a "throwaway" Gmail account, what happens when you use this throwaway account on 20 different sites using the Google API Auth? If one of these 20 sites abuses your trust, or has poor code that allows XSS attacks, etc. etc., it's an open invite to not only your GMail but also makes access to the other 19 sites vulnerable.

Any SSO is dependent on the web community (sites & users) accepting the technology (hence the demise of Passport). It will be a shame if this third-party API style auth gains more traction than a token based system. Token systems like OpenID/Cardspace give the user much more control.

Jonathan Wellons
2007-06-08 11:51:17
Tom and Mike,

You've given me something to think about (and reply to soon). If you have more thoughts, please continue to post them.

~ Jonathan

Jonathan Wellons
2007-06-11 15:18:35
Dear Tom and Mike,

Mike, I think the discussion got sidetracked a little, and we agree more than we think. Google has a token-based Auth, and I enthusiastically encourage people to use it for the reasons mentioned.

Otherwise, sorry guys, but I can't see how this system is any way worse than having dozens of separate usernames and passwords. In fact, it's far better: when you go through your regularly scheduled password updates, you only need to change them in one place, and in fact it's more secure since you won't have old, compromised account passwords still in use.

Also, I didn't say you needed to get a throwaway Gmail account. Nevertheless, I think you'll find that having a non-real-mail version of any of those accounts would be a safe and easy way to suddenly have access to hundreds of sites.