From commented.org, here’s a thoughtful piece by Verisign’s Hans Granqvist on Yahoo’s BBAuth:
Yahoo! released its Browser-based authentication (BBAuth) mechanism yesterday. It can be used to authenticate 3rd party webapp users to Yahoo!’s services, for example, photo sharing, email sharing.
Big deal, huh?
The kicker is this though. You can use BBAuth for simple single sign-on (SSO). Most 3rd party web app developers would love to have someone deal with the username and password issues. Not storing users’ passwords means much less liability, much less programming, much less problem.
Now Yahoo! gives you a REST-based API to do just that.
It will be interesting to see how this plays out against OpenID. They are both very similar. Granted there is some skew: OpenID is completely open, both for consumers and providers of identity.
However, from my own experience, OpenID consumers (a.k.a. relying parties) seem to want only one thing, perhaps two or three:
- have someone deal with your users’ passwords,
- retrieve name and email address for a user
And now Yahoo! does the first, and the second is available. At the same time they’re making your app reachable to 257 million+ users. Here’s an example.
Seems a pretty big reason to implement it for the web app developer, especially since it is such an easy API you can integrate it in an hour or two.
And yet someone has added a sobering comment to Hans’ blog:
It will be interesting to see how long it takes for adoption to reach the point that no one thinks twice when a yahoo login pops up on another site. They’ll be nice and ripe for password harvesting via fake yahoo login forms then.
Sadly, if I had written this comment I would not have included the happy face. Until the security concerns are addressed, despite Yahoo’s very laudable openness, this is not a happy face moment.
But through Yahoo-issued InfoCards, BBAuth would avoid the loss of context that will otherwise lead to password harvesting: the user authenticates through the identity selector on their own machine rather than by typing a Yahoo password into whatever page a third-party site has redirected them to. It’s a good concrete example of how the various things we’re all working on are synergistic if we combine them.
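As an added illustration of the redirect-style sign-on flow under discussion (example code written for this page, not Yahoo’s BBAuth library or its actual wire format), here is a relying party’s callback handler that checks the identity provider’s signature, the timestamp, and single use of the returned token. The endpoint path, the parameter names, the HMAC-SHA256 signature scheme and the shared secret are all assumptions made for the example. Note what it cannot check: every one of these validations runs after the user has already typed a password into whatever login page the redirect landed on, which is exactly the context the comment above says a fake Yahoo form would exploit.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed shared secret issued to the relying party at registration
# (constructed placeholder, not a real credential).
APP_SECRET = b"rp-shared-secret-example"
MAX_AGE_SECONDS = 600  # assumed freshness window for the callback


def sign(path_and_query: str, secret: bytes = APP_SECRET) -> str:
    """HMAC-SHA256 over the callback path plus query string, hex-encoded.

    Assumed scheme for this example; a real provider publishes its own."""
    return hmac.new(secret, path_and_query.encode(), hashlib.sha256).hexdigest()


def build_callback(base_path: str, token: str, ts: int,
                   secret: bytes = APP_SECRET) -> str:
    """Simulate the identity provider: the URL it redirects the browser to
    after the user has logged in there. 'sig' is appended last so the
    relying party can strip it and re-sign the rest."""
    unsigned = f"{base_path}?{urlencode({'token': token, 'ts': ts})}"
    return f"{unsigned}&sig={sign(unsigned, secret)}"


class CallbackVerifier:
    """Relying-party side: validate a callback URL before trusting its token."""

    def __init__(self, secret: bytes = APP_SECRET,
                 max_age: int = MAX_AGE_SECONDS, now=time.time):
        self._secret = secret
        self._max_age = max_age
        self._now = now            # injectable clock for deterministic tests
        self._seen_tokens = set()  # in-memory replay cache (per-process demo)

    def verify(self, url: str) -> tuple[bool, str]:
        parsed = urlparse(url)
        params = parse_qs(parsed.query, keep_blank_values=True)
        try:
            token = params["token"][0]
            ts = int(params["ts"][0])
            sig = params["sig"][0]
        except (KeyError, ValueError, IndexError):
            return False, "missing or malformed parameter"

        # Rebuild exactly what the provider signed: path + query without sig,
        # preserving the original parameter order.
        pairs = [p for p in parsed.query.split("&") if not p.startswith("sig=")]
        unsigned = f"{parsed.path}?{'&'.join(pairs)}"
        if not hmac.compare_digest(sign(unsigned, self._secret), sig):
            return False, "bad signature"

        # Reject stale or future-dated callbacks (small skew tolerance).
        age = self._now() - ts
        if age > self._max_age or age < -30:
            return False, "stale timestamp"

        # A signed callback is still replayable within the window unless the
        # relying party remembers which tokens it has already consumed.
        if token in self._seen_tokens:
            return False, "replayed token"
        self._seen_tokens.add(token)
        return True, "ok"


def demo(now: int = 1_700_000_000) -> list[tuple[bool, str]]:
    """Run the handler over constructed callbacks: one good, one replayed,
    one tampered, one stale. Returns the verdicts in that order."""
    verifier = CallbackVerifier(now=lambda: now)
    good = build_callback("/sso/return", "tok-1", now - 30)
    tampered = good.replace("tok-1", "tok-2")           # token altered, sig not
    stale = build_callback("/sso/return", "tok-3", now - 3600)
    return [verifier.verify(good), verifier.verify(good),
            verifier.verify(tampered), verifier.verify(stale)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The signature and timestamp checks defend the relying party’s token exchange against forged or replayed callbacks; none of them can tell the user whether the form they just filled in was the identity provider’s or a look-alike.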