I'd like to talk about Google and "Authentication as a service" for a minute. Google devs, please do give it a read, there are some feature requests in there!

Authentication as a service is when a service provides third-party authentication for other services to use (through OAuth/OpenID). "Login with your Google account", basically.

Now, this doesn't officially exist as a proper service one would use or buy. I don't believe there is any guarantee that a login is going to work from one day to the next from anyone providing this (although OpenID services were a thing a few years back; VeriSign even got into the game back then).

Why I believe Google already is in the business

- They have complete spec-compliant support for OAuth 1, OAuth 2 and OpenID
- They have an immense user base
- They are used on a lot of websites providing third-party auth (any website that supports OpenID, plus several websites that support OAuth)
- They have several incredible security features (a very advanced two-step auth, app-specific passwords, a solid social auth dashboard, account security details in Gmail)
- They have a very advanced account recovery feature

What Google should do next

- Work with the OpenID guys to improve the spec (OpenID should be used for authentication, but OAuth is often used instead for various technical reasons).
- Add an option for Facebook/Steam-like "new device" email warnings ("Someone from a new device just logged in to your account", with a security password)
- Have a global page with open sessions (like Gmail) as well as failed password attempts, changes to security details, ...
- Provide private-key passwordless authentication. Come on guys, you have a browser and a bunch of specs at the tip of your fingers, make it happen.
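As an illustration of the "new device" warning and the failed-attempt tracking asked for above, here is an added example (not code from the original post, and not Google's implementation): a small check that walks login events in order, remembers which device identifiers an account has already used, emits a warning for a successful login from an unseen device, and counts failed attempts so a security page could list them. The event format, the device identifier (assumed to be a stable client identifier such as a signed device cookie) and the sample events are all constructed for the example.

```python
"""Added example: minimal "new device" login alerting over constructed login events.
Not the original post's code or Google's implementation; the device_id field is an
assumed stable client identifier and all sample data below is made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class LoginEvent:
    user: str
    device_id: str   # assumed: stable identifier for the client (e.g. a signed device cookie)
    ip: str
    success: bool    # False = wrong password / failed attempt


@dataclass
class AccountState:
    known_devices: Set[str] = field(default_factory=set)
    failed_attempts: int = 0   # what a "security details" page could display


def process_logins(events: List[LoginEvent],
                   state: Optional[Dict[str, AccountState]] = None
                   ) -> Tuple[List[str], Dict[str, AccountState]]:
    """Walk events in order and return (warnings, per-account state).

    Rules (a design choice for this example, not taken from the post):
    - a failed attempt is counted and never enrols a device
    - the first successful login of an account silently enrols that device
    - any later successful login from an unseen device produces a warning
      and the device is then remembered
    """
    if state is None:
        state = {}
    warnings: List[str] = []
    for ev in events:
        acct = state.setdefault(ev.user, AccountState())
        if not ev.success:
            acct.failed_attempts += 1
            continue
        if not acct.known_devices:
            acct.known_devices.add(ev.device_id)       # enrolment, no warning
            continue
        if ev.device_id not in acct.known_devices:
            warnings.append(
                f"{ev.user}: someone from a new device ({ev.device_id}) "
                f"just logged in to your account from {ev.ip}")
            acct.known_devices.add(ev.device_id)
    return warnings, state


# Constructed sample events (documentation IP ranges, made-up device ids).
SAMPLE_EVENTS = [
    LoginEvent("alice", "dev-laptop", "203.0.113.5", True),    # enrolment, no warning
    LoginEvent("alice", "dev-laptop", "203.0.113.5", True),    # known device
    LoginEvent("alice", "dev-phone", "198.51.100.7", False),   # failed attempt
    LoginEvent("alice", "dev-phone", "198.51.100.7", True),    # new device -> warning
    LoginEvent("bob", "dev-desktop", "192.0.2.9", True),       # bob's enrolment
]


def run_sample() -> Tuple[List[str], Dict[str, AccountState]]:
    return process_logins(SAMPLE_EVENTS)


if __name__ == "__main__":
    warnings, state = run_sample()
    for w in warnings:
        print("WARNING:", w)
    for user, acct in state.items():
        print(f"{user}: devices={sorted(acct.known_devices)} "
              f"failed_attempts={acct.failed_attempts}")
```

Over the sample events this produces exactly one warning (Alice's login from `dev-phone`), records one failed attempt for Alice, and ends with both of Alice's devices and Bob's single device enrolled.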


Why third party authentication matters

Hacking tools are getting stronger and stronger, and websites asking for passwords are getting more and more common, yet security practices on most of those websites are not keeping up. Most users reuse the same password across several sites, which makes all of those sites more vulnerable at once.

Offloading authentication to people who can do the job well, and whom you can trust (e.g. maybe you don't trust Facebook but trust Google, or trust Facebook but not Google - it's about the user having choices), is a lot safer than trusting a random website with the storage of your password. It should be the obvious norm.