June 30, 2006
@ 04:28 AM

It seems the Web API authentication discussion has been sparked up all over the Web by the various announcements of Windows Live ID and the Google Account Authentication for Web apps. In his blog post "Google's authentication vs. Microsoft's Live ID", Eric Norlin writes:

Recent announcements of Google's authentication service have prompted comparisons to Passport, and even gotten Dick Hardt (of "Identity 2.0" fame) to call it the "deepening of the identity silo." I'd like to contrast Google's work with Microsoft's recent work around Live ID.

Microsoft's Live ID *is* the old Passport — with a few key changes. Kim Cameron's work around the identity metasystem has driven the concept of InfoCards (now called CardSpace) deep inside of Microsoft. In essence, Kim's idea is that there is a "metasystem" which utilizes WS-Trust to translate tokens, so that all identity systems can interact with each other.

Of extreme importance is the fact that Windows Live ID will support WS-Trust, WS-Federation, CardSpace and ADFS (active directory federation server). This means that A) Windows Live ID can interact with other identity metasystem implementations (Open Source versions, for example); B) that your corporate active directory environment can be federated into Windows Live ID; and C) the closed system that was Passport has now effectively been transformed into an open (standards-based) and transparent system that is Live ID.

Contrast all of this with Google's announcement: create Google account, store user information at Google, get authentication from Google — are we sensing a trend? While Microsoft is now making it easy to interact with other (competing) identity systems, Google is making it nearly impossible. All of which leads one to ask - why?

Perhaps it's because there are now so many old-school Microsoft people at Google? ;)

On a more serious note, I suspect that the Google folks simply didn't think about the federation angle when designing the authentication model for their APIs as opposed to this being some 'evil plot' by Google to create an identity silo.


Friday, June 30, 2006 10:26:20 AM (GMT Daylight Time, UTC+01:00)
Google's lock-in put me straight off their new shopping cart product. I wouldn't want my customers to have to create a new Google identity to shop at my site.
Friday, June 30, 2006 6:06:02 PM (GMT Daylight Time, UTC+01:00)
Either Google didn't study the history of the space (which I find hard to believe) or they believe the Google brand is so strong that they can get away with what everyone basically said 'f that' to Microsoft about. It'll be interesting to see how it pans out...
Saturday, July 1, 2006 5:56:23 AM (GMT Daylight Time, UTC+01:00)
Based on my reading of the Google info, the goal is to allow sites to impersonate the user without the site getting the user's password.

This seems different than the Passport goal of sharing identities across sites.
borton manila
Saturday, July 1, 2006 5:59:41 AM (GMT Daylight Time, UTC+01:00)
"Google's lock-in put me straight off their new shopping cart product. I wouldn't want my customers to have to create a new Google identity to shop at my site."

Think about it from the buyer's perspective.

Will a buyer trust Google with your credit card number more than your random site that the user stumbled across while browsing?
borton manila
Friday, July 7, 2006 3:52:42 PM (GMT Daylight Time, UTC+01:00)
Borton, it's not about trust, it's about convenience. Not only do they have to register with my site, they have to register with another one to finish the transaction.

Of course, if as many people have Google identities as have PayPal identities then my argument pretty much goes away.