Mike Jones, author of the OAuth 2.0 bearer token specification and significant contributor to the OAuth 2.0 specification itself, has announced on his blog that OAuth 2.0 has won the 2013 European Identity Award for Best Innovation/New Standard.
This is great news for everyone involved in writing the specification and for everyone implementing OAuth 2.0 solutions.
Tim Bray, a developer at Google with whom I disagreed in a previous post, has just posted on his blog that the team he is currently working in will shortly be announcing some of their early work and thinking.
He says the problems they’ve identified and want to try to solve include:
- The username/password dance sucks and doesn’t scale, particularly on mobile.
- People putting up apps and sites regard identity — getting people signed up & signed in — purely as a tax; something they gotta do, but unrelated to what they care about.
- Most developers don’t understand identity standards like OAuth, or the related crypto and signing technologies, don’t want to learn them, and shouldn’t have to.
- If you can get new arrivals signed up quicker with less work, that’s a good thing.
- If you can get people you know signed in quicker, ideally with one click, that’s a good thing.
- People are paranoid and really don’t want to be in the headlines for next week’s embarrassing password leak.
- People don’t want to think about privacy and tracking and transparency, but the risk of not doing so (just) exceeds the pain.
- People like the notion of outsourcing the icky identity work, but are nervous about putting all their eggs in the Facebook’s or Google’s or Yahoo’s or whoever’s basket.
- On the other hand, having a cluster of Sign in with… buttons on your landing page dilutes your brand and feels like watching NASCAR on TV.
I’m looking forward to seeing what they come up with.