XAuth: First Take

XAuth has had me fascinated since it was announced yesterday.  If you haven’t heard of it yet, I think Dare Obasanjo’s summary is one of the better descriptions, although his site seems to be having issues this morning.

What is XAuth?  It appears to be one service, running on one domain, that will maintain the login state of every user at (ideally) every consumer Identity Provider in the world, in real time.  A service users have to opt out of.  The goal is discovery of authenticated providers.

There are interesting nuances here. As far as I can tell, for the large providers who are already a fixture on the standard NASCAR page, adopting XAuth means that their logo will be shown on fewer pages than it is today. In effect, Google, Microsoft Live and Yahoo! are volunteering to delist themselves from NASCAR pages whenever the user is not registered or not logged in.  Meanwhile Facebook and Twitter, who are not at this time involved in XAuth, will be there on every single NASCAR page, holding their spot, nice and predictable, day in and day out.  If you travel to Zoho, for example, and you are logged out of both Facebook and GMail, you will only see Facebook’s logo.   And since xauth.org is by design a single point of failure, any service disruption that threatens revenue for the relying party is likely to result in an abrupt re-adoption of a static NASCAR page.  So – what is it that these providers gain from such a dance?

They get to remove the user from the equation.  Relying Parties and Identity Providers finally get to discover each other all by themselves; they can talk right over everybody’s heads without prompting users.  In one sense, I completely get this!  Business runs so much smoother when the decisions get made en masse.  Asking the user is time-consuming, difficult, and frequently unappreciated.  And eventually you just have to solve the problem and get stuff done.

XAuth, if it succeeds, will be the antithesis of user-centric identity.   It is what happens when companies with businesses to run finally realize that asking users is a thankless, hopeless task that can only get in the way. We all know it is easier to ask forgiveness than permission – for better or worse, XAuth is that principle, taken to its logical conclusion.

5 Responses to “XAuth: First Take”

  1. Fascinating indeed. A visit to the XAuth.org site tells me that it is enabled in my browser… which suggests a complete lack of user transparency on their part.

    Just on that basis, I’m inclined to turn it off…

  2. Oh, but wait…! The “Disable XAuth” button appears not to do anything. Isn’t that cute?

  3. [...] says XAuth will eventually be released under an open source license, there are currently several unanswered questions about its design and its privacy implications that may hold it [...]

  4. Pamela says:

    Nat wasn’t able to comment (my apologies) – so he posted on his own blog: http://www.sakimura.org/en/modules/wordpress/re-xauth-first-take.

    Here is the text of his comment (and I appreciate the points!) :

    “Since the site did not accept the comment…

    This is a reply to: http://eternallyoptimistic.com/2010/04/20/xauth-first-take/

    XAuth seems to be nothing but a shared cookie, so it may not be a single point of failure. The RPs do not seem to communicate with the xauth.org so it should not be a critical problem even if the server was failing. At the very worst, the RP has to show all the NASCAR icons. That is all.

    At the same time, it would have interesting (not fun) security implications on a shared computer, but I have not done the analysis yet.

    And right, I feel that it is taking the user out of the cycle as well. It would have been much better if it just points to the location of the user’s XRD/s that lists all the services that a user can edit, but that may be way too esoteric. I agree that it is not user centric. It is service centric in philosophy, but that may be what the user is asking as a priority: “ease of use”.”

  5. [...] Pamela is wise. [...]