Federation Conversation / Blood Bath

From IIW

Session Topic: Federation Conversation Tuesday 3A/D

Convener: Tim Bray, Google

Notes-taker(s): Vicki Milton

There are developers that don’t care about the underlying technologies

Tim created a blog that asked “why federate?” – get out of the password business

Got ugly really fast – flamed everywhere

Still believes that federation login is a generally good idea

But was very educated through the pushback he received and it should be taken seriously

Federated login = sign in with Twitter or Facebook


1. Users don’t understand what is happening

  • Confusion as to what is happening in SSO operation
  • Trust plays a role
  • Users are worried about information flows from IDP to RP

2. I don’t like being tracked

  • Leaves trails

3. I don’t like you

  • Consumers don’t like the companies asking for the data or sharing data

4. I don’t like spooks

  • Can be accessed by the government/intelligence professionals
  • Metadata creates patterns
  • Companies are beholden to government requirements

5. I like Mozilla persona

  • just use that

6. I like password managers

  • What’s the problem

7. I forget which provider I’m supposed to use

  • Not sure which IDP I used last time I was there

8. You’re a single point of vulnerability

9. You’re a single point of blockage

  • Too much power to Facebook

10. I’m a user not an operator

  • Understands why a developer would want to get out of the password business but the user can’t see the value to them.

There are objections to Google and there are general objections. Which ones did you see? Tracking discussion included concepts:

  • Reacting to brand
  • Every IDP is up against the same thing
  • Some IDPs may be seeking to be on the login page
  • Google and FB are the primary IDPs
  • Federation happens in the enterprise space as well, but that is not the direction for this discussion
  • IDPs are just identities that users use to represent their persona online, so users inherently see the repeated use of a particular identity as a way to triangulate their behavior.

NASCAR page was a really bad thing – looks like crap

What about oversight by government?

  • Small sites might not be as likely to push back on government data requests
  • Single provider allows them to better see where the user went as opposed to many sites.

Federation blocks the movement to a claims based world??

  • OAuth was designed to enable AuthZ without disclosing identity

Google didn’t get into business as an identity provider, but as an application provider. But the aggregation of identities and the data platform created a basis of mistrust.

A low-friction way to facilitate a data provider through a user-paid revenue model would be very interesting.

Need to build applications that assume the user has more than one identity. Industry isn’t about driving to one identity.

Users don’t understand that they are making a trade for information for authN. Need informed consent.

  • Microsoft does a pretty good job of providing info on what’s going on

Be interesting to separate the AuthN from the tracking.

  • Check out the Mozilla Persona protocol.
  • Allows the user to log into an RP through an IDP without letting the IDP know what you’re doing.
  • Google does track what you’re logging into, but they don’t generally look at the data before it’s purged
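A stripped-down model of the Persona (BrowserID) split described in the bullets above, written for these notes and not taken from the Mozilla code base: the IDP signs only an email-to-key certificate, the browser signs the audience with the user's own key, and the RP verifies the chain with the IDP key it fetched out of band, so the IDP never learns which RP the user visited. All names, the message formats, and the use of Ed25519 in place of Persona's RSA/DSA keys are this example's assumptions.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Cert is issued by the IdP and binds an email to a user-held public key.
// It names no RP, so the IdP cannot see where the user later logs in.
type Cert struct {
	Email  string
	UserPK ed25519.PublicKey
	Exp    int64 // unix seconds
	Sig    []byte
}
// Assertion is signed in the browser with the user's key and names the RP.
type Assertion struct {
	Audience string
	Exp      int64
	Sig      []byte
}
// Constructed message formats (not Persona's real JWT-style encoding).
func certMsg(c Cert) []byte   { return []byte(fmt.Sprintf("cert|%s|%x|%d", c.Email, []byte(c.UserPK), c.Exp)) }
func assertMsg(a Assertion) []byte { return []byte(fmt.Sprintf("assert|%s|%d", a.Audience, a.Exp)) }

// IssueCert is the IdP step; the audience is never part of its input.
func IssueCert(idpKey ed25519.PrivateKey, email string, userPK ed25519.PublicKey, exp int64) Cert {
	c := Cert{Email: email, UserPK: userPK, Exp: exp}
	c.Sig = ed25519.Sign(idpKey, certMsg(c))
	return c
}
// SignAssertion is the browser step, done locally without contacting the IdP.
func SignAssertion(userKey ed25519.PrivateKey, audience string, exp int64) Assertion {
	a := Assertion{Audience: audience, Exp: exp}
	a.Sig = ed25519.Sign(userKey, assertMsg(a))
	return a
}

// Verify is the RP step: trust only the out-of-band IdP key, check both signatures, audience and expiry.
func Verify(idpPK ed25519.PublicKey, c Cert, a Assertion, rp string, now int64) (string, error) {
	switch {
	case !ed25519.Verify(idpPK, certMsg(c), c.Sig):
		return "", fmt.Errorf("cert not signed by the trusted IdP")
	case !ed25519.Verify(c.UserPK, assertMsg(a), a.Sig):
		return "", fmt.Errorf("assertion not signed by the certified user key")
	case a.Audience != rp:
		return "", fmt.Errorf("audience %q is not this RP", a.Audience)
	case now > c.Exp || now > a.Exp:
		return "", fmt.Errorf("cert or assertion expired")
	}
	return c.Email, nil
}
```

The audience check is what stops an RP from replaying a received assertion at another site; the IdP's only visibility is the certificate request itself.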

The thing that’s missing is the voice of the user

  • What’s going on is that corps are collecting data on what the users are doing
  • There are ways to do federation and only releasing attributes instead of identity.
  • Not clear that the user would understand it anyway
  • Tim’s blog is for developers and doesn’t represent the voice of the user and their concerns
  • Why aren’t there people out there reviewing IDPs? Walt Mossberg doesn’t report on this.
  • RPs make the choice, not the user
  • There’s no way for a person to actually know what’s going on, no history, no reputation
    • Google has a single privacy policy, but there is no way to test that anyone’s doing the right thing because it’s all new

MFA will not scale to multiple sites without federated identity. With a single second factor on a federated identity, we can improve the quality.

  • Google says should enter passwords on any site without 100 staff to deal with identity security.
  • Don’t want to carry around a token for everyone
  • Google authenticator app is in substantial use across platforms and it doesn’t use federation

Is there demand for an identity prosumer market?

An email account is a single point of failure, and big IDPs ask users to enter a backup account to address account compromise.

There is a large world of users that have identities with IDPs that enable self-assertion; those IDPs don’t necessarily track, nor do they have this problem.

I don’t like tracking. There are some people that are more concerning:

  • Bad guys
  • Government
  • Other government
  • People tracking to monetize
  • Some identities are “followed” by people and so users are concerned about linkages sending messages to the primary.
  • Users make an explicit decision about who they want to be perceived when they sign in.
  • Forgetting who they logged on is a big problem
  • Users biggest issue is not in identity representation, it’s in having to authenticate.
  • RPs need an IDP and often choose one based on the data exchange and what is offered. But that RP value exchange is exactly what concerns the user.

Context matters. Work/personal. Login is about establishing your context

  • Women have been known to have more personas (6-10) than men (2-4).
  • IDP fatigue could lead to the consolidation of personas to 3-4 IDPs, which represents a more complete persona of the user
  • Privacy impacts due to this.