Saturday, Sep 30, 2006

BBAuth vs. OpenID

Yahoo! released its Browser-Based Authentication (BBAuth) mechanism yesterday. It can be used to authenticate third-party web app users to Yahoo!’s services, for example photo sharing and email sharing.

Big deal, huh?

The kicker is this, though: you can use BBAuth for simple single sign-on (SSO). Most third-party web app developers would love to have someone else deal with the username and password issues. Not storing users’ passwords means much less liability, much less programming, and far fewer problems.

Now Yahoo! gives you a REST-based API to do just that.

It will be interesting to see how this plays out against OpenID. They are both very similar. Granted, there is some skew: OpenID is completely open, both for consumers and providers of identity.

However, from my own experience, OpenID consumers (a.k.a. relying parties) seem to want only one thing, perhaps two or three:

  • have someone deal with your users’ passwords,
  • retrieve name and email address for a user

And now Yahoo! does the first, and the second is available. At the same time they’re making your app reachable to 257 million+ users. Here’s an example.

That seems a pretty big reason for a web app developer to implement it, especially since the API is so easy that you can integrate it in an hour or two.

Reader Comments (3)

It will be interesting to see how long it takes for adoption to reach the point that no one thinks twice when a Yahoo login pops up on another site. They'll be nice and ripe for password harvesting via fake Yahoo login forms then. :)
October 2, 2006 | Unregistered Commenter Christopher A. Petro

Indeed. They're trying to prevent that by letting you upload any 'sitekey' like pic that is displayed at the login screen.

But phishing is a menace, for sure.
October 2, 2006 | Registered Commenter Hans

The fake logins are one problem, but if anybody can incorporate this function into their site, how will you know who you are sharing with and how trustworthy they are? The login page states:

"After you sign in we'll ask you to give us permission to share your personal data with the developer of this service".

Yahoo requires application registration with a Yahoo ID and verifies that you can access the web server for the root of the domain. There doesn't seem to be any further verification of trustworthiness. How quickly can you register a domain and does the registry verify the registrant is real?

They might not get your password but they can get other details that you have specified must be shared. Note that the Yahoo login page does not give any indication of the site requesting the details (I didn't log in so I can't say what follows).

All going in the right direction, but we still need a trust model to build confidence with users.
October 12, 2006 | Unregistered Commenter Mark
