All in the <head>

– Ponderings & code by Drew McLellan –

– Live from The Internets since 2003 –

About

Centralised Authentication

22 March 2004

If you’ve had the misfortune to use MSN Messager, Hotmail or Microsoft’s MSDN services, you’ll be familiar with their centralised authentication system – Passport. Although I’ve signed up for a couple of Passport accounts professionally in my time at one job or another – I’ve always kept away from it on a personal basis. I’ve signed up in order to get a Messenger account, but used a throw-away email address and gave no other personal information. The simple reason is that I don’t trust Microsoft with the information, and in particular the context in which a centralised system holds that data. Not due to any general anti-Microsoft feeling, but simply because their track record isn’t good with keeping such data safe, and I also question their motives in holding it. I’m not going to rant on about it, but suffice to say I’ve made the personal choice not to make great use of that particular ‘service’.

So when I heard about Six Apart’s new centralised authentication system TypeKey I was a little skeptical. Six Apart are pitching the service as a method of battling comment spam, flooding and so on. The idea as I understand it (and to be fair, only marketing information exists so far) is that to post a comment on a TypeKey enabled blog, the user must have a TypeKey account/identity. If they already have one, the posting a comment is super-easy as the blog can fetch the user’s details automagically. Very convenient if you’re already signed up – and a pain the arse if you’re not. Still it would, in theory, cut down on spam. TypeKey will be integrated into the forthcoming version of MovableType, with APIs available shortly afterwards for developers to integrate the service with their own apps.

However, just as with Microsoft Passport, you have to question what’s happening with the data. Six Apart use carefully selected language to focus the security debate around that of keeping email addresses secure and not sending spam. This is far from being the issue – as you have to keep in mind the fact the Six Apart will potentially have the capability to track your movements around the web, with each TypeKey site you hit phoning home and logging your presence. I’m not one to get paranoid about this sort of thing from a privacy point of view, however, the data Six Apart could collect would be commercially extremely valuable and here we are handing it over for free. I don’t object to being spied on for giggles, but I object to people profiting from selling data about me without asking me first.

Of course, there are issues with a centralised service should that service become unavailable through attack, mismanagement or just bad luck. See Dean’s thoughts on this issue.

For me, I’d like to ask Six Apart the following

  1. If you’re going to collect and use data for any other purposes than system maintenance, be explicit in stating that use and its purpose. Let the user opt-in with full knowledge of the implications.
  2. If you’re not going to use the data for purposes other than system maintenance, please roughly outline how this service is maintained financially, and how it can be sustained. (will it be around in 12 months?)
  3. If you’re not going to use the data for purposes other than system maintenance, please outline the technical factors which are limiting you doing this.

A system like this could be excellent, but could also be a complete disaster. To be centralised, the system will have to prove itself to be trustworthy both technically and ethically. I worry that Six Apart are being a little presumptuous in respect of that trust.

- Drew McLellan

Comments

Tags

Comments

  1. § Drew: Related, Mark Pilgrim takes the opinion that any concern is hysteria.
  2. § Jesse: hmm I share Mark’s feelings ;)
  3. § Drew: You share Mark’s feelings that it’s not right to question the motives of such a service?

    One of Mark’s points is that Six Apart are a company trying to make a buck, and that this is their right. Of course it is – but if it’s a free service that costs them real money to run, where are they making that buck? If they’re not going to sell data, then they should have no problems stating that that is the case.

    And if they’re all above board, good luck to them. As I’ve stated, this could be an excellent system. (and very useful too).
  4. § Jesse: Well any profile i have ever filled out has the silliest information i can think of – including an email address of smellitand@luvit.com. Unless i need to corrispond with the site. Then i just use my generic hotmail address that catches that stuff. But i usually tell them I am 80 yr old woman or something like that. If people didn’t fill them out honestly – because you only want them to remember your name and password and preferences for the site – then the information they collect would be useless.
  5. § Jay Allen: One of Marks points is that Six Apart are a company trying to make a buck, and that this is their right. Of course it is but if its a free service that costs them real money to run, where are they making that buck?

    Oh Christ. Not everything a company does must produce a direct and measurable ROI. Obviously, TypePad and other MT 3.0 features give site owners more control over their own sites. That enhances the attraction of the platform and keeps it viable which helps SixApart in the end.

    Make sense?
  6. § Drew: Of course – you’re not stating anything new here. My point was (and maybe I didn’t communicate it well) – this service will be a considerable drain on resources – the bandwidth and server horsepower required will be immense. That’s not the sort of thing that is easily set aside for indirect ROI.

    Add to that the marketing needed to actually get people to trust Six Apart, and the possible devastating effect this could have on their business. For me, that’d be too large a gamble to take for only indirect ROI.

    See where I’m coming from?

    This isn’t to say that I’m against the scheme – just questioning it. Due diligence.
  7. § Sunny: Mr Allen – Agreed that TypeKey enhances the platform provided by SixApart and their intentions with TypeKey may be entirely positive but that doesn’t mean Drew’s misgivings are not valid.

    Drew wants SixApart to clear some murky areas, shed some light on it. The privacy concerns that Drew raises should be cleared by any company that handles user data be it the well intentioned SixApart or the Microsofts.
  8. § Adrian Simmons: You might want to take a look at Drupal and its Distrubuted Authentication system.

    No central key-holder but you still get to log into many different sites using just one user/password combo.
  9. § Mark: I was unaware I had a point, really. Can’t we all just calm the fuck down? It’s only a press release.
  10. § Drew: Hey, we’re calm :)
  11. § Mike Jones: Personally I can’t get over the fact that to do this right they are going to have to spend thousands of dollars to get this up and running and yet more to keep it running. We’re talking serious distributed application devlopment, serious hardware, 24/7 support, etc.

    Sometimes I can’t get to sleep when I’ve got a new server and I’m not sure I remembered to set the logrotate params correct or something stupid… I can’t imagine why someone would want to be responsible for such a system. Its not like Passport where the people responsible are hidden by the corp… This is a tiny corp.
  12. § Shelley: Mark:

    “Cant we all just calm the fuck down? Its only a press release.”

    And Atom is only an alpha release.
  13. § Jesse Rodgers: As seen on /. – Passport is a failure

    Is there really a future for this stuff? I mean if MS can’t succeed at something – who can ;)
  14. § Dave: And Atom is only an alpha release.

    Atom is a draft that’s out there and usable. TypeKey is just an announcement at this stage. The point is that you can only criticize TypeKey so much until people can actually use it and see how it works or fails. Lots of good ideas and good products might have looked terrible on paper. What matters is implementation.

Photographs

Work With Me

edgeofmyseat.com logo

At edgeofmyseat.com we build custom content management systems, ecommerce solutions and develop web apps.

Recent Links

Affiliation

  • Web Standards Project
  • Britpack
  • 24 ways

About Drew McLellan

Photo of Drew McLellan

Drew McLellan has been hacking on the web since around 1996 following an unfortunate incident with a margarine tub. Since then he’s spread himself between both front- and back-end development projects, and now is Director and Senior Web Developer at edgeofmyseat.com in Maidenhead, UK (GEO: 51.5217, -0.7177). Prior to this, Drew was a Web Developer for Yahoo!, and before that primarily worked as a technical lead within design and branding agencies for clients such as Nissan, Goodyear Dunlop, Siemens/Bosch, Cadburys, ICI Dulux and Virgin.net. Somewhere along the way, Drew managed to get himself embroiled with Dreamweaver and was made an early Macromedia Evangelist for that product. This lead to book deals, public appearances, fame, glory, and his eventual downfall.

Picking himself up again, Drew is now a strong advocate for best practises, and stood as Group Lead for The Web Standards Project 2006-08. He has had articles published by A List Apart, Adobe, and O’Reilly Media’s XML.com, mostly due to mistaken identity. Drew is a proponent of the lower-case semantic web, and is currently expending energies in the direction of the microformats movement, with particular interests in making parsers an off-the-shelf commodity and developing simple UI conventions. He writes here at all in the head and, with a little help from his friends, at 24 ways.

Recommended