The Identity group where I’m working now is going to be launching some stuff soon, and I want to go out and talk to the world about it. I’m looking for input on good developer-focused meetings and conferences that I should be at to talk and, more important, listen.
Subject Matter · At the moment, here’s what I believe:
The username/password dance sucks and doesn’t scale, particularly on mobile.
People putting up apps and sites regard identity — getting people signed up & signed in — purely as a tax; something they gotta do, but unrelated to what they care about.
Most developers don’t understand identity standards like OAuth, or the related crypto and signing technologies, don’t want to learn them, and shouldn’t have to.
If you can get new arrivals signed up quicker with less work, that’s a good thing.
If you can get people you know signed in quicker, ideally with one click, that’s a good thing.
People are paranoid and really don’t want to be in the headlines for next week’s embarrassing password leak.
People don’t want to think about privacy and tracking and transparency, but the risk of not doing so (just) exceeds the pain.
People like the notion of outsourcing the icky identity work, but are nervous about putting all their eggs in Facebook’s or Google’s or Yahoo’s or whoever’s basket.
On the other hand, having a cluster of Sign in with... buttons on your landing page dilutes your brand and feels like watching NASCAR on TV.
So, those are the problems I want to talk about. And I want to hear whether what we’re doing sounds sensible, and what the other problems are that we haven’t been smart enough to spot or address.
What Kind of Events · There’s a whole “Identity Ecosystem” subculture out there, check out Identity Commons and the IIW meetings. These people have been doing the thinking behind the technology that I’m now working with, and I’m grateful to them.
But I want to go where the app builders are, not the Identity wonks. My heart is with the Web-centric/startup/open-source cultures, but Enterprise developers hold up half the sky and I need to talk with them too.
Basically, I’m looking for the kind of event where code samples are expected.
What I Can Offer · Organizing something for developers? I bet they’re worried about identity. Maybe they’re not terribly interested in it, but they know it’s an ugly problem that’s not going away, and I bet they’d want to hear where the technology’s going.
I’ll drop an identity-session proposal into the CFP of events that look interesting. But hey, if you’re also interested in an uptempo Google-looks-at-life or Internet-stress-points session, or fire-’em-up keynote, I can do those too. Lots of people think I’m entertaining; it’s mostly because I get super-energized when I’m hanging with my tribe.
And hey, I don’t have to talk. If there’s something that’s really can’t-miss, I’ll just go. Anyhow, most good events have BOFs and unconferences and so on.
Concretely · I’m already signed up to talk at Devoxx; giving a Googley keynote and an identity session. It’s exactly what I’m looking for; thousands of developers, every kind of them.
But my 2013 calendar is open. I’m thinking I gotta hit some Web-centric events like Railsconf and the PHP-oriented meetings but, to be honest, I’m a bit out of touch with what’s good, after two years of tight Android focus and doing mostly Google events.
I look at Lanyrd and I feel like my head’s going to explode. I mean, wow.
Ping Me · If you know of an event that you think needs an Identity injection I’d love to hear from you. You can comment on this piece, but I’ve also asked for input over on G+, and it’s a way better place for free-form discussion; if a few suggestions get a lot of +1’s from people I respect, I’ll take that seriously.
From: Murat Aydin (Oct 11 2012, at 11:57)
Hi Tim. You are invited to Android Developer Days 2013. Last year's photos, presentations and program of the conference are here: www.androiddeveloperdays.com
From: Dirkjan Ochtman (Oct 11 2012, at 13:18)
- I'd add developer-side complexity. OAuth notably fails there.
Personally, I still think Mozilla's Persona is shining in this space, currently. I think it's been mentioned before in your comments, here or on Google+, and I feel it would be good if you wrote up some thoughts about it.
Things I like about it:
- Email address is identity, which feels about right and seems easier than OpenID's "URL is identity".
- Decentralized; you can run your own IdP and I think there's delegation.
- Strong crypto to back it all.
As a web developer, I really don't want to deal with login details and authentication. Any solution should solve most of that for me (and get me an instant base of users who can trivially login instead of having to register).
On the Google side, Google Authenticator is pretty good. Strong crypto, pretty good usability, open source app(s?) and based on IETF-blessed standards. One minor nit there is that it's a bitch to bring over your two-factor authn to a new(ly installed) device because you have to disable, then re-enable it.
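The "IETF-blessed standards" behind Google Authenticator are HOTP (RFC 4226) and TOTP (RFC 6238): an HMAC over a counter, truncated to a few digits. The following is an added example, not code from this post, from Google or from the Authenticator app. It implements both RFCs against the reference secret the RFCs use for their test vectors, and adds the three server-side checks a practitioner actually needs (a constant-time compare, a small clock-skew window, and refusal to accept a step that was already used). The `provisioning_uri` helper and the `last_accepted_step` bookkeeping are my assumptions about how a verifier would be wired up; the otpauth URI format itself is the one the Authenticator app scans.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP with server-side verification checks.

Added example; not code from the original post or from Google Authenticator.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Reference secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
# Both RFCs' published test vectors are derived from it.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP(K, C): HMAC the 8-byte big-endian counter, then dynamic-truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter set to floor(time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                last_accepted_step: int, step: int = 30,
                digits: int = 6, window: int = 1):
    """Return the accepted step counter, or None if the code is rejected.

    - compares in constant time (hmac.compare_digest)
    - tolerates +-window steps of clock skew between phone and server
    - never accepts a step <= the last accepted one, so a code cannot be
      replayed inside its validity window (assumed per-user state)
    """
    candidate = candidate.strip().replace(" ", "")
    if len(candidate) != digits or not candidate.isdigit():
        return None
    now_step = unix_time // step
    accepted = None
    for delta in range(-window, window + 1):
        c = now_step + delta
        if c <= last_accepted_step:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), candidate) and accepted is None:
            accepted = c
    return accepted


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI (base32 secret, no padding) for the enrollment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_SECRET, now)
    print("current code:", code)
    print("accepted step:", verify_totp(RFC_SECRET, code, now, last_accepted_step=-1))
    print(provisioning_uri(RFC_SECRET, "alice@example.com", "Example"))
```

The enrollment URI is the only thing the phone ever receives; the server keeps the same secret plus the last accepted step. That is why moving to a new device means re-provisioning the secret, which is what the disable-then-re-enable dance in the comment above accomplishes.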
From: Avi Flax (Oct 11 2012, at 13:19)
I recommend Strange Loop in St. Louis and Emerging Technologies for the Enterprise in Philly.
From: Paul Hoffman (Oct 11 2012, at 14:00)
I'm happy to be finally seeing folks getting serious about starting the death of passwords; I'm happy to maybe be part of that with HOBA (http://tools.ietf.org/html/draft-farrell-httpbis-hoba). Your plan for 2013: make sure folks other than Google understand Google's desires are helpful for everyone.
From: Dave Pawson (Oct 12 2012, at 01:12)
Tim, don't forget to talk to the Chrome guys? The other nausea is filling in the forms with name/address/phone... Having that 'right' and stored helps lots.
An alternative to captcha that works (for all) sensibly would help.
From: Ross Reedstrom (Oct 12 2012, at 10:12)
Open source libraries are a particularly good way to spread a standards-based (even if de facto) best practice. The problem with most events is that they're either preaching to the choir (identity/security focused) or can't reach a critical mass, because they're focused on a specific technology (Python vs. Perl vs. Ruby/Rails etc.). Given all that, perhaps you could sneak into the GSoC mentors summit in two weeks (right, I know it's not 2013). Seems like it's going to be a nice cross section of open source, all techs, with people already talking interop at various levels. Even without you, I think I'll go upvote anything having to do w/ identity in the proposed schedule (which seems to be nothing at all. *sigh*)
From: Boris Mann (Oct 12 2012, at 10:23)
We're going to do PolyglotConf again this year, some time in late May. I've put a placeholder on Lanyrd. http://lanyrd.com/2013/polyglotconf/
I think a workshop on identity / account systems on the Friday would be super well attended.
From: dete (Oct 13 2012, at 23:03)
I would like to see a system that recognizes that people have facets, and don't necessarily want their Facebook identity cross-linked with their reddit identity cross-linked with their LinkedIn profile. I am very different people in those communities, but I still want single sign-on to work between them.
My ideal system would have three kinds of identities:
1 - My real identity, with all my real information (up to and including phone numbers, address and credit cards if I want). It'd be awesome if some of this could be verified. (Yeah, I don't really know how that scales either.) You would never use your "real identity" directly to log in to anything.
2 - Quasi-anonymous identity. A "handle" that is linked to my real identity, but NOT PUBLICLY. This could use my real name, but doesn't have to. I would have to explicitly opt-in to include data from my master account in those identities. I could have several of these, depending on the nature of the account. (One for gaming, one for business, one for family.) There would be a way for me to provide proof (cryptographically) that any two of my own quasi-anonymous accounts are linked, but no mechanism (short of law enforcement) to infer the link otherwise.
3 - Truly anonymous identities. You could implement these as "real identities" that simply have dummy or missing data, but I think there's value in explicitly calling out that an account is intentionally anonymous. These allow you to maintain a profile (and thus a reputation) across sites. You could click on a verification link to see that the "Jon3z" that just posted to Ongoing is the same "Jon3z" that has an account on G+.
From: DC Dan (Oct 14 2012, at 11:53)
I don't understand why the system used for SSH keys isn't more widely deployed for authentication needs.