Sunday, October 01, 2006

Authentication War

Today I read a news story about Yahoo's new BBAuth. Alongside MS's Passport/LiveID and Google Accounts, this means the three biggest freemail/webapp vendors have now joined an authentication war.

When I started to design eyou.com's passport mechanism in 2005, I thought we could deliver a similar API to encourage 3rd-party developers to create their webapps based on eyou.com's passport. We would even extend the passport network to all the email servers that were deployed on CERNET campuses. Anyway, eyou has now focused on the zhanzuo.com service, and I have no chance to implement the crazy idea.

Owning users' authentication data means taking charge of storing it safely. You should provide HTTPS connections, recruit highly trustworthy employees to maintain the database, defend against hackers from everywhere, etc., etc. On the other hand, it is difficult to get a new user to register on your site. So I think Passport/LiveID, Google Account and BBAuth are very important services for startups. They no longer have to care about the auth/reg problem and can just focus on their core competence.

Before I read the news about BBAuth, I tried to create a sample app using the LiveID and Google Account APIs. It seems that many problems exist. MS may release their API (web version) in 2007, and nobody knows whether the service will be free. (Considering the competitors, I think LiveID would be a free service.) Google's API is very simple, and my test PHP script passed its test last night. But it only supports the Google Calendar service for now. If the Google account has not registered for the Google Calendar service, then I can't fetch its email address info (I know a Google account has logged in to my service, but I can't identify who it is).

The Google Account service includes 2 steps, authentication and authorization. Verifying the email/password pair is authentication. Fetching the account's email address info is authorization. It seems that there is only one authorizable service (Google Calendar), and the support from Google is bare.

Welcome to the Authentication War, Yahoo! I hope the action spurs MS and Google.
