No, I’m not giving you my Google password

A year after Google released their account authentication system, why are sites still asking for passwords that most users don’t even give their loved ones?
Spock is a useful tool for searching people. It just came out of beta.
Plaxo is a handy web app to sync your phone, email, and everything else.
Facebook and MySpace are, well, Facebook and MySpace.
What do they have in common? When signing up for any of these, users are asked for the name of their Google mail account, so the tool can access their contacts.
Then they’re asked for their Google password.
The sites want credentials that could not only be used to access the user’s contacts, but also their…
- search history
- GMail
- Google calendar
- all their other Google stored data
Most people don’t even share their passwords with their spouses - why would they give them to a third party website on the internet?
Even if the user chooses not to provide their passwords to these sites, why trust a site that asks for them?
Google loses out too, with the added support burden of users who’ve given their passwords to websites that may not have handled them securely. When these sites are compromised, having a few thousand Google passwords leaked would tarnish Google’s name through no fault of their own.
Additionally, since popular sites are letting users think it’s OK to enter their Google password into a non-Google site, malicious sites will use this for phishing scams. And they’ll succeed.
So how can Google fix this?
The Page You’ve Never Seen
Google has an API to allow third parties to let users securely log in to their sites with their Google credentials.
When users register with websites, they’re directed to the Google Access Request page to enter their credentials and tell Google whether they want to allow the third party site to access their account. The website can still work with the user’s address book, calendar, mail and other services (the user determines which ones - in the screenshot below, the calendar) but never receives the user’s actual credentials.
This page has been around for a year. Ever seen it before?
Us neither. That’s because nobody uses it.
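The flow described above, as an added example that is neither Google’s code nor the post’s own: a toy identity provider that authenticates the user on its own page, hands the site a token bound to that site and to the approved services, and refuses anything outside them. The site name, user, password and stored data are all constructed.

```python
# Added example (not from the original post): a toy model of the delegated flow
# the Access Request page implements. The user authenticates at the identity
# provider and approves a scope list; the site only ever holds a scoped token.
# Site name, user, password and stored data are all constructed.
import hmac
import secrets

SITE = "addressbook-sync.example"  # hypothetical third-party site
SERVICES = ("contacts", "calendar", "mail", "search_history")


class IdentityProvider:
    def __init__(self, users, data):
        self._users = users    # username -> password
        self._data = data      # (username, service) -> records
        self._grants = {}      # token -> (user, site, approved scopes)

    def access_request(self, user, password, site, scopes):
        """The Access Request page: the password is typed here, never at the
        site; the site gets back a token bound to it and to the approved scopes."""
        if not hmac.compare_digest(self._users.get(user, ""), password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(16)
        self._grants[token] = (user, site, frozenset(scopes))
        return token

    def fetch(self, token, site, service):
        """Serve an API call: the token must belong to the caller and cover the service."""
        grant = self._grants.get(token)
        if grant is None or grant[1] != site:
            raise PermissionError("unknown token, or token bound to another site")
        user, _, scopes = grant
        if service not in scopes:
            raise PermissionError(f"{site} was not approved for {service}")
        return self._data[(user, service)]


def readable_by_site(idp, token):
    """Which services can the site reach with the token it stores?"""
    out = {}
    for service in SERVICES:
        try:
            out[service] = idp.fetch(token, SITE, service)
        except PermissionError:
            pass
    return out


def make_idp():
    """Constructed fixture: one user with a record in each service."""
    data = {("alice", s): [f"alice's {s}"] for s in SERVICES}
    return IdentityProvider({"alice": "correct horse battery"}, data)
```

A site that holds the password instead can call `access_request` for every service itself, which is exactly the exposure the post describes; a site holding only the token is limited to what the user approved.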
The Basic Steps
Why don’t the websites use the Google Access Request page? And what can Google do about it?
The following would be a good start:
- Educate users about where they should (and should not) enter their Google password. Think of all those phishing warnings you see when you log into your internet banking. Users should only give their Google passwords when google.com (or their local version) is in the address bar.
- Make sure sites that use Google’s logo handle passwords properly. Third party sites like MySpace currently ask for private credentials with Google’s logo right underneath, in a manner that may falsely suggest Google could be endorsing the site asking for or handling users’ Google passwords.
- Change the terms of service for partnering agreements (e.g., embedding Google search on the site) to include terms for handling users’ private data, i.e., the partners should not ask for any passwords for other sites.
But here’s a better idea:
Help third party developers build apps that authenticate to identity providers. Why should app developers have to create separate code to support:
- Google Accounts
- Facebook identities
- Microsoft LiveIDs
and so on? If Google adopted (and improved) OpenID, rather than their own identity standard à la Microsoft’s doomed Passport effort, site developers could implement support for Google, AOL, Livejournal, employers (e.g., Sun), and every other OpenID identity provider in one hit.
Free of the artificial limits imposed by proprietary standards, OpenID has an inbuilt network effect - every additional user makes the service more valuable for the existing users, as it becomes easier to join and use new communication tools. Want to add a friend on Blogger to your Livejournal friends list? OpenID makes it possible.
Like any successful tool utilising a network effect, OpenID doesn’t exclusively rely on that effect: much in the same way Delicious provided a way to share bookmarks between computers prior to it being used as a social tool, OpenID users can immediately join new services without giving away their existing passwords or creating and managing new ones. Find an interesting service, but don’t want to bother with the account creation process? OpenID allows users to simply approve or deny access to their details, without re-entering them.
Application owners don’t have to support the latest proprietary identity scheme, and gain users who may not have been bothered registering before.
The value of the network will increase logarithmically every time a user or app is added. Google doesn’t need to be on board with OpenID for this to happen, but Google adopting the platform does push OpenID further along the curve.
Sure, OpenID is not perfect - for one thing, it needs to allow email-address-based IDs rather than domain-based account names (user.company.com). But Google has tried proprietary authentication schemes - they’re not being used.
A better solution needs to be found before Google and its users suffer the results of trusting somebody they shouldn’t.
August 24th, 2007 07:07
Good point! (The second image links to the wrong screenshot, by the way.)
I’m looking forward to a widespread acceptance of the OpenID protocol. Still, it is a bit hard to comprehend at first.
August 27th, 2007 09:04
The GMail team hasn’t formally released an API because of concerns about spam bots and so on. Whether or not their concerns are well-founded is questionable, but ideally they’d make it possible to access at least the contact list functionality via AuthSub. We would use it in a second!
We’re just as guilty - most Twitter API applications currently require you to provide your username and password. We’ve been hard at work on creating a standardised Delegated Authentication protocol to try to prevent this practice.
In the meantime, we don’t store usernames and passwords for the GMail search, and all requests are done using HTTPS to prevent leaking.
Thanks for the feedback, and I really hope GMail launches their AuthSub-capable API soon!
August 30th, 2007 17:58
Hi,
I have created one website. I want to authenticate my website with Google ID (Gmail) and password. How do I use this authentication in my web application (my application is developed in Ruby on Rails)?
thanks.
September 5th, 2007 00:42
Ravi: you ask no question. Yet you say thanks. Thank *you*.
Furthermore, this is a place to post comments, not questions.
Thirdly, the answer to the unasked and unaskable question is in the article.
Happy googling,
Seth
December 20th, 2007 05:08
You do know myspace is owned by Google, right?
Ed: If by Google you mean News Corp, then yes.