As of July 1, I’m moving from Google’s Android team to our Identity group, to work on OAuth, OpenID, and that sort of stuff. Back to being a full-time Web guy, for a while anyhow.

Why? · Several reasons. First, it was made increasingly obvious to me that I wouldn’t be successful in the Android group unless I moved to headquarters, which really isn’t an option for me.

Second, Android has the best engineering team it’s ever been my privilege to work with, but it’s sort of a silo, and all-engrossing; It’s easy to lose sight of the vast and wondrous landscape of online technologies and cultures.

Finally, I did a lot of work in recent months on the soon-to-launch Google Play Services, in particular getting the OAuth stuff working end-to-end from an Android app through a frightening number of moving pieces, through to the identity back-end. (I’ll probably have a final piece on the developers’ blog about that work.)

I’ve become fascinated by the tech and policy and developer issues around OAuth, and two things seem obvious to me:

  • Usernames and passwords generally suck and obviously don’t scale to the Internet, so we need to do away with ’em soonest.

  • The new technology coming down the pipe, OAuth 2 and friends, is way too hard for developers; there need to be better tools and services if we’re going to make this whole Internet thing smoother and safer.

In the new role, I’ll probably be getting out more; there are buttloads of conversation and lobbying and listening to be done around identity and authorization technologies, which can by definition only work in a meaningful way when multiple un-related parties get together to make it happen.

On Google Generally · I remain a huge fan of Google and what it’s trying to do. Google’s business bets all depend radically on a diverse, heterogeneous, safe, easy-to-use Web; and that’s what I care about most, professionally.

I think that Google’s many critics are mostly wrong. I have issues with some of the things we do, but there are lots of places internally to holler in a way that’s hard to ignore; and I think that at most other places, I’d have more to holler about.

I have two problems that may limit my future here. First, much of the company, like Android, is radically centralized, and not in good harmony with my need to telecommute. I’m optimistic that the identity gig will have less of this friction, because it needs to span not just the company but across companies and thus will require decentralized work. But we’ll see.

My second gripe is that, as a Googler, there are so many interesting subjects I can’t write about. You can bet that I have powerful opinions about the flurry of patent litigation, about things that Google and our competitors are doing, and about the industry in general; some of them might surprise you. My opinions may be wrong, but they’re (I think) unusually well-informed, and I bet I could make them entertaining.

But either they’d be things that are just inappropriate to say about your employer or competitors, or they’d been heard as being spoken in Google’s voice.

I’ve seriously thought about setting up as an indie like John Gruber or Horace Dediu, focusing on Google and Mobile. And maybe I will. But for the moment the identity thing has its hooks way into me, I’m proud to be a Googler, and expect to have fun.



Contributions

Comment feed for ongoing:Comments feed

From: Thomas Schranz (Jun 29 2012, at 12:42)

Great observation regarding the need for good oauth2 tools and easier to implement identity protocols. What became of oauth 'light'?

I'm also looking forward to the app engine API endpoints that were recently announced at Google IO. Will you support the people who work on that? :)

[link]

From: Steven Garrity (Jun 29 2012, at 12:48)

What's your opinion on Mozilla’s Persona (formerly BrowserID) project?

http://www.mozilla.org/en-US/persona/

[link]

From: John Cowan (Jun 29 2012, at 13:28)

The funny thing is that Google is a distributed company that thinks it's still centralized. As of 2010 when I left, the Percent system claimed that only about 45% of Google engineers were in Mountain View, and I bet the percentage has shrunk since then.

[link]

From: Andrew Ducker (Jun 29 2012, at 14:17)

I'd also love to know what you think of Mozilla's BrowserID/Persona approach. It looks like it could be a properly federated identity system that takes off where OpenID never managed to, and I'd love for that to happen.

[link]

From: Pat Patterson (Jun 29 2012, at 16:14)

Hey Tim - Android's loss is most definitely identity's gain! Looking forward to catching up with you on the 'circuit' - are you going to be at Cloud Identity Summit in July, or Internet Identity Workshop in October?

[link]

From: Hal Helms (Jun 29 2012, at 19:33)

Tim,

I've been where you're at (figuratively). When you're finally done with Google, I predict, you'll see what others could see but you could not afford to vis-a-vis Google's real nature.

But enjoy it while it lasts: just don't lose yourself so that when you're done with Google, you still have a you left that people respect.

[link]

From: Tony Fisk (Jun 29 2012, at 19:40)

Future thoughts... start a Vancouver Hub Space?

http://www.the-hub.net/

[link]

From: Eric Mill (Jun 30 2012, at 00:46)

This all sounds extremely agreeable. Of all the things that need work right now on the open web, it's identity. OpenID is failing, and needs a boost. There are proposals around OpenID Connect, and BrowserID, but nothing is catching yet. We need something to catch, and desperately. Thanks for working on the problem. Let us know how we can help.

[link]

From: Craig (Jun 30 2012, at 03:08)

Agreed on OAuth being too hard - but that's not the issue (there will be frameworks.) The issus is that it sucks from a users perspective on mobile (switching out to browser/website then back to app.)

[link]

From: Matěj Cepl (Jun 30 2012, at 04:27)

Yet another voice for BrowserID ... what do you think about that?

[link]

From: Dirkjan Ochtman (Jun 30 2012, at 07:22)

Count me in with those who want your opinion on BrowserID/Persona.

Also, with the ones who would potentially throw some money your way if you do decide to go indie.

[link]

From: John Battelle (Jun 30 2012, at 09:01)

Tim, very happy to see that you're doing this. I'd love to chat.

[link]

From: Bud Gibson (Jun 30 2012, at 10:23)

Yes, Google is extremely centralized as is the whole Valley. All those studies on Group Work from the 80s and 90s stating that people are much more likely to work with folks in the same building continue to hold true today. I think you could make it as an independent, but that may not really be your DNA. I think it would be a shame for Google to lose you.

I've enjoyed your commentary. Yes, identity is a big issue, and yes, it's way too hard.

[link]

From: Fred Grott (Jun 30 2012, at 11:56)

many of us Android developers also see the OAuth to hard for developers as a barriers to us also, glad you are attacking those issues

[link]

From: Asa Dotzler (Jun 30 2012, at 12:14)

Tim, I'm sure you've already got some opinions on BrowserID/Persona and I share an interest in those with several of your commenters.

More importantly, though, I'd like to make sure you've got good contact info for Thunder and Ben who are leading up that effort. If you don't, please email me asa@mozilla.org and I'll make the introductions.

[link]

From: Rachel Luxemburg (Jun 30 2012, at 13:25)

"...either they’d be things that are just inappropriate to say about your employer or competitors, or they’d been heard as being spoken in Google’s voice."

Agreed, but I'd add that this is not a unique problem to Google. Rather, it's part of the price one pays when choosing to work at a high profile company.

[link]

From: Sid Sidner (Jun 30 2012, at 13:48)

We'd love to have you join us at the Cloud Identity Summit in Vail, duing the week of July 16th. I'm sure you'd find it stimulating, and fun.

Look me up - I'm the very tall, old guy ith white hair.

[link]

From: Peter Kasting (Jun 30 2012, at 19:19)

Tim, FWIW, I'm on the Chrome team and while we have a big presence in Mountain View, I don't think we're too "radically centralized" -- lots of other teams all over and I personally am telecommuting all summer and not having any problem.

Just in case you want to look at yet more teams :)

[link]

From: orcmid (Jul 01 2012, at 12:58)

I'm a little concerned about identity and authentication being made easy for developers. I understand the desire, but it also strikes me that the pickle we're in is about developers and system operators using easy approaches badly. I also recall the readiness of OpenID acceptability was over some sort of visceral objections to what was thought too hard and now having to be reinvented yet again because the too-hard problem did not magically disappear.

There needs to be something that is simple, safe, and understandable for users. Users should be able to ascertain what the details are even if for most it will have to be a matter of blind trust.

And I'm happy to see your attention returning to broader issues, including identity and authentication.

[link]

From: Ryan Collins (Jul 01 2012, at 14:03)

What's wrong with Oauth 2? I used it with a personal project, and found it to be a breeze to use. I was able to implement it in PHP without relying on work by others.

[link]

From: Jonathan Story (Jul 01 2012, at 22:07)

Google's centralization comes as a real surprise to me. I was thinking that Hangouts and other goodies would be making location secondary. Are there collaboration tools that are still missing, I wonder, or is it mostly a matter of making sure that secret things are kept secret?

[link]

From: len (Jul 02 2012, at 12:50)

That could be a perch with a good view. If as I am reading, Google+ is just "the new Google", that is, Google is a family of applications united by identity, then you're in a good position once again to help invent the future, at least, of Google as an enterprise application farm.

It will be interesting to see how it works out regards the hubbub over Do Not Track. It seems there are very few interesting web problems left that aren't partially or more, social challenges. Good luck!

[link]

From: Keith Wansbrough (Jul 06 2012, at 17:35)

If you're doing work in authentication, you should read the recent Cambridge paper which sets up a comprehensive set of evaluation criteria. It looks like a great framework for making decisions in this area. "The Quest to Replace Passwords", http://www.cl.cam.ac.uk/~fms27/

--KW 8-)

[link]

From: Robert Bosman (Jul 18 2012, at 13:44)

Identity is essential for any human interaction and collaboration. And, no doubt, collaboration we need on a global scale to face today's problems and to turn this struggling society into a truly happy planet for generations to come.

It was Napoleon who initiated identity and ID-registers and thereby created the path for today's interconnected society.

Today's Internet is - despite all of it's greatness - from an ID perspective still a Wild West and needs it's own Napoleon, the one who can inspire the co-creation of an ID-ecosystem: interrelated and continously auto-verified ID's of individuals, organizations, subtorganizations and roles, that together can create the pth for the Collaborative Society of the 21st Century.

Tim, I am following you for many years now. And I am so happy to learn that you will devote your talents to web based ID's!!!

No, you don't have to become the next Napoleon, neither be banned to Elba (let's be honest: Vancouver is way better ^-^). But no doubt you've the talents for an other unique contributions to the Internet and with that to the future of men...

[link]

author · Dad
colophon · rights
picture of the day
June 29, 2012
· Technology (90 fragments)
· · Android (64 more)
· · Identity (44 more)

By .

The opinions expressed here
are my own, and no other party
necessarily agrees with them.

A full disclosure of my
professional interests is
on the author page.

I’m on Mastodon!