"hey guys check this out i figured out people will pay anything to avoid dying on the streets haha supply demand number go up. what about if we do food and water next"
Yeah, I attend the FedCM meetings. Firefox has one dev working on it who attends regularly. I have found some posts where the safari team has said "seems like a good idea, we'll consider implementing" but have not seen further action.
Edge supports it, and it should be relatively easy for the other Chromium based browsers.
The Chrome experience is actually part of a new standard, Federated Credential Management (or FedCM for short).
The idea is to create a browser mediated login experience that gives the identity provider and web app what they need without being able to correlate requests across the Internet.
I am working on an article on this topic. If you are interested in learning more, here's a video from a recent auth focused conference (full disclosure: my company put it on and I emceed): https://m.youtube.com/watch?v=FBAD4x7MWdI
They are actively working on the standard and Firefox has committed to it. Edge already supports it. They are looking for identity provider feedback.
I don't speak for Mozilla, but I did see a bug in bugzilla which showed the blocking bugs for FedCM. I don't have the link now, but can share it later. That's what I thought of when I stated Firefox has committed to it. But I could be wrong.
If it's a new standard, it must have… some kind of cross-industry support right? I ask because it looks like https://github.com/w3c-fedid/FedCM/graphs/contributors is mostly people who work at Google (I gave up once I hit people with ten or fewer commits)…
Isn't that the case for half of modern browsers APIs? Google develops whatever it needs for its own products into Chrome and then pushes it to W3C. Other browsers perpetually behind. They've gotten quite good at this strategy.
While most of the contributions I have seen are from Google on the browser side, they are trying to work through the standards process. Here's the first draft of the w3c standard: https://www.w3.org/TR/fedcm/
I know there's a later draft but can't find it right now. Will share when I do.
As mentioned in sibling comments, I have seen at least one Firefox contributor, and they are actively seeking input from identity providers.
As usual, the feature is being railroaded by google and other implementers are given the choice between following Chrome's de-facto choices or not implementing it, and breaking websites that will use it anyway.
My gmail is quite old and well used, and it gets relatively little spam. I go through and aggressively hit the unsubscribe link on everything I don't want to see, and it surprisingly works. I get more spam on my @myname.tld address than my gmail even, and I keep that one quieter.
Almost every site actually does unsubscribe, and those that don't get marked as junk.
And we should also do something about websites that consider you a "customer" when you've only started an order and entered your email but you've never pressed submit to complete the order.
I guess "often" is relative, but this happens to me pretty regularly.
I live in Canada, and it's not always obvious if an American company ships here or not. If the answer isn't trivial to find, I'll do this:
1. Add something to the cart
2. Start the checkout process as a guest
3. Fill in the boxes that pop up during the checkout process
4. Close the tab when I see that the country dropdown only has USA available
On most websites these days, you're asked for your email before your mailing address. And after I abort the checkout, I'll get an annoying "Psst...you forgot something in your cart" email a few hours later even though I never made an account or placed an order with my email.
Stores built with Shopify do this so consistently that I have to assume it's an out-of-the-box feature you need to opt out of.
I don't generally want any site to have anything they can use that associates me with other sites. If 2 sites get the same email for me or the same GAIA id, or the same anything then I won't use the id system. (with obvious exceptions - see below)
This includes "privacy first" companies like Apple and their Apple Pay system where I went to a restaurant in SF. The bill was a QR code that took me to Toast with the option to pay via Apple Pay. The apple prompts told me my email address would be shared and there was no option to say "no" so I bailed out and paid the waiter directly.
Sometimes I need my real name and address for shipping. In those cases that can't be helped. I also have to give my CC card for a purchase. But there are sites I want to sign up for, for which I don't need to give that info. A "one click to sign up" option would be useful if I knew it was giving random data. An example might be medium.com or substack.com. They don't need my real name nor do they need my "real" email. If I was sure this "one click sign up" didn't share a common one I'd consider using it.
Maybe even better, if it was managed similar to subscriptions in iOS where I could trivially revoke any membership at will from a central location, with the understanding that there'd be no recovery since signing up again would get random new data and so no way to associate the new with the old.
I'm curious - how does the standard make "to continue, google.com will share your name, e-mail address and profile picture" compatible with "a modern, privacy-preserving standard for federated identity on the web" ??
I mean, that doesn't sound privacy-preserving at all?
I don't think they are trying to preserve privacy between you and the identity provider you are logging in with and the website you are logging into. (At least not now. There's talk about some of this with IDP delegation, I think. Here's more on that: https://github.com/w3c-fedid/delegation )
The first goal is to prevent data brokers from correlating data about users across the Internet using cookies and redirects. You can read more about the privacy focus here:
It refers to the property of FedCM that means nothing about your account is revealed to the website until you click the "Continue As" button. In other words, alternatives to this that use third-party cookies enable tracking you between websites without any user interaction.
Why would you share your real name with Google when making a gmail account, or use your real picture?
It's fine to be pseudonymous on the Internet if you are in control of your pseudonyms, which Google accounts actually do allow with some extra work (don't mix your Chrome profiles and Google accounts, etc.)
Or, like me, you can roll the dice on real names on the Internet (for professional things mostly)
> Why would you share your real name with Google when making a gmail account, or use your real picture?
Google made a big push in that direction starting in the Google+ era. IIRC at some point my fake names were rejected by Google and I had to change to more plausible fake names.
You can't fault regular people for falling into Big Tech's traps.
https://strategyofsecurity.com/p/the-case-for-and-against-pa...
From the article:
> If Palo Alto Networks was going to do identity, they had to do it big.
> Commercially, there was no way they were going to build a successful identity business if they had just picked up a bunch of small companies and tried to put them together. They needed to bootstrap their entry into the market, so a scaled acquisition made sense.
> The identity market is at a completely different level of maturity compared to the situation when Palo Alto Networks built its cloud security business by stitching together smaller companies. That approach worked because the cloud security market was still forming. There essentially was no market leader to acquire.
> Identity has been through multiple generations of market leaders (Sun, IBM, CA, Oracle, and others). The market has already gone through multiple phases of disruption and M&A. For the most part, we've seen it all.
> Currently, we've landed with a handful of specialist identity players — some public, some owned by private equity firms. You know them: CyberArk, Okta, SailPoint, and Ping Identity. And then there's Microsoft. We'll get to that.
> Palo Alto Networks had zero chance of competing with those four companies (plus Microsoft and the other incumbents who still hold material market share) by building, buying, and partnering their way to a coherent identity offering.
> If there was one market where a massive deal had to be done, identity had to be it.
My read of that is basically they are buying a fast growing, big player in workforce identity that they can integrate in with their next generation security platform.