That "XML" sucks thing is why we don't have single-sign on (YuBiKey is doing a great job getting half way there though). We keep on reinventing the wheel re: authorization & authentication despite the fact that there are well-defined, cryptographicly secure[0]. SAML2[1] has been standardized, implemented, operates in a similar fashion to SMTP/Kerberos (i.e., your identity is established (i.e. authentication) purely through a trusted-source), after which you can proceed.
* This eliminates the whole issue for users (I don't want to have to remember 40 million passwords, and I don't want to rely on Google as my SSO).
* It helps the developer because all he has to do is implement one protocol (rather than make 8 different accounts to register passport.js with).
* It helps the tin-foil hatters like me, because I can revoke access from any source at any time & if my account gets compromised I call my buddy Bill hosting the IDP and invalidate my credentials.
It's SMTP mail back in the late 90s when your buddy ran his own server as your primary MX, and his buddy as a secondary MX (i.e., you host an IdP similarly to hosting a mail server).
I've been working on this problem on and off for about 10 months, the last 4 of which have been fairly rigorous. I've got a solution for the "buddy" willing to host the IdP. https://github.com/bergie/passport-saml is a low friction add-on to your node app for the developers. The last piece of the puzzle is dev adoption (i.e., getting traction on par with LetsEncrypt) to actually spend 5 minutes for that passport-saml stuff.
The other issue is developing an easy solution (easier than SSO with Google) done by mobile App authentication. User-flow is basically: you click "Login with <name>", the IdP forwards the message to your mobile via APN, and you swipe left or right to auth. That's the last technical barrier (user adoption is 80% of the problem). I need to take ~3 mo off and pony up high-five, low-sixes in fees re: getting a great UX guy (I'm abysmal [[if you're great at UX, contact me]]), lawyers, liability insurance, a security firm to audit, etc (there's already a monetization model for this venture, though the whole thing will be GNU AGPL[3] / free for universities / research institutions, etc.)
[0] Like, in the formal mathematically proven sense, both in concept, and implementation (though which one slips my mind).
[1] http://wso2.com/library/articles/2010/07/saml2-web-browser-b...
[2] Encryption is basically a subset of privacy, which I think we have a constitutional right to, though other people object.
[3] The whole point is to do this first as a human good, but profiteer off expensive licenses a la Exchange modules, et al. I don't really want to shop around Sandy Hill but if any of you successful Angels (who are historically privacy advocates, I'd give Karsten Nohl or DJB (or hell, PG if you're reading this message haha, 30% and 2 seats in a second, but Larry Ellison could offer 3MM for .1% and that meeting would conclude rapidly) are interested, e-mail me me -- we'd be able to go to market a lot quicker with 2 or 3 FTE's. I'm going to complete this anyways, but we're fighting cryptowars again so there might be a rush.
