I agree with that sentiment, and I have tried to contribute in the past, but then again, you have to choose your battles. Making the kind of impact on auth that means I, or anyone else, will not have to deal with rubbish systems in the future is a big task.

It is one thing to write the needed software, it is a much bigger task to convince enough companies that they need a different approach to this problem.

However, what I can offer is that if someone has the backing to actually make a difference in this market, I'll volunteer 50 hours to act as a reviewer and test developer. But that is if your project is backed by someone I believe can make a difference.

FWIW, as a regular user of login.gov, from the outside, it looks like a well-designed system. I am able to add strong forms of 2FA (e.g., security keys or biometric authenticators), it requires strong passwords, etc. It also has decent developer documentation, has a support process, and comes with a vulnerability disclosure form baked into the main website. However, I have not used their API, nor have I seen any of the code (although I wonder if a FOIA request would actually compel them to give it to you).

The first bullet point on the /partners page of login.gov (regarding who should use it) says:

> You are part of a federal agency or a state, local, or territory government

I'm talking about a more generic service that any random industry system or individual can use. The way many websites use Google's OAuth without using really using Google's APIs. Things that just want someone else (Google) to handle asking for and authenticating a name/password.

Americans as a whole are so allergic to government doing anything that we can't even get a national ID system nor a centralized database of gun sales or ownership. The bogeyman of evil Big Government, privacy, and censorship gets invoked. It's fine if the Free Market does it, so Google, Facebook, Amazon, Twitter, Microsoft, et al get a free pass.

> Trusting Google's OAuth not to vanish overnight

Sorry if I wasn't clear. It is not that google will remove the service overnight (although they are infamous for canceling things, but not that bad). The problem is google will lock out users randomly for no reason and no recourse.

If that user was using google login to access your service/tool, you lost that user and there is nothing you can do. You really don't want to gate the access to your product via an unreachable unresponsive third party like google.

Many well-established web frameworks have plugins or components to handle user management out of the box, with sane defaults. Nobody should have to roll them by themselves with each hobby project. You're probably using a similar plugin to integrate with Google anyway.

Ah, but there are third-party services that provide identity verification, such as id.me. And now that there are for-profit entities involved in a government service, you will never be able to convince the government to implement their own solution. It's telling that id.me is headquartered in McLean, Virginia; gotta be in the DC metro area so your lobbyists have easy access to Congress.

I think that is the goal of https://id.me

Would that be https://id.me ?

It's what the IRS uses.