Facebook Connect / Single Sign On platforms

A short note:

I was talking with someone earlier who was excited about the prospect of using their Facebook account to sign on to “all of their favorite web-sites, e-mail, banks …”  This is certainly the direction that Facebook would like you to go.

To borrow a line from the recent Battlestar Galactica TV series: “This has all happened before, and it will all happen again.”

Indeed, this has all happened before.  We’ve seen Microsoft Passport try (and fail) to provide this very same solution.  Back then, it was lack of trust in “big bad Microsoft” that caused Passport to fail as a Single-Sign-On (SSO) platform.

After Passport, we saw OpenID take hold.  While not as widely criticized as Passport, OpenID has also failed to gather a significant enough following to make it a “success”.  The reasons for this lack of success are many, but it is partly due to its complexity, both in implementation by web developers and in use by end users.

So, let’s come to the present.  Let’s say Facebook, Google or some other organization comes up with an SSO solution that’s simple and trusted.  I will still not use it, and I would not recommend that you do either.

Why not?  Easy: It is a huge single point of failure!

Let’s take the least likely case first:  Assume that the SSO provider has a catastrophic system failure and can’t authenticate you.  You would be locked out of every single web-site that you use that ID for.  When you have separate IDs and separate log-ons, your interruption is minimal, and limited to one or two systems.  When all of your systems rely on one authentication, and that authentication goes down, you lose access to all of them at once.

The next single point of failure scenario is one that worries me much more:  What happens when your password is compromised?  This could happen today, and when it does you’ve been compromised on the one web-site that you had that password for.  (Unless you were foolish enough to use the same password on every web-site!)  With an SSO solution, you now have lost control of EVERY web-site you use.  Imagine if your bank accounts, e-mail accounts, utility company accounts, and everything used the same SSO for authentication?  You are beginning to see the problem.

Kudos to these companies for their effort to be inventive, but to me, rushing into SSO is foolhardy at best, and downright dangerous at worst.


4 Comments on “Facebook Connect / Single Sign On platforms”

  1. Danny Says:

    “Interesting first point, however I disagree mildly, with Facebook’s implementation of Facebook Connect, it allows you to tie your website’s login to facebook, not just use facebook as the authentication method. For instance tv.com, imdb.com, tripit.com, woot.com all allow you to tie it in. You still have your individual login, yet facebook (and google’s implementation) simply relate your existing login so that if you are logged into facebook already (or google) you can pass authentication.

    The real argument I think should be your second point that once you do this, and even in order to do this, you have to allow that SSO vendor access to that account.

    All someone would need to do is hijack your facebook account, and suddenly they have access to all the available websites you’ve given Facebook Connect permission to authenticate you… a list of which can easily be obtained from within your facebook page under your account settings.

    “Hey, since you’ve gotten into my facebook page, here’s a handy dandy list of all the other pages you now have easy access to as me…”

    To add to the point though, to me THAT IS SCARY AS SH!$. To allow a single vendor the ability to track what websites you log into, to allow a third party to be able to authenticate you.. even without the hacker aspect, you are turning over a lot of power to a corporate entity about yourself and your privacy. I’d rather get groped by the TSA.

    That is the more compelling argument for not using it in my eyes.”

    —-

    Damn, I hit post before I finished editing my comment. I was going to tie it in to your second point since it addresses it directly…. but now I’m lazy, so just assume I tied it all together nice and neat like.

  3. David Says:

    I absolutely agree about password security. When any service allows me to register using a unique name and password, I opt for that rather than logging in via another service.

    As for OpenID – how many are there! .net .com .dot?
