Will Facebook Become the Net's SSO?

lordDallan writes "Simson Garfinkel at MIT Technology Review muses on the idea of your Facebook account becoming an 'Internet Driver's License', ruminating on the idea of an individual's Facebook login becoming their single sign on for the web. I say NO THANKS!!"

If FB does become the SSO, at least do it right...

[mlts]

If FB becomes the Net's SSO, it better have the following features, or else people are betting their privacy and reputation on something quite unproven:

1: Ability to have two factor authentication. OpenID isn't perfect, but one can use a VASCO token with it. The cream of the crop would be SecurID tokens. Of course, using SMS or apps on Android/iOS/BlackberryOS/etc. would be useful too.

2: If a site asks for authentication via FB, a way to ensure that the login page is genuine. PayPal is good at this. I worry about people getting spoofed by a SSL page with a FB login that isn't really from FB proper.

3: Better password recovery in case tokens get lost/stolen. At the minimum, better questions than "what is your dog's name?" Of course, the answers to these are stored as mentioned in #4 here.

4: Solid password storage. Crypto 101 here: You never store a password. Ideally, you never store a result value. What you store is some known text encrypted with the password hash (hashed a number of times to slow down brute forcing). TrueCrypt's password mechanism is the best out there.

5: A third party vetting this security mechanism. This doesn't need to be FIPS compliant (it should be though), but at least have some validation from an independent source that the authentication is done right, the data center is secure, etc.

6: SSL with all contact throughout the authentication process. This is a basic thing, but for performance reasons, sites don't like using SSL unless forced to.

7: Ideally, posting the SSL keys on some other source, so one can tell if a CA is spoofing the cert or not.

8: It's corny, but consider a unique login picture per user that is used at some sites, Yahoo being the most widely used. This way, when you enter your username, if you don't get the picture, you likely got phished.

9: Store passwords of unlimited length. I've seen too many sites which ignore any characters after the eighth one.

10: Have the ability to turn off third party logins either temporarily or permanently. For example, if one is going on vacation with no Internet connections, the ability to disable SSO logins until they come back is a solid security measure.

Facebook Soaks Up More Free Publicity!

[Anonymous Coward]

Getting tired of facebook and the attention whores who live there. Now they want it to be an SSO. Hey let's put all our eggs into a single basket, make everything depend on this single site that we don't actually control that can delete our accounts or pull its content anytime they want. Oooh ooh, and you surrender all control of anything you upload to it as a bonus which you'd know if you actually read its ToS/privacy policies! What could possibly go wrong if we used this as our SSO? Not a damn thing that's what. Proceed. Carry on. When it blows up in your face or an outage proves to you why over-reliance on a single site is a Bad Idea(tm) you'll understand why the rest of us didn't want to.

There's nothing novel or technically interesting about Facebook. It is not the be-all and end-all of useful tools. It's a way to build a vanity page for people who are too lazy to learn HTML. The appeal to lazy stupid people who hate learning something new is the only reason it became known to the mainstream popular media. That's all it is and ever was. End of fascination. Can we stop trying to find uses for it that have nothing whatsoever to do with its intended purpose? I mean hammers make wonderful paperweights but they're a lot more useful for driving nails.

Driver's License Photos

[BJ_Covert_Action]

Hehe, and we will look fondly back on the days when we thought having an embarrassing DMV picture on your driver's license was a problem.

I don't know if we could honestly implement this in any serious way. I know that 90% of what I post to Facebook is little more than crap, lies, and flamebait to prank my friends on the internet. There's nothing like watching one of your good buddies get all worked up over a Youtube video that doesn't really mean anything. Most of my FB contacts are aware of the nature of my profile, and, therefore, take my senseless BS tongue in cheek so it works out okay. If that profile starts being used as some sort of license (to do what exactly, access internet content?) then that license is going to be issued to a person that is fundamentally different in all dealings, social or otherwise, than the person that I am face to face, or, hell for that matter, different than even my Slashdot user account.

One of my coworkers likes to say that the thing people tend to forget is that the internet isn't real. I would say that goes doubly so for user made pages like Facebook, where you can post whatever you want after a healthy dose of Photoshop, trolled Wikipedia references, and sketchy video editing techniques.

Re:If FB does become the SSO, at least do it right

[Intrepid imaginaut]

If FB becomes the Net's SSO, it better have the following features, or else people are betting their privacy and reputation on something quite unproven

So we can pretty much assume that people will sign up for this by the million...

OT (your sig)

[mcgrew]

Web 1.0 didn't sell much of anything; it was OUR web. Web 2.0 is when the corporations took over.

Facebook?! Really?!

[TaoPhoenix]

"...whether the Internet needs an "identity layer"—a uniform protocol for authenticating users' identities..."

Supplied by a top-5 candidate for privacy destruction? So we've had big computing companies battling it out to be the Web Gatekeeper, and they want to go "C-Other-Give it to Facebook" ?!

Simson is no expert

[Anonymous Coward]

I am posting anonymously because he knows me and I know him

Simson is brilliant and understands technology well, but he is one of those people for whom you "have to hold the bus" as another article puts it.

He tends to get too excited about technology and he misses many of the human factor issues.

For example here he gets all excited about using Facebook as a form of identification, but then he points out that Facebook is very quick to revoke your account. What good is identification if it can be revoked? If it really is "identification" then everyone needs to have it. Hey Simpson, did you forget about that?

Yeah, right.

[Jawnn]

The entire user-base of the Internet actually includes a significant number of people with clue. They are not going to go for this. So, a SSO for the clueless? Maybe, but nothing approaching the "driver's license" bar for credibility.

As a web application developer...

[Xugumad]

HELL NO

NO.

No, no, no, no, no, NOOOOOOO NO.

NO!!!!

I'd argue against this, but it's just such a giant pile of fail I don't know where to start.

How about this; like hell am I handing Facebook access to every other account I own.

Did I mention... NO?

Re:If FB does become the SSO, at least do it right

[golden age villain]

Why the hell would you give a privately owned company, based in a single country, the right to hold Internet users' single login "license"? Why? Even with the all those features you require.

Microsoft already tried that

[StillNeedMoreCoffee]

Did't Microsoft already try this idea, but the other social networking sites have just left them in the dust. This is almost like Microsoft's VM's . When I heard of that I said, yeh we call that time sharing and we had it in the early 70's with Mini Computers. Now that micro processors grew into that power footprint, they re-discovered an old technology. History does repeat itself in a never ending spiral. One hopes not a death one.

Mark of the Beast! Mark of the Beast!

[Caerdwyn]

This would be a very bad thing, for so many reasons.

• One-stop shopping for identity thieves
• Ubiquitous Facebook tracking bugs associated with login objects which would more-or-less require that browsers accept third-party cookies. You thought Doubleclick was bad? Try putting them INSIDE your login sessions.
• Zuckerberg holds privacy in contempt. He's said so, many times.
• Facebook has repeated violated its own privacy policy, and will do so again. Your privacy is guaranteed to be broken with Facebook.
• Facebook has a poor security record. See previous reference to identity theft.
• Facebook has made it as difficult as possible to get out. Leaving Scientology is easier.
• Facebook, as a for-profit company,is incentivized to pimp out your profile to anyone, for any reason, as long as there's a dollar to be made. If their balance sheet starts to look bad, all principles (such few as they already have) will go out the window.

I created a FaceBook account just to prevent others from doing so with my name, with no intention of using it. I never posted a thing, never "friended" anyone, never engaged in any activity whatsoever. Yet all of a sudden when I visit unrelated sites, I'm being greeted by the Facebook account name in various banners, etc. through Facebook's tracking. Deleting the account was a nightmare. I've had to use AdBlock and other anti-spyware software to block *.facebook.com, and I'm sure that even that is insufficient. Facebook has a profile on me, and you just and simply cannot opt out.

In absolute seriousness. I'd sooner trust Ballmer or Ellison than Zuckerberg, and I'd rather not have to trust any of them.

Re:If FB does become the SSO, at least do it right

[rolfwind]

It won't become the internet's SSO, simply because it requires way too many companies to willingly put way too much power into the hands of a partner that probably does not have their interests at heart. Microsoft already tried a passport years back.

At best, it will become a secondary feature on some websites, but not a required one.

I don't even trust OpenID, much less Facebook. Plus, I'm not going to let a host of important accounts be compromised by a single sign in -- it would be fine for forums and the like, but not anything of even moderate importance.

Re:If FB does become the SSO, at least do it right

[mlts]

Personally, I'd never want one entity to have the keys to the kingdom. Not MS with Passport/.NET, not FB, not OpenID, nobody. I'd rather use passwords that can be memorized, a password list stored on my smartphone, or passwords stored in Firefox. I rather pack my own parachute than have not just my ID from FB connected with tons of sites, but possibly my password.

However, if people want a SSO, with their eggs in one basket, lets at least have the basket made from something stronger than crepe paper strips and a generic white glue.

This is already happening where sites depend on another for authentication. If you want Cydia to recognize you and allow you access to purchased apps, you have to authenticate from Google or FB. Someone hacks the account that the Cydia stuff depends on, they can lock a person out of hundreds of dollars of purchased items, or even possibly rack up significant charges if an Amazon login is tied in with that.

Ideally, if a website is constructed from scratch for others to use it as a SSO, it should have not just top notch security (goot luck with this, as most PHBs view security as having no ROI), as well as allow for multiple personas with no way that subscriber sites, either by ad cookies, Flash shared objects or other means can tie the personas together. If a site can't offer this, they at least need to be able to deal with multiple users from the same person.

Re:If FB does become the SSO, at least do it right

[Lando]

Especially considering that FB is one of the most unethical companies out there.

Facebook is ready to fall

[dkleinsc]

Seriously.

It's in the final stages of a social networking site: where the investors, including some big outside investment firms, try to "monetize" the user base by pulling out all the stops with ads, apps, and selling people's personal information. All that needs to happen is some plucky college kid making his own social networking site, just for his friends on campus, as a way to stay away from all the sillyness of Facebook, and Facebook will collapse within a couple of years. Just like MySpace did.

No thanks? Not forceful enough.

[Chas]

How about "My Ass!"

Or "What's dumbshit for "HELL FUCKING NO" you asshole?"

Or "What kinda goddamn drugs are YOU on?"

Seriously. What sort of intellectual cripple actually thinks (and I use the term forgivingly) using a known privacy offender and security whipping boy like Facebook as a single-sign-on?

Fuck Single Sign-On. It's single point of failure.

Problem with OpenID

[DragonWriter]

It's called OpenID, http://www.openid.net./ [www.openid.net] [www.openid.net] move along, nothing to see here.

The problem with OpenID is that, while lots of big sites will let you use your account with that site as an OpenID (acting as OpenID providers), fewer actually accept foreign OpenID for logon.

Everyone wants their accounts to be the web's single-sign-on, but almost no one big wants to accept sign-ons from elsewhere.

Re:If FB does become the SSO, at least do it right

[CasperIV]

It isn't even the privately owned part that concerns me the most, it's the consolidation of power. Many of the most corrupt organizations and corporations on earth are government entities, so government control wouldn't alleviate the issue either. Corruption happens as soon as person is involved and has the ability/power to abuse their position. The only way to minimize it's damage is to diversify authority, a single point of authentication is a single point of failure and abuse.

Re:If FB does become the SSO, at least do it right

[Maxo-Texas]

If multiple people use the same computer- it gets worse.

There is another level where it *requires* that you give it a unique phone mobile number and locks your account until you do. If you put in a number, it sends you a text with an unlocking code.

Fortunately, you can simply create a new account (but good bye farmville, citiville, etc. anything you spent time on to get progress) and point all your friends to your new account. the old account can still be seen but you can't log into it without giving your mobile phone number.

Facebook is so untrustworthy with my personal information and privacy that there is NO WAY IN HELL that I want it to be my SSO provider.

I don't even like the concept of SSO because if ANYONE breaks it, you would be massively screwed all over the place. i want a private signon at my bank, my medical pill companies, my pharmacy, my car company, etc.

Re:Simson is no expert

[PCM2]

Actually, it seems to me that Garfinkel is conflating identification with authentication, when the two are not the same thing.

As other people have mentioned in this very same thread, it can be very difficult to tell anything about someone based on their Facebook profile. The classic example (with any kind of online forum) is a man masquerading as a woman, to mess with people or for whatever reason. If you can do that -- if it's really easy to do that -- then what you have is not a form of identification. It is a form of authentication -- it gets you logged onto the forum, but it doesn't really say anything about who you really are.

A driver's license is a form of identification. The government makes you show up, in person, get your photo taken, maybe give them your thumbprint (that's two forms of biometrics, right there), maybe link the database with your Social Security number -- whatever the state has decided is necessary. It's a whole lot different than signing up for a Facebook profile.

Where Garfinkel is getting confused is that while you do use a driver's license as a form of authentication, that's a separate thing from how you use it as a form of identification. When you show your driver's license to the guy at the door of a bar, the guy doesn't care who you are so long as the license looks valid and it says you're over 21. He's counting on the fact that the government issued you the ID -- the trust component -- to establish that you're of legal drinking age; nothing more. When you're stopped by the police, on the other hand, you absolutely are using that license as a form of identification, because the police will radio it in to make sure you really are who you say you are, and to find out some other things about you, as well.

Facebook, as it exists today, has an opportunity to provide the authentication feature, but not the identification feature. As such, if your Facebook "ID" is revoked, it doesn't really matter. It's not like getting your passport taken away; you just lose the ability to do that form of authentication. Because nobody wants your use of their site to be governed by Facebook, every site will offer an alternative way to authenticate (username and password, or whatever). If SSO via Facebook seems to be convenient for people, they will offer that, too.