Whether or not it's fair, most people will blame Facebook in a situations like this. Unless they can get security issues under control, they're in for an increasingly rough time ... one more reason I think they're waaaay overvalued at $70B.
there are many things that facebook can and should improve (like enabling https all the time, not as opt in, and not disabling it when you use apps that don't use ssl/tls). that said I'd love if 10% of the web services I use would take security as serious as fb does.
I liked the article, but I'm curious about the title choice. Why prepend it with 'OM:'? Because the domain is shown on the right, do I really need two sources of authenticity?
Anyone with some IT background should be familiar with a single point of failure concept. This is why I personally don't use FB Connect, OpenID, etc. If anything goes wrong with your single global login process, you're in trouble. It doesn't matter whether it was your fault or your provider's.
When I create web products, I don't hesitate that much. If people want it and if it can increase signup conversion, then let's roll with it. But I don't use that as an user. A good password manager is more than enough for quick and convenient logging in.
I'm not sure FB is a single point of failure - Twitter signin seems to be nearly as prevalent. In fact, you could probably do something about identity by leveraging these separate identities into one, so that if you lose one (like Om) you wouldn't be separated from your online identity. (Not to mention you could reclaim the failed point based on your other identity components.)
That's vague, but seriously - a "single" point of failure is a business opportunity waiting to happen.
I also don't think that facebook connect poses a single point of failure. If it becomes one then it is not the fault of the identity provider but the fault of the relying party, so if he only uses services that only offer auth via fb, or he did not connect his accounts with other identity providers then he should not complain right?
Nothing poses a single point of failure unless one uses it that way.
If you add other identity providers then sure, you're less vulnerable - just like if you replicate your database and set up failover. There are many ways to avoid certain SPOFs but possibility to fix doesn't make a SPOF stop being a SPOF. It's all about how you use them.
If you use FB Connect as the only way to sign into some of your accounts then FB Connect becomes a single point of failure for these accounts, period. That's what happened to Om. There might be only 30% of his accounts affected, but for these 30% accounts, FB Connect was a SPOF.
For me it's easier to use old-fashioned login/email+password signup with a password manager like 1Password than signing up with multiple online identities to every new account (who does that anyway and many websites allow you connect only one identity). Classic email+password has a failover by default in its design - if I forget my password I can reset it by email (I need both to forget password and have broken email at the same time to don't be able to login).
Yep. For this exact reason. I trust facebook about as much as I trust any other massive, sinister advertising company.
I am already subject to lockin purely because of the social networking aspect - all my friends use it. Why would I want to lock myself in further voluntarily?
And before anyone points out that google is also a massive sinister advertising company, they have shown their commitment to data portability in a way that I presently find satisfactory. FB go to lengths to prevent data portability.
I've started a dating site, and we're launching solely with FB Connect support, with no plans to support alternatives in the near future. Why? Because the data we get from the social graph makes our product better in many ways without the user having to duplicate efforts. We get their interests, their friends interests, their checkins, etc without the user having to put any of that explicitly into our site.
This allows us to give a vastly better experience to our userbase, while losing effectively nothing -- our demo is non-techy 21-35 singles, meaning 95%+ Facebook users.
Edit: To clarify, I mean that no less than 95% of our demographic is already using Facebook.
I assume you would succeed if your target audience is willing to accept that you will be filtering information that they've given to someone else for reasons other than dating (at least it's better than the "dating site" that scraped Facebook for prospects).
It's possible. I would guess that people would be willing to take this "deal" if they believed that they'd be guaranteed that others also have to take your deal. However, aside from a person's desire to present themselves as they choose rather than as you choose, the problem might that some would create Facebook accounts only for dating and thus control their presentation better than the average person who wouldn't bother. But perhaps your users wouldn't consider such deviousness (and don't tell me you'd filter those people out - the account themselves could perfectly real, just accounts only created for a purpose).
Personally, I wouldn't accept this since I want to control how I'm represented. I don't fully trust Facebook but I might trust them with something things. I don't trust you but I might trust you with some other things. Giving you and those like-you my FB information means that I'd have to suddenly start putting unlimited in both FB and you. Maybe some people are OK with unlimited trust and "openness". I doubt there will be increase in such people over time - I could be wrong.
I love OM, but if he has no web without FB, than he has some serious issues. Maybe it is really time to realize there is a life away from our computers.
Side note: I am glad HN does not have a FB login rule.
From the user perspective, I don't use Facebook Connect because I don't think a third party site should be given access to any of my Facebook information, nor should Facebook know what other sites I visit.
I'd much rather they all stay ignorant of one another.
I neither have a Facebook account nor do I use Google search for more than hard-to-query searches.
I don't need Google Mail, and I do blog elsewhere than my (rottingly neglected) Blogspot account.
I appreciate that the author has tied himself to those services, and how problematic that becomes when a centralized service goes down for a user.
That is - partly - why I do not do that, preferring the somewhat rougher road of managing my own usernames and passwords, ensuring that my services are split across multiple providers and are not subject to the whims, failures, and vagaries of a single company.
23 comments
[ 6.4 ms ] story [ 178 ms ] threadWhen I create web products, I don't hesitate that much. If people want it and if it can increase signup conversion, then let's roll with it. But I don't use that as an user. A good password manager is more than enough for quick and convenient logging in.
That's vague, but seriously - a "single" point of failure is a business opportunity waiting to happen.
If you add other identity providers then sure, you're less vulnerable - just like if you replicate your database and set up failover. There are many ways to avoid certain SPOFs but possibility to fix doesn't make a SPOF stop being a SPOF. It's all about how you use them.
If you use FB Connect as the only way to sign into some of your accounts then FB Connect becomes a single point of failure for these accounts, period. That's what happened to Om. There might be only 30% of his accounts affected, but for these 30% accounts, FB Connect was a SPOF.
For me it's easier to use old-fashioned login/email+password signup with a password manager like 1Password than signing up with multiple online identities to every new account (who does that anyway and many websites allow you connect only one identity). Classic email+password has a failover by default in its design - if I forget my password I can reset it by email (I need both to forget password and have broken email at the same time to don't be able to login).
And the simple answer is don't use it for anything...
I think only junkies for the latest and greatest actually do...
I am already subject to lockin purely because of the social networking aspect - all my friends use it. Why would I want to lock myself in further voluntarily?
And before anyone points out that google is also a massive sinister advertising company, they have shown their commitment to data portability in a way that I presently find satisfactory. FB go to lengths to prevent data portability.
I myself was surprised when I found it.
I can't imagine what service that require FB Connect are thinking...
This allows us to give a vastly better experience to our userbase, while losing effectively nothing -- our demo is non-techy 21-35 singles, meaning 95%+ Facebook users.
Edit: To clarify, I mean that no less than 95% of our demographic is already using Facebook.
It's possible. I would guess that people would be willing to take this "deal" if they believed that they'd be guaranteed that others also have to take your deal. However, aside from a person's desire to present themselves as they choose rather than as you choose, the problem might that some would create Facebook accounts only for dating and thus control their presentation better than the average person who wouldn't bother. But perhaps your users wouldn't consider such deviousness (and don't tell me you'd filter those people out - the account themselves could perfectly real, just accounts only created for a purpose).
Personally, I wouldn't accept this since I want to control how I'm represented. I don't fully trust Facebook but I might trust them with something things. I don't trust you but I might trust you with some other things. Giving you and those like-you my FB information means that I'd have to suddenly start putting unlimited in both FB and you. Maybe some people are OK with unlimited trust and "openness". I doubt there will be increase in such people over time - I could be wrong.
Side note: I am glad HN does not have a FB login rule.
I'd much rather they all stay ignorant of one another.
I don't need Google Mail, and I do blog elsewhere than my (rottingly neglected) Blogspot account.
I appreciate that the author has tied himself to those services, and how problematic that becomes when a centralized service goes down for a user.
That is - partly - why I do not do that, preferring the somewhat rougher road of managing my own usernames and passwords, ensuring that my services are split across multiple providers and are not subject to the whims, failures, and vagaries of a single company.