Tuesday, June 22, 2010

The third-party authentication dilemma: does Facebook pwn my site?

I've argued for some time that it is crazy for most websites to have their own authentication (username/password) system these days.
  • We the users have no patience for yet another registration process, validation email flow, and password to remember

  • Security is too easy to get wrong, unless you truly have security professionals on staff

  • Designing sites with a registration process, issuing credentials, etc. is a legacy holdover from the days when we had no choice. OpenID and (in particular) OAuth have long since changed the game.

And the shift is well underway. More sites these days are offering the ability to authenticate using twitter, facebook, google or other credentials. Janrain chief executive Brian Kissel has said that
"...publishers are jumping on-board as they realize it's valuable to know who their readers are and that it's much easier to convince them to sign in with an existing account than to create a new one."

Perhaps, like many sites, you integrated with Facebook Connect to let users sign into your site with their Facebook account. Which all sounds great, until you wake up one day and are caught off guard by two bits of news:

Jason Calacanis was one of the high-profile Facebook quitters who got "caught" sneaking back in. He explained the reason on a This Week in Startups episode: to (temporarily) regain control over all the third-party applications he'd forgotten were using his Facebook account for authentication.

Suddenly, you are feeling the downside of depending on a third-party authentication service:
  • The amount of engineering required to "keep up" with the evolving identity management space is unpredictable, since someone else is calling the shots

  • Your site and brand are totally exposed to a user backlash over something that you have no control over and that has nothing to do with you


So is there a better way?

If your site is directly linked to the third-party service (e.g. a tool for twitter, or a Facebook application) then the answer is no, and the question doesn't even make sense.

But for most cases, we are basically outsourcing the identity management and authentication, and want to avoid getting caught down a blind alley.

Pure OpenID is one approach: it is not controlled by any single vendor, and there are capabilities such as delegation which allow users to pick and choose their provider. The unfortunate fact is that OpenID is far from mainstream, and will likely remain a mystery for most users (even if it is hard at work under the covers of their Google or Yahoo! sign-in).
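To make the delegation point concrete, here is an added example (not code from this post or from any OpenID library) of the relying-party side of it: a user claims an identifier they control, such as a personal page, and that page carries <link> tags naming the provider that currently vouches for them. The relying party reads those tags (OpenID's HTML-based discovery, using the rel values openid2.provider / openid2.local_id and the older openid.server / openid.delegate), so the user can move to a different provider by editing one line of their own page. The sample page, hostnames and the function name are constructed for this example.

```ruby
# Added example, not from the post: relying-party discovery of OpenID
# delegation from a user's own page. The sample page and hostnames are
# constructed; the rel values are the ones the OpenID 1.x/2.0 specs use.

require 'uri'

# Scans <link> tags, tolerating either attribute order and either quote
# style, and returns the delegation targets found. Returns nil when the page
# declares no usable provider endpoint.
def discover_openid_delegation(html)
  result = {}
  html.scan(/<link\b[^>]*>/i) do |tag|
    pairs = tag.scan(/([\w.:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/)
    attrs = pairs.map { |k, dq, sq| [k.downcase, dq || sq] }.to_h
    next unless attrs['rel'] && attrs['href']
    attrs['rel'].downcase.split.each do |rel|
      case rel
      when 'openid2.provider' then result[:provider]    = attrs['href']
      when 'openid2.local_id' then result[:local_id]    = attrs['href']
      when 'openid.server'    then result[:v1_server]   = attrs['href']
      when 'openid.delegate'  then result[:v1_delegate] = attrs['href']
      end
    end
  end

  endpoint = result[:provider] || result[:v1_server]
  return nil unless endpoint
  uri = (URI.parse(endpoint) rescue nil)
  # Only ever redirect the user to an absolute http(s) endpoint; a tag
  # pointing anywhere else is treated as "no delegation declared".
  return nil unless uri.is_a?(URI::HTTP)
  result
end

# Constructed user page: one identifier, with both the 2.0 and 1.x tag forms.
SAMPLE_PAGE = <<~HTML
  <html><head>
    <title>Alice's home page</title>
    <link href="https://openid.example-provider.test/server" rel="openid2.provider">
    <link rel="openid2.local_id" href="https://openid.example-provider.test/alice">
    <link rel='openid.server' href='https://openid.example-provider.test/server'>
    <link rel='openid.delegate' href='https://openid.example-provider.test/alice'>
    <link rel="stylesheet" href="/style.css">
  </head><body>Hello</body></html>
HTML

puts discover_openid_delegation(SAMPLE_PAGE).inspect if __FILE__ == $PROGRAM_NAME
```

The scheme check at the end is the part worth keeping even if you replace the regex with a real HTML parser: the tags come from a page the user (or whoever last edited it) controls, and the relying party is about to send the browser wherever they point.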

Personally, I think the best approach is to disentangle ourselves from directly dealing with identity providers. By outsourcing the identity management and authentication process to an intermediary that aggregates the services of many identity providers we get a nice compromise:

  • Someone else to take on the burden of securing the system and keeping up to date with the improvements made by the various identity providers

  • We get to offer the convenience to our users of signing in with a wide range of identity providers

  • And I am making my site directly dependent on only one service provider, and one that specializes in identity rather than other business interests that might bring us into conflict

The best solution I have found so far is Janrain Engage (formerly RPX). I've used this on a number of sites (e.g. CloudJetty - my directory of cloud/SaaS applications), and released a gem (authlogic_rpx) for easily using the service with Ruby on Rails.
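What the "disentangling" looks like in the site's own code, as an added example that is not from this post or from the authlogic_rpx gem: the site keeps its own User records and links each one to any number of external identities keyed by (provider, identifier). The aggregator only ever hands back a normalized profile; the shape used here (identifier, providerName, email, verifiedEmail, displayName) and the IdentityBroker class are assumptions for the example, as are the sample profiles. The part worth copying is the account-linking rule: an identity is auto-linked to an existing local account only when the provider has actually verified the email address; an unverified match is never proof, because otherwise anyone who can register your email address at a lax provider can sign in as you.

```ruby
# Added example (not from the post or the authlogic_rpx gem): a site-side
# identity layer behind an aggregator such as Janrain Engage. The profile
# field names below are an assumed normalized shape; adapt them to whatever
# your intermediary actually returns. Sample profiles are constructed.

require 'securerandom'

User = Struct.new(:id, :email, :display_name)
ExternalIdentity = Struct.new(:provider, :identifier, :user_id)

class IdentityBroker
  attr_reader :users, :identities

  def initialize
    @users = {}        # user id => User
    @identities = {}   # [provider, identifier] => ExternalIdentity
  end

  # Resolve an aggregator profile to a local user. Returns [status, user]:
  #   :existing   -> this identity is already linked
  #   :linked     -> linked to an existing account via a provider-verified email
  #   :unverified -> email matches a local account but the provider did not
  #                  verify it; do not auto-link (account-takeover risk)
  #   :created    -> brand new local account
  def sign_in(profile)
    key = identity_key(profile)
    if (link = @identities[key])
      return [:existing, @users.fetch(link.user_id)]
    end

    verified = normalize_email(profile['verifiedEmail'])
    claimed  = normalize_email(profile['email'])

    if verified && (user = find_by_email(verified))
      link_identity(key, user)
      return [:linked, user]
    end

    # Unverified match: only a hint for an out-of-band confirmation flow.
    return [:unverified, nil] if claimed && find_by_email(claimed)

    user = create_user(verified || claimed, profile['displayName'])
    link_identity(key, user)
    [:created, user]
  end

  # Dropping a provider never deletes the local account: the user keeps
  # their data even if that provider disappears or they boycott it.
  def unlink(provider, identifier)
    @identities.delete([provider, identifier])
  end

  def providers_for(user)
    @identities.values.select { |l| l.user_id == user.id }.map(&:provider).sort
  end

  private

  def identity_key(profile)
    identifier = profile.fetch('identifier').to_s.strip
    raise ArgumentError, 'empty identifier' if identifier.empty?
    [profile.fetch('providerName'), identifier]
  end

  def normalize_email(email)
    return nil if email.nil? || email.strip.empty?
    email.strip.downcase
  end

  def find_by_email(email)
    @users.values.find { |u| u.email == email }
  end

  def create_user(email, display_name)
    user = User.new(SecureRandom.uuid, email, display_name)
    @users[user.id] = user
    user
  end

  def link_identity(key, user)
    @identities[key] = ExternalIdentity.new(key[0], key[1], user.id)
  end
end

# Constructed sample profiles in the assumed normalized shape.
FACEBOOK_ALICE = { 'providerName' => 'Facebook', 'displayName' => 'Alice',
                   'identifier' => 'https://www.facebook.com/profile.php?id=1001',
                   'verifiedEmail' => 'alice@example.com' }
TWITTER_ALICE  = { 'providerName' => 'Twitter', 'displayName' => 'alice',
                   'identifier' => 'https://twitter.com/alice_example',
                   'email' => 'alice@example.com' }          # not verified
GOOGLE_ALICE   = { 'providerName' => 'Google', 'displayName' => 'Alice',
                   'identifier' => 'https://www.google.com/accounts/o8/id?id=xyz',
                   'verifiedEmail' => 'Alice@Example.com' }  # verified, odd case

def demo
  broker = IdentityBroker.new
  s1, alice = broker.sign_in(FACEBOOK_ALICE)   # :created
  s2, _     = broker.sign_in(TWITTER_ALICE)    # :unverified
  s3, same  = broker.sign_in(GOOGLE_ALICE)     # :linked
  s4, again = broker.sign_in(FACEBOOK_ALICE)   # :existing
  broker.unlink('Facebook', FACEBOOK_ALICE['identifier'])
  [s1, s2, s3, s4, alice.id == same.id, same.id == again.id, broker.providers_for(alice)]
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Because the link table is keyed by provider and identifier rather than by anything aggregator-specific, swapping the intermediary later (or talking to one provider directly) only changes the code that produces the profile hash; the user accounts and their links survive.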


If you are concerned about your website getting locked in to a particular authentication provider (whether it is Facebook, twitter or anything else) then I would certainly recommend you check out Janrain Engage.

Now I realise this may come across as an unabashed plug for Janrain, but the truth of the matter is that (a) it works, and (b) I haven't really been able to find any fully baked alternatives. If you do know of other similar services or ways of approaching this problem I'd be really interested to hear about them.

Blogarhythm for this post: IDentity - 玉置成実 Tamaki Nami
The light will shine on me allowing me to make progress and start on the road to my identity

2 comments:

Ragavan S said...

Hi there,

Interesting post that does a good job of addressing a key developer issue.

We've been thinking about this problem a bit here at Mozilla with our Account Manager project.
We'd love to get your feedback on Account Manager and the spec we are proposing for web developers to help support this feature.

Cheers,
Ragavan

Paul said...

Thanks, Ragavan. I will definitely check this out. The possibility of browser or OS integrated authentication is certainly an interesting angle (I am thinking also of the plans around Chrome OS).