I published Why Federate? last week, arguing that apps should get out of the password business. Ouch! I got ferocious pushback in my comments, on Twitter, and on the accompanying G+ post. Take a minute and read a few. Clearly we need to have a conversation.
So nobody likes federation? · It’s not that bad. First, my readership is impossibly geeky, way out on the edge of all the curves. Second, there’s a big difference between talking to app builders and app users. Third, even given all that, I got twice as many +1’s as negative comments.
But I’m not going to pretend I wasn’t surprised; among other things, I hardly ever hear this flavor of response face-to-face.
The conversation · A few nay-sayers are in tinfoil-hat territory (“OOH EVIL COARPORATIONZ”) but I think most of the issues people raised are substantial. Having said that, I still think federated identity is a good idea.
So I’ll take up the issues one by one and give each the space it deserves. In the rest of this piece I try to summarize them, with two goals: First, this is going to be a series of follow-on pieces, and it’ll need a table of contents. Second, have I got all the big ones? Please comment or email or whatever if there’s something I’ve missed.
OK, here we go. [Note: I’m going to be quoting a few commenters; in most cases I’ve done some editing for style and punctuation and so on.]
“I’m not sure what’s happening” · Quoting from commenter Pedro Oblamar (not his real name): “When I see a ‘sign in with Facebook’, ‘Sign in with Google’ button I never click on it, even if I have accounts with those sites. I am never sure what the implications of signing in through a third party are: will this website show up on my Facebook ‘profile’? Will my presence on this website link to my Facebook account?”
For a deep-dive on this, with really a lot of detail, see FC1: Who Learns What? Then there’s the whole notion of “social sign-in”, which produces strong emotional reactions; I’ve tried to cover that territory in FC9: Social Sign-in.
“I don’t like being tracked” · Commenter Chris Carter: “When you use a 3rd party IDP like that you are giving them information about the behavior of your users – which they are free to sell to anyone, even your competitors.” Commenter Martin is punchier: “FB and Google track the hell out of you.”
Well yeah, and the spooks track more, and real actual criminals try too. Check out FC3: Who’s Watching? which tries to cover the big picture of who’s tracking you, what they can see, and what you can do about it. There are things that worry me a whole lot more than commercial tracking, but it’s not insane to worry about.
“I don’t like you” · Some people just don’t like certain Big Internet Companies. Commenter Dewald Reynecke: “I don’t trust Facebook/Google as far as I can throw them – I simply do not want to outsource my identity to an advertising company.”
Fair enough, and trust has to be earned. I think the question of who individual people (and IDPs, and RPs) ought to trust is tricky but tractable; FC8: On Trust proposes a couple of checklists to help think about these things.
I’m unconvinced that being in the ad business is an instant ticket to distrust, but people are going to make up their own minds about that.
“I don’t like spooks” · Commenter Gavin B: “Federate using FB, G+, Tw? Guess what, they all bow to the USA/NSA.” Commenter brejoc: “Right after Prism and Tempora this is a very bold statement.” Commenter Daniel Serodio: “The NSA has made your job much more difficult.”
Well, I don’t like them either. In FC3: Who’s Watching? there are lots of details about not just the spooks but everyone who’s watching you; what they can see, and so on.
One of the key points there is that, while big Internet companies are prime targets for snoopy public servants, we’re also pretty well lawyered-up, compared to the vast majority of sites and apps up there. So the trade-off isn’t simple.
“I like Persona” · Lots of people said that Mozilla Persona would be a better basis for federated identity than the OAuth2-based OpenID Connect.
Having taken the time to do a partial (but I’ll finish it) integration with Persona, I was left impressed, but with open issues percolating in my mind; see FC4: Persona Questions.
“I forget which provider” · Commenter Jashan: “Users tend to forget which of the gazillion available services they have registered at your site with. And then they’re too lazy to try all the possibilities. And then they’re gone.”
This one is tough; we can all agree that we want to minimize the cognitive load on anyone trying to get signed in to our software, but it’s not obvious how best to achieve this. Putting up an unstylish “NASCAR page” full of IDP badges may be less friendly than asking people to just remember their account details; but maybe not. Fortunately, work is in progress on some good alternatives; see FC6: Who Are You?
“I like password managers” · I mean something like KeePass or LastPass or 1Password. Commenter NH: “I use a password manager to auto generate random passwords and save them, which, while being a bit less handy, makes me feel better at least, knowing that there isn't one single site/password that, upon being compromised, gains you access to everything.” [Disclosure: I use 1Password myself.]
To which I say “Yes! Please start using a manager”. But there’s more to it than that; FC5: Manage Those Passwords! surveys the landscape. At the end of the day, I don’t think these things (good though they are) really weaken the case for Federation.
“You’re a big target for the bad guys” · From commenter Daniel: “What if Google/Facebook/etc. get hacked? Then the bad guy has all the login info for every site I used them to login to.”
For a deep dive on this issue (and the next one) see FC2: Single Point of Failure?
“You’re a single point of blockage” · Nik Clayton on G+: “And what happens when FB, G, or others decide to close the account you’re using... Now you’ve lost access to a lot more than your G+ feed.”
For a deep dive on this issue (and the previous one) see FC2: Single Point of Failure?
“I’m a user not an operator” · Gary Royal on G+: “Federated login has a clear benefit to the service provider (access to disaggregated user data, particularly that user’s social contacts), but only an ostensible benefit to end users (freedom from having to remember yet another password), so on that level it’s purely a swindle...”
If Gary’s right, this conversation is a waste of time, because it’s just not reasonable to ask for something in exchange for nothing. FC7: Users vs Apps digs into these issues and tries to figure out what value is exchanged and who comes out ahead.
“I’m struggling with the API” · Commenter Michael Schwartz (of Gluu): “For federation to work, it needs to be easier for web developers. Asking developers to implement OpenID Connect is not the answer for everyone, although with better high level libraries, this will hopefully become easier.”
Does that about cover it? · Write in with any I missed.