When you click on the dark-blue button to sign in with Facebook (or bright red for Google) what does Facebook (or Google) learn about you? What does the app you’re signing into learn about you? Uncertainty makes people nervous about federated login.
[This is part of the Federation Conversation series.]
And the answer is... · “It depends.”
Sorry. It just isn’t simple. But the single most important thing is simple, and goes like this:
You shouldn’t have to guess! · Since the answer is kind of complicated and depends on a whole bunch of factors, it’s entirely unreasonable for either the app you’re signing into (let’s call it the “RP”, identigeek jargon for “Relying Party”) or the Identity Provider (“IDP”) to expect you to know which information flows where.
But that’s not enough. When you click on a “Sign in with” button, it should tell you right then and there what’s going to happen.
What the IDP learns · Using most federated-identity protocols (OpenID 2, SAML, OpenID Connect, anything else OAuth 2-based), the IDP learns that the sign-in happened: That such-and-such a user logged into such-and-such an app. One of the claims of the Mozilla Persona designers is they don’t necessarily let the IDP know which apps people are signing into. I haven’t done a Persona deep-dive yet, but I’ll report back after I do.
But just because the IDP knows where and when you’ve logged in, that doesn’t mean it retains the information or makes any particular use of it. Check privacy policies!
Now, I’m pretty paranoid (and more so every day I’m in this job) but this one doesn’t worry me much, here’s why:
First, just about every app I sign up for sends me a confirmation email, so my email provider (which is usually an IDP) already knows about my accounts.
Also, given the astonishing number of tracking widgets all over the web, and the fact that certain government agencies are capturing basically all Internet traffic, it’s like this: Where your browser goes isn’t very secret. So someone tracking the (fairly rare) occasions when I actually go through the sign-in process just doesn’t loom that large.
But I’m not saying that it’s wrong to worry about this; if it bothers you, it bothers you. And I do believe that once anyone’s connected to anywhere, the traffic should be private by default.
Anyhow, the fact of sign-in is all that’s captured. The IDP doesn’t learn anything new aside from that; in fact, the information flow is all the other way, from IDP to RP. That is to say, just because you signed in somewhere with Facebook doesn’t mean Facebook gets to find out about what you do once you’re there. (Unless the app is using other Facebook APIs... did I mention that this is complicated?)
What the RP learns · It’s all over the map; when you sign in to some RP with some IDP, what the RP learns depends on what protocol you used, how much information you ask for, and what info the IDP is willing to provide. Since there’s no way for you to tell, it is critically important that you be informed what’s going on, at the time it’s going on.
Let’s explore this by example, with the Google IDP since I work there and know it best. The absolute minimum an RP can ask for is just confirmation that you’re logged into the browser. (For OpenID Connect experts, I’m talking scope=openid.) When an RP asks for that, you see this:
Assuming you say “Yes”, Google will send the RP a success signal, plus, since you want to know who you’re talking to, a unique User ID value, which can be used to look up your “Public profile” at Google. To check out yours, go visit profiles.google.com/me, copy the URL you end up at, and visit it again in incognito mode or from another browser where you’re not signed in.
This approval page could be improved, I think. First, I know it’s obvious that you’re being logged in, that’s why you came here, but I still think it should say that yeah, it’s reporting your sign-in status. Also, the phrase “know who you are” should be linked to your public profile.
So I launched an internal conversation about this, and we’ll work on it. See, blogging improves the Internet.
What’s wrong with this picture? · That interchange was unusual, because the RP didn’t learn your email address. Sometimes you hear people saying that we’re past email, it’s 20th-century stuff, kids don’t use it. But most apps’ operators really want to know people’s emails. Among other reasons, if all other login mechanisms break down, they can always email you a “reset my password” link.
So a typical RP will also usually ask for the email (OpenID Connect experts: scope=openid email). Then you see a screen like this:
Which I think is pretty decent. The RP can also ask for a basic information package (scope=openid email profile) and you’ll see:
The “basic information” includes things like your name, your G+ profile if you have one, a picture, and your gender; but only if you’ve provided them to Google. By the way, those little i-in-a-grey-circle thingies link to longer explanations, which are pretty good.
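To make the three scope levels above concrete, here is an added example (it is not code from the original post, and not Google’s code) that models the RP side of an OpenID Connect request and what an IDP releases for each scope. The scope-to-claims table follows the standard claims in OpenID Connect Core 1.0; the endpoint URLs, client id and the user record are constructed placeholders, and the "None means the user never provided it" rule is my approximation of the "only if you’ve provided them to Google" behaviour described above.

```python
# Added example, not code from the original post or from Google: a toy model of
# an OpenID Connect RP choosing scopes and of what an IDP releases for each.
# Assumptions: the scope-to-claims table follows the standard claims in
# OpenID Connect Core 1.0 (section 5.4); the endpoint URLs, client id and user
# record are constructed placeholders, not real Google values.
import secrets
from urllib.parse import urlencode, parse_qs, urlparse

# Which claims each standard scope unlocks. "openid" alone yields only the
# stable user identifier ("sub"), which is the minimum an RP can ask for.
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "email": {"email", "email_verified"},
    "profile": {"name", "given_name", "family_name", "picture", "gender",
                "profile", "locale"},
}

# Constructed user record as the IDP might hold it. None means the user never
# gave the IDP that attribute, so it is not released even if the scope allows.
USER_RECORD = {
    "sub": "example-user-id-12345",
    "email": "alice@example.com",
    "email_verified": True,
    "name": "Alice Example",
    "given_name": "Alice",
    "family_name": "Example",
    "picture": "https://idp.example/photos/alice.png",
    "gender": None,
    "profile": None,
    "locale": "en",
    "phone_number": "+1-555-0100",  # needs the "phone" scope, never requested here
}


def build_authorization_url(authz_endpoint, client_id, redirect_uri, scopes):
    """Build the authorization request the RP sends the browser to.

    Returns (url, state, nonce): the RP must store state and nonce in the
    session and check them when the browser comes back.
    """
    if "openid" not in scopes:
        raise ValueError("an OpenID Connect request must include the openid scope")
    state = secrets.token_urlsafe(16)  # ties the callback to this browser session
    nonce = secrets.token_urlsafe(16)  # must be echoed back inside the ID token
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    return f"{authz_endpoint}?{urlencode(params)}", state, nonce


def authorization_params(url):
    """Parse a request URL back into a flat dict (what the IDP sees)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def claims_released(scopes, user_record):
    """What the IDP hands the RP after the user clicks Accept: only the claims
    covered by the granted scopes, and only those the user actually filled in."""
    allowed = set()
    for scope in scopes:
        allowed |= SCOPE_CLAIMS.get(scope, set())  # unknown scopes unlock nothing
    return {k: v for k, v in user_record.items()
            if k in allowed and v is not None}


def minimal_scopes_for(needs_email, needs_profile):
    """Least-privilege helper: ask only for what the RP actually uses."""
    scopes = ["openid"]
    if needs_email:
        scopes.append("email")
    if needs_profile:
        scopes.append("profile")
    return scopes


if __name__ == "__main__":
    for scopes in (["openid"], ["openid", "email"], ["openid", "email", "profile"]):
        url, state, nonce = build_authorization_url(
            "https://idp.example/authorize", "rp-client-id",
            "https://rp.example/callback", scopes)
        print("scope=" + authorization_params(url)["scope"])
        print("  RP receives:", sorted(claims_released(scopes, USER_RECORD)))
```

Running it prints, for each of the three requests, exactly the claim names the RP ends up with: just sub for scope=openid, sub plus the email claims for scope=openid email, and the name, picture and locale on top of that for scope=openid email profile, with gender left out because the constructed user never supplied it. The minimal_scopes_for helper is the RP-side discipline the post is arguing for: the approval screen can only be honest if the RP asks for no more than it uses.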
This feels social · While that is a useful little package of information, many RPs want more. They want to enrich your experience and a really good way to do it is to get social: find out who your friends are and what you care about.
Staying in the Google context, this gets us into the territory of Google+ Sign-In, the flagship offering. It comes with loads of library support for every programming platform, useful extras like prompt-to-download-my-mobile-app, and really slick APIs.
If the RP uses it, here’s what you see:
Obviously, there’s more going on here. On the one hand, the RP can get more information; but on the other, you have very precise control. If you want, you can keep it from finding out who’s in your circles, and also from being visible in your stream.
Other than Google · I don’t know the numbers, but I get the impression, just looking around, that signing in with Facebook is pretty popular. Here’s their approval screen:
And Microsoft’s, for scope=wl.signin wl.basic wl.emails:
Both of them are reasonably clear; but I think the Microsoft version is excellent.
And let’s not leave Twitter out:
Looks perfectly sensible to me, and lots of apps use it. But note that Twitter does not provide an email address, which is going to limit the range of things an RP can do.
The Real Issue · It’s not technology, it’s trust. Does the person looking at the approval screen understand what it’s saying, and (most important) does he or she believe the IDP will do what he or she thinks they’re saying they’ll do?
And it’s also very situational. I’m probably totally OK with social login of some flavor for a music-sharing app, but am going to be very nervous about the slightest social whiff for medical or financial apps.
The interesting question (and we don’t have good data on this yet) is: Once we have a bigger IDP ecosystem, so there are more ways to log in, and users start seeing lots of different approval screens, what happens? I’d seriously expect the bloggers and journos to start writing positive/negative reviews of IDP performance and features.
Question: Will people punish apps that they think are asking for too much information, by walking away?
How people respond to choice is the crucial point; more important than all the technology issues put together. We have little useful data to base predictions on, so I’m not going to make any.
But I’m pretty sure that choice is good.