All your authentication are belong to us

In my childhood, many of the bad guys in TV shows were corporate overlords. Tweed jackets and dark turtlenecks were the apparel of choice. They were ridiculously unctuous, spouting obliquely phrased threats like, "This Mannix fellow has become...Inconvenient." 

These villains were the creation of TV studios trying to capitalize on the post-60s, post-Watergate hangover, during which corporate executives were about as trusted as...Well, about as trusted as they are today. Corporate goons may be even less popular today than they were a few decades ago, after wrecking the global economy, plundering their own companies, and cackling gleefully as they collected their obscenely large bonuses. Heck, Steve Jobs even has a penchant for turtlenecks.

Distrust of corporations is having a profound impact on an important issue in the technology industry: centralized authentication and identity management for the cloud. The more applications that move into the cloud, the greater the demand for a centralized mechanism for managing authentication across those systems. Most of the would-be guardians of authentication for the cloud are corporations like Google, Facebook, and Microsoft, which poses a dilemma for these companies and users alike.

The big weapon that vendors have in this competition is adoption. Facebook claims that 60 million users per month use the Facebook Connect API as an authentication service for some other application. Meanwhile, the well-intentioned OpenID project still hasn't cracked the one-half of 1% barrier for adoption among websites.

What accounts for Facebook Connect's success? The fact that it's based on Facebook. People are already using the standard Facebook application to connect with friends, post status updates, and maintain their profiles. Facebook adoption sells Facebook Connect. OpenID has no comparable starting point. Instead, OpenID looks like yet another account that you need to create, yet another login that you need to remember.

Meanwhile, Facebook continues to proliferate across platforms. From your iPhone to your Xbox, Facebook is there, easy to set up, easy to use. Other social applications, such as Twitter and Google, are equally ubiquitous, so guess what? They're interested, too, in this authentication business. Google, for example, believes that Gmail and Google Apps provide a strong incentive for other sites to use its authentication service.

As impressive as the momentum behind these authentication services may be, the brick wall of distrust lies ahead. The companies that we've been discussing have all done something recently to increase anxieties about questions of access. Facebook keeps diddling with its privacy settings, sometimes to implement its own ideas of how people should use their services, at other times dealing with user complaints about these notions. While a single product group at Google may have been responsible for the Buzz goof, the backlash is directed at Google as a whole. Apple's decision to pull titillating content from the application store invites speculation about what other kinds of censorship it might exercise in the future. Microsoft's traditional problems getting people to trust them seem almost quaint.

Earlier this week, I argued that PM teams need a bit more security and risk expertise than they may have today. In companies that provide cloud authentication services, or use them in their applications, PMs need to deal with a complementary requirement that goes beyond purely technical details: trust. 

[Cross-posted at The Heretech.]

re: All your authentication are belong to us


There's one important difference between OpenID and Facebook Connect: OpenID is not a centralized system and can slowly grow in adoption among users through different implementations. We may even see one day the "villains of your story" come to boost OpenID's adoption: It is clear to me that corporations should all implement OpenID servers to let their employees connect on external sites through their corporate OpenID servers. This simplifies employees' lives, since they then have only one password to remember; it assures companies that their employees are not spreading their internal passwords on external sites; and it provides both companies and employees a system that is safe and centralized from "their" point of view.

re: All your authentication are belong to us

Agree with fbaud's point. Most people who care about information security will be much more comfortable using a decentralized approach like OpenID. I would also add that Facebook Connect's growth can be tied to another issue, beyond the fact that millions of people are on Facebook already. While people are willing to use Facebook Connect to authenticate for trivial endeavors like commenting or posting to other social networks, I'm certain that most Facebook users would think twice about using it to authenticate against any business-critical or confidential financial/personal system such as their health records. Are there any data that rank the types of apps/sites Facebook users are connecting to through Facebook Connect?

re: All your authentication are belong to us

"Most people who care about information security will be much more comfortable using a decentralized approach like OpenID."

This is totally true. But most people don't care about information security. Or even if they profess to, don't care enough to change behavior over it. Even a seemingly tiny obstacle, like a one-time 30-second process to create an OpenID, is a huge barrier to adoption.

re: All your authentication are belong to us

One thing to keep in mind is that using Facebook Connect provides the target site with a lot more than simply authentication - it provides them with all of the information that's available through the Facebook API - your friends, your fan memberships, etc. Though most people don't know this, it fits in well with the FB CEO's public statements about privacy, which should concern anyone using this as an identity service.