After my last post, a reasonable question is whether we in the industry have been goofing off on the job. After all, how could it be that someone got their account broken into? Everyone knows that passwords are a weak form of authentication. Most enterprises won’t allow it for employee access, and we would string a bank CSO up by his or her toenails if a bank only used passwords to access your information. They use at a bear minimum RSA one time password tokens or perhaps Smart Cards. So why are the rules different for Facebook?
They would say, I’m sure, that they do not hold the keys to your financial data. Only that may not be true. Have you entered credit card details into Facebook? Then in that case maybe they do hold the keys to your financial data. Even if you haven’t entered any financial data into Facebook? Are you using the same password for Facebook that you are for your financial institution? Many people are, and that is the problem.
Passwords have become, for want of a better term, an attractive nuisance. It’s not that the concept itself is terrible, but they are increasingly difficult to secure, as the number of accounts that people hold continues to skyrocket. Yes, the problem is getting worse, not better. My favorite example is the latest update to the Wall Street Journal iPhone app, where the upgrade description says, “Application Enhancements to Add Free Registration & the Ability for Subscribers and Users to Login”. What a lovely enhancement. Right up there with enhancing the keyboard I am typing on to give me electric shocks.
Facebook is at least making a feeble attempt to get around this problem by offering OpenID access in some limited way (I tried using it from this site, and FB is broken, even though I can get into all sorts of other sites, including LiveJournal). Still, it probably works for you if you are a Google, Yahoo!, or MySpace user, but for better or worse those sites themselves do not accept OpenID. (The better part is that no one can simply break into one account and gain access to all of these other sites. The worse part is that if you have some other OpenID, you can’t use it with these sites.)
OpenID has lots of problems, the biggest of which is that there is no standard privileged interface to the user. This is something that Google, Yahoo!, and MySpace might actually like, because it means that they provide the interface they want to provide. Unfortunately, programs, or more precisely the authors of programs, might find that a little irritating, since OpenID is so closely tied to the web that it is difficult to use for other applications (like email).
SAML and Higgins to the rescue? OAUTH? Blech.