by mkjones 5002 days ago
So I like a lot of the analysis in this article, but couldn't help taking issue with some of it. Here are some thoughts that came to mind. Worth noting that I work on security / spam fighting at Facebook, but these are solely my personal opinions.

"Social login buttons put security in someone else’s hands" You're damn right they do! I argue that in 99.9% of cases that's a great thing, for 3 reasons:

1. Facebook invests significant resources in both keeping bad guys out (we have been able to dramatically reduce large-scale phishing with a number of updates to our login security systems) and ensuring everyone else can get into their accounts easily. I can only speak for us, but I assume Twitter spends a lot of time on this as well. I imagine it'd be tough for a startup to keep up with the 10-20 people we have working on this problem at any given time.

2. It's incredibly difficult to build a password system that is both easy to use and secure. There's an almost endless, ever-changing list of things to get right: make sure you're hashing and salting properly, don't have SQL injection flaws, implement robust rate-limiting without allowing DoS, etc. We've all seen many people screw it up in recent years. One of the largest benefits of Facebook Connect for startups is the ability to leverage our investment in these systems, without having to invest the significant time we have spent iterating on them.

3. We've spent a lot of time working on every aspect of login, so that startups don't have to. Your job is to build whatever technology differentiates you from your competitors, and make it worlds better than theirs. Any time you spend pfutzing with password hashing, building a better password recovery flow, or arguing about how to fail when people type in the wrong password is time you could better spend making a truly wonderful product. Unless you're trying to build a startup that helps people login, any time spent on this is better spent elsewhere.

3 comments

1. True, but irrelevant.

2. It is very easy. SQL injection etc. isn't something you magically get rid of because you use a facebook login...

The reason so many get this wrong is because they don't even try. And if you don't even try you won't get any other aspect of security right, and outsourcing your logins isn't going to solve any of that. If you have to outsource this to facebook, the moment you get big you will, guaranteed, have issues with DoS, rate-limiting, SQL injection etc. for everything but the login. Which honestly isn't much of an advantage (sure, leaking your password database is bad press - but if you have the slightest bit of salting it might even turn out to be somewhat good - after all, your little startup apparently had way better security than Sony and 99% of everyone else's leaked databases). If salted passwords are the only thing valuable in your database you are in serious trouble anyway.

3. Since building your own login is so easy and hardly even a fraction of anything worth doing with your startup, outsourcing it completely is just ludicrous.

If you can't even salt your passwords right maybe this web-thing isn't your thing after all, or maybe you should outsource everything...

Point is that exclusively relying on facebook (or whatever) login is downright fraudulent and also signals that you are lazy and don't care the slightest about your users. It is that easy, you can't get away from that.

Offer a facebook login alongside your own solution (if you think it's worth the hassle implementing facebook connect/whatever). Even if 99% of the users choose facebook, the fact that there is an alternative is guaranteed to make them feel better about using facebook in the first place. If you don't think that is worth it, your site most likely isn't worth even trying either...

As for the user point of view, if you really think it is worth it (probably isn't): Just create fake facebook account(s).

1. What's irrelevant about having robust and constantly-evolving phishing detection, and optimized flows for getting people back into their accounts? Both of these are important in a high-quality login system IMO.

2. You're right that a lot of folks fail to even try for security, but I disagree that outsourcing password management to facebook won't help them. If they get popped and have no passwords, all that leaks is the information specific to their site. If they get popped and have passwords, then in addition all those users' passwords (which they likely share with other sites) are now in the open. The damage has spread beyond the one clowny site and screwed over those users' experiences on wherever they shared passwords. We actually invest a fair amount of time in automated systems that look for leaked password dumps from such sites and help clean up users whose leaked passwords match their Facebook ones.

Also, even in cases where people did things more-right, it's still incredibly damaging. Look at LinkedIn (who was hashed but not salted) or Gawker (who was hashed and salted, albeit poorly).

3. I guess I didn't convey this very well, but my point was that building your own login system is difficult. Getting everything right to ensure it's secure is actually pretty difficult, and requires constant attention if you're under any kind of targeted attack.

As for making fake Facebook accounts... please don't do that. You'll just open yourself to a bunch of headaches, as we're pretty aggressive with removing fake accounts from the site.
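The two storage failure modes named in this reply (a hash with no salt, and a salt applied poorly) can be shown next to a sound scheme. This is an added example, not code from the thread or from Facebook; the per-user-salt scheme uses PBKDF2-HMAC-SHA256, and the iteration count, the site-wide salt and the sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happen to pick the same password.
USERS = {"alice": "correct horse", "bob": "correct horse"}
SITE_SALT = "constructed-site-wide-salt"  # one salt shared by every account

def unsalted_sha1(password: str) -> str:
    # Bare hash, no salt (the "hashed but not salted" case): equal passwords
    # give equal digests, so one lookup table covers every user who chose it.
    return hashlib.sha1(password.encode()).hexdigest()

def global_salt_sha1(password: str) -> str:
    # One common way to salt poorly: a single site-wide salt. It defeats
    # generic rainbow tables but still leaks password equality across users.
    return hashlib.sha1((SITE_SALT + password).encode()).hexdigest()

def store_password(password: str, iterations: int = 200_000) -> str:
    # Per-user random 16-byte salt plus a deliberately slow KDF.
    # Stored as "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>".
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    # Re-derive with the stored salt and iteration count, then compare in
    # constant time so response timing does not reveal how many bytes matched.
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def same_password_collides(scheme) -> bool:
    # True when two users with the same password get identical stored records,
    # i.e. the scheme leaks password equality across accounts.
    records = [scheme(pw) for pw in USERS.values()]
    return records[0] == records[1]

if __name__ == "__main__":
    print("unsalted sha1 collides:", same_password_collides(unsalted_sha1))
    print("site-wide salt collides:", same_password_collides(global_salt_sha1))
    print("per-user salt collides:", same_password_collides(store_password))
    rec = store_password("correct horse")
    print("verify correct:", verify_password("correct horse", rec))
    print("verify wrong:", verify_password("incorrect horse", rec))
```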

Facebook has big target problems and fortunately has big target defence resources. That doesn't make it right for everybody.

1. If you are small, people won't be using your brand as the bait in anything other than spear-phishing, where your phishing detection won't work. Emails and password resets are pretty easy. If you need it, Twilio makes SMS resets pretty easy too, but in most cases that is probably overkill.

2. There probably is some benefit here.

3. There are fairly simple and clear best practices that are reasonable for most sites. Most people aren't under targeted attack although they should put a reasonable amount of effort into a reasonable defensive system.

Facebook integration (or other 3rd party login) also brings additional risks as they become a potential attack vector. This may seem unlikely unless you consider the possibility of staff, contractors or app developers finding a way in.

> We've spent a lot of time working on every aspect of login, so that startups don't have to.

Really? I find this claim to be suspect and very disingenuous. The reason FB spent a lot of time on login was so startups don't have to? It wasn't, say, so your users would be secure ... and then a later realization hit that you could subsume startups into the FB universe by letting them use it?

If FB wanted to solve the login problem so startups don't have to, why not offer a standalone, drop-in login solution that doesn't require devs to hook their apps into FB, to have dev accounts, to get user info from FB, to display the Facebook brand, etc. etc. etc.

> Your job is to build whatever technology differentiates you from your competitors, and make it worlds better than theirs.

Probably best to think that, just like Facebook, every startup's "job" is to take care of their users, protect their information, and deliver a quality experience. And each startup is the only one capable of determining the value of doing it themselves.

> Any time you spend pfutzing with password hashing, building a better password recovery flow, or arguing about how to fail when people type in the wrong password is time you could better spend making a truly wonderful product. Unless you're trying to build a startup that helps people login, any time spent on this is better spent elsewhere.

You really do like taking this just that much too far, don't you? I consider the way startups and applications handle authentication, signup, etc. to be an integral part of how I determine quality of the product. And even though I have a Facebook account, whenever someone makes me go through Facebook, it fucking destroys any semblance of a nice user workflow.

When a startup spends time helping me signup and login to their service, I notice. And when they don't, I typically hear in the back of my head, "Fuck it, just slap Facebook on it. Problem solved."

Shoot - sorry if I came across as disingenuous! You're right that a lot of the reason we spend time on login is because we want our users' accounts to be secure - but a big advantage of our API is that we extend all that work to third parties. I think it is actually a pretty good drop-in login solution, but you obviously have to have some setup associated with it (the user needs to understand to whom they're disclosing their identity, etc). You don't need to ask for any permissions or query any data (though of course I think you can make things a lot more compelling if you do in a lot of cases).

Agreed that companies should determine how to deliver a great experience. In my opinion, a two-click login with something like FB is a much better experience than registering with another password and confirming your email address, and worrying about what the site's security is like (how do you evaluate this?). It sounds like we'll just have to agree to disagree here.

Most websites that are adding social login buttons also keep their own registration/authentication setup. I think by adding social login buttons you also increase attack surface on your website, no matter how good third party security is.

My point is that you shouldn't bother spending any time rolling your own registration / authentication step.

Do you think that using 3rd party auth in lieu of your own auth decreases security?

Right, instead we should cut our potential userbase in half to promote facebook. That's very realistic.