
The Inherent Flaw in Third-Party Authentication

For my current project, I've been researching Facebook Connect. As I've been digging into it, I've been thinking about the huge vulnerability in using third-party authentication methods such as OpenID, Live ID, and Facebook Connect. The problem, which people have highlighted in the past, is that you are now reliant upon another company being available for your users to log in to your site.

The reality of this situation has been brought home for me over the past week. I'm going on day 6 of not having access to Facebook. The login page just tells me that my account is "temporarily unavailable due to site maintenance" and that it should be back "within a few hours." Easy means of support are pretty much unavailable, which is sort of understandable for a site that boasts more than 300 million active users (and growing). Unfortunately, there's nobody to contact for any sort of problem, and all I can find is a few blogs where other people are having the same problem.

Just a few more hours...

So imagine the hypothetical case that some of your users registered for your site using Facebook Connect. They normally come in and simply log in with their Facebook ID on the Facebook login page, and over time they've entered a wealth of information under this account. Now all of a sudden they can't get into your site, because Facebook is "undergoing maintenance" for days on end. With Facebook being unavailable for support, they'll more than likely turn to your company for answers. Unfortunately, Facebook, as they say, has no skin in the game, so there is no motivation for them to fix the problem.

These are just a few things to think about when relying on a third party to authenticate your users. It adds convenience when all is well, but it could mean a lot of unhappy users if something breaks.
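One way to limit the damage the post describes is to never make a single external identity provider the only path into an account: link each user's federated identity to a locally verifiable credential as well, and stop sending users to a provider that is visibly down. The sketch below is an added example written for this page, not code from the original post or from Facebook Connect; the provider adapter, the `social` provider name, the account details, and the circuit-breaker thresholds are all constructed assumptions.

```python
import hashlib
import hmac
import os
import time


class ProviderUnavailable(Exception):
    """Raised by a provider adapter when the identity provider cannot be reached."""


class CircuitBreaker:
    """Opens after `threshold` consecutive failures and re-closes after `cooldown` seconds."""

    def __init__(self, threshold=3, cooldown=300.0):
        self.threshold, self.cooldown = threshold, cooldown
        self.failures, self.opened_at = 0, None

    def is_open(self, now=None):
        now = time.time() if now is None else now
        if self.opened_at is None:
            return False
        if now - self.opened_at >= self.cooldown:   # cooldown over: let a probe through
            self.failures, self.opened_at = 0, None
            return False
        return True

    def record_success(self):
        self.failures, self.opened_at = 0, None

    def record_failure(self, now=None):
        self.failures += 1
        if self.failures >= self.threshold:
            self.opened_at = time.time() if now is None else now


class Account:
    """A local account with a password credential and any number of linked federated ids."""

    def __init__(self, user_id, email):
        self.user_id, self.email = user_id, email
        self.federated = {}            # provider name -> subject identifier at that provider
        self.salt = self.pw_hash = None

    def set_password(self, password):
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def check_password(self, password):
        if self.pw_hash is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(candidate, self.pw_hash)


class AuthService:
    """Accounts plus provider adapters; an adapter maps a token to a subject id or raises."""

    def __init__(self, providers):
        self.providers = providers
        self.breakers = {name: CircuitBreaker() for name in providers}
        self.accounts, self.by_federated, self.by_email = {}, {}, {}

    def register(self, user_id, email, password=None, federated=None):
        acct = Account(user_id, email)
        if password:
            acct.set_password(password)
        for provider, subject in (federated or {}).items():
            acct.federated[provider] = subject
            self.by_federated[(provider, subject)] = user_id
        self.accounts[user_id], self.by_email[email] = acct, user_id
        return acct

    def available_methods(self, now=None):
        """Login options to show the user: local password plus every provider not circuit-open."""
        return ["password"] + [n for n, b in self.breakers.items() if not b.is_open(now)]

    def login_federated(self, provider, token, now=None):
        breaker = self.breakers[provider]
        if breaker.is_open(now):
            raise ProviderUnavailable(f"{provider} is marked down; offer another method")
        try:
            subject = self.providers[provider](token)
        except ProviderUnavailable:
            breaker.record_failure(now)
            raise
        breaker.record_success()
        return self.by_federated.get((provider, subject))   # None if subject is unknown

    def login_password(self, email, password):
        user_id = self.by_email.get(email)
        if user_id is not None and self.accounts[user_id].check_password(password):
            return user_id
        return None


def demo():
    """Constructed scenario: the 'social' provider goes down mid-session; the user still gets in."""
    state = {"up": True}

    def social_verify(token):           # hypothetical adapter for an external provider
        if not state["up"]:
            raise ProviderUnavailable("social provider unreachable")
        return "subject-123" if token == "good-token" else "unknown"

    svc = AuthService({"social": social_verify})
    svc.register("u1", "alice@example.com", password="correct horse",
                 federated={"social": "subject-123"})
    result = {"before": svc.login_federated("social", "good-token", now=0.0)}
    state["up"] = False
    for i in range(3):                  # three failed attempts trip the breaker
        try:
            svc.login_federated("social", "good-token", now=1.0 + i)
        except ProviderUnavailable:
            pass
    result["methods_during_outage"] = svc.available_methods(now=10.0)
    result["fallback"] = svc.login_password("alice@example.com", "correct horse")
    result["wrong_pw"] = svc.login_password("alice@example.com", "nope")
    state["up"] = True
    result["methods_after_cooldown"] = svc.available_methods(now=310.0)
    return result


if __name__ == "__main__":
    print(demo())
```

The design point is the account model, not the breaker: because `Account` keys the federated subject id to a local user record rather than treating it as the account itself, the provider's outage costs the user one login option instead of their entire history on the site. The breaker only keeps the UI honest about which options currently work.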

Categories: Identity Management
  1. October 21st, 2009 at 20:41 | #1

    Would the situation be any different if your payroll or HR provider's IT infrastructure had a hiccup? This problem is commonplace when outsourcing services to others. To protect yourself and your customers, you put redundant systems in place, get SLAs, and take your issues to the courts if contracts are breached. I know these aren't ideals to be sought after, but throwing out the baby isn't either. Outsourcing is a key optimization for businesses, and IaaS, PaaS, and SaaS (such as authentication) are an important way to lower a business's TCO and TTM.

  2. Garrett
    October 22nd, 2009 at 13:43 | #2

    @Travis Spencer

    I agree that you will always have to deal with potential downtime in systems, whether for maintenance purposes, bugs, or some sort of data corruption. A wise company will always make sure they mitigate their risks by putting in place SLAs and dealing with a reliable service provider. What's troubling is that when dealing with big web sites such as Facebook and Google, companies don't have the option to enter into any sort of contractual agreement. Either Facebook Connect is working or it's not, and unfortunately more and more websites are offering the option to log in with your Facebook ID, which (as I found out) is not entirely reliable.

    But I do agree that outsourcing provides several benefits and service-based applications are certainly the way things are moving. Companies just need to recognize some of the inherent risks when making these decisions.

  3. November 26th, 2009 at 11:08 | #3

    You have the power to change this. If you and thousands of others boycott Facebook and Google (or at least their federated authentication services), perhaps they will begin providing users and businesses some form of SLA. If not, I imagine that alternatives will enter the market that do.
