The Inherent Flaw in Third-Party Authentication
For my current project, I’ve been researching Facebook Connect. As I’ve been digging into it, I’ve been thinking about the huge vulnerability in using third-party authentication methods such as OpenID, Live ID, and Facebook Connect. The problem, which people have highlighted in the past, is that you are now reliant upon another company to be available for your users to log in to your site.
The reality of this situation has been brought home over the past week for me. I’m going on day 6 of not having access to Facebook. The login page just tells me that my account is “temporarily unavailable due to site maintenance” and it should be back “within a few hours.” Easy means of support is pretty much unavailable, which is sort of understandable for a site that boasts more than 300 million active users (and growing). Unfortunately, there’s nobody to contact for any sort of problem, and all I can find is a few blogs where other people are having the same problem.
So imagine the hypothetical case that some of your users registered for your site using Facebook Connect. They normally log in by entering their Facebook ID on the Facebook login page, and over time they’ve built up a wealth of information under this account. Now all of a sudden they can’t get into your site because Facebook is “undergoing maintenance” for days on end. With Facebook unavailable for support, they’ll more than likely turn to your company for answers. Unfortunately, Facebook has no skin in the game: your users’ lockout costs it nothing, so there is no motivation for it to fix the problem quickly.
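To make the failure mode concrete, here is an added example (not code from the original post, and not Facebook's or any provider's API) that models a site with linked third-party identities. The provider classes, account store, user names and subject ids are all constructed for illustration. It shows what happens during a simulated provider outage to a user whose only login is that provider, versus a user who also has a second provider or a local password linked to the same account:

```python
"""Account linking as a hedge against a third-party identity provider outage.

Constructed example: ThirdPartyProvider stands in for Facebook Connect / OpenID,
AccountStore for your site's user database. Nothing here is a real provider API.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


class ProviderUnavailable(Exception):
    """The third-party provider cannot be reached or refuses to serve."""


class ThirdPartyProvider:
    """Simulated provider. issue() plays the provider's login page handing the
    user a token; verify() plays your server validating that token with it."""

    def __init__(self, name: str, available: bool = True):
        self.name = name
        self.available = available
        self._tokens: Dict[str, str] = {}  # token -> provider-side subject id

    def _require_available(self) -> None:
        if not self.available:
            raise ProviderUnavailable(f"{self.name} is unavailable")

    def issue(self, subject: str) -> str:
        self._require_available()
        token = secrets.token_hex(16)
        self._tokens[token] = subject
        return token

    def verify(self, token: str) -> str:
        self._require_available()
        subject = self._tokens.get(token)
        if subject is None:
            raise ValueError("invalid or expired token")
        return subject


@dataclass
class Account:
    username: str
    identities: Dict[str, str] = field(default_factory=dict)  # provider -> subject
    pw_salt: Optional[bytes] = None
    pw_hash: Optional[bytes] = None


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}
        self._by_identity: Dict[Tuple[str, str], str] = {}  # (provider, subject) -> username

    def create(self, username: str) -> Account:
        self._accounts[username] = Account(username)
        return self._accounts[username]

    def link_identity(self, username: str, provider: ThirdPartyProvider, token: str) -> None:
        """Verify with the provider before linking, so a subject id cannot be claimed blindly."""
        subject = provider.verify(token)
        key = (provider.name, subject)
        if self._by_identity.get(key, username) != username:
            raise ValueError("identity already linked to another account")
        self._accounts[username].identities[provider.name] = subject
        self._by_identity[key] = username

    def set_password(self, username: str, password: str) -> None:
        acct = self._accounts[username]
        acct.pw_salt = secrets.token_bytes(16)
        acct.pw_hash = _hash_password(password, acct.pw_salt)

    def login_with_provider(self, provider: ThirdPartyProvider, token: str) -> Account:
        subject = provider.verify(token)  # raises ProviderUnavailable during an outage
        username = self._by_identity.get((provider.name, subject))
        if username is None:
            raise ValueError("no account linked to this identity")
        return self._accounts[username]

    def login_with_password(self, username: str, password: str) -> Account:
        acct = self._accounts.get(username)
        if acct is None or acct.pw_hash is None or acct.pw_salt is None:
            raise ValueError("password login not set up")
        if not hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.pw_salt)):
            raise ValueError("bad password")
        return acct


def outage_scenario() -> Dict[str, bool]:
    """Two users, one provider outage. Returns which login paths still work."""
    store = AccountStore()
    facebook = ThirdPartyProvider("facebook")
    openid = ThirdPartyProvider("openid")

    store.create("alice")  # only Facebook Connect linked
    store.link_identity("alice", facebook, facebook.issue("fb-1001"))

    store.create("bob")  # Facebook Connect plus a second provider and a local password
    store.link_identity("bob", facebook, facebook.issue("fb-1002"))
    store.link_identity("bob", openid, openid.issue("https://bob.example/"))
    store.set_password("bob", "correct horse battery staple")

    facebook.available = False  # the multi-day "site maintenance" from the post

    def can_login(attempt: Callable[[], Account]) -> bool:
        try:
            attempt()
            return True
        except (ProviderUnavailable, ValueError):
            return False

    return {
        "alice_via_facebook": can_login(lambda: store.login_with_provider(facebook, facebook.issue("fb-1001"))),
        "bob_via_facebook": can_login(lambda: store.login_with_provider(facebook, facebook.issue("fb-1002"))),
        "bob_via_openid": can_login(lambda: store.login_with_provider(openid, openid.issue("https://bob.example/"))),
        "bob_via_password": can_login(lambda: store.login_with_password("bob", "correct horse battery staple")),
    }


if __name__ == "__main__":
    for path, ok in outage_scenario().items():
        print(f"{path}: {'ok' if ok else 'LOCKED OUT'}")
```

The point of the model is the `_by_identity` map: an account is keyed by every identity linked to it, not by the one it was created with, so a second provider or a local password gives the user a way in that the first provider's outage cannot take away. Note also that `link_identity` verifies the token with the provider before linking; linking on an unverified subject id would let anyone attach someone else's identity to their own account.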
Just a few things to think about when relying on a third party for authenticating your users. It adds convenience when all is well, but it could mean a lot of unhappy users if something breaks. If you do go this route, give each account a second way in, such as a local password or a link to another provider, so that one provider’s outage doesn’t lock your users out entirely.