Although it’s not apparent to many, Facebook is in the process of transforming itself from the world’s most popular social-media website into a critical part of the Internet’s identity infrastructure. If it succeeds, Facebook and Facebook accounts will become an even bigger target for hackers.
As security professionals debate whether the Internet needs an “identity layer”—a uniform protocol for authenticating users’ identities—a growing number of websites are voting with their code, adopting “Facebook Connect” as a way for anyone with a Facebook account to log into the site at the click of a button.
Facebook introduced Connect back in July 2008, offering third-party websites tools to coordinate with the user information that Facebook holds, including logins. Thus websites had the option of allowing Facebook users to identify themselves with their Facebook identities.
So, for instance, the Web statistics vendor Alexa gives new users the choice of creating an account by entering a username and a password or by simply clicking the “Connect with Facebook” button. Well-known websites that also use Connect include the Internet Movie Database, Ask.com, and ESPN. Others will almost certainly jump on the bandwagon in 2011.
Facebook’s identity system might very well supply something that VeriSign, Microsoft, Yahoo, and Google have all struggled to offer: a single “driver’s license” for the Internet. (This leaves aside the question of whether it’s a good thing for one company to hold such a position of power.)
A unique combination of factors makes Facebook well suited to being the repository for people’s identities on the Internet. Unlike many popular websites, it requires users to register and log in. And Facebook’s terms of service require that “users provide their real names and information”—indeed, Facebook has terminated accounts that were created with seemingly fake names or for fictional characters. Since Facebook users invest their accounts with a tremendous amount of durable personal content—including photographs, contact information, and connections to their social network—they are likely to keep a long-term relationship with the site.
This persistence of real identity puts Facebook in a position to solve one of the most pressing problems on the Internet today—the proliferation of user names and passwords.
Contrary to today’s practice, there is no reason for most websites to force their users to create usernames and passwords. Most websites don’t need or even want to manage the identities of their users—they simply want a way to reliably identify their users over time. Media websites, for instance, want to be able to attribute comments and limit spam. Personal-finance websites want to give users a way to monitor highly personal information securely—for example, a portfolio of stocks that the user might enter.
What’s more, maintaining a user-identity infrastructure has its risks—as was made painfully clear last month when hackers broke into servers operated by Gawker Media and downloaded the user names and passwords for more than a million of Gawker’s accounts. Even though the passwords were encrypted, many were easy to guess, so the accounts could be readily cracked, according to an analysis of the attack by security researchers at the University of Cambridge. Following the attack, several unrelated websites, including LinkedIn and Woot, sent e-mail to their users warning them to change their passwords if they were the same ones they used for Gawker.
Facebook Login lets any website on the planet use its identity infrastructure—and underlying security safeguards. It’s easy to implement Facebook Login, simply by adding a few lines of code to a web server. Once that change is made, the site’s users will see a “Connect with Facebook” button. If they’re already logged into Facebook (having recently visited the site), they can just click on it and they’re in. If they haven’t logged in recently, they are prompted for their Facebook user name and password.
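As an added example (not from the article, and not Facebook’s own code), here is the check a site adopting such a login should run on the server side: verify the identity assertion with the secret only the site and Facebook share, rather than trusting a user id the browser posts. It assumes the format Facebook documents as signed_request, a base64url HMAC-SHA256 signature, a dot, and a base64url JSON payload, keyed with the site’s app secret; the secret and payload below are constructed values.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(s: str) -> bytes:
    # Facebook strips "=" padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode("ascii").rstrip("=")


def make_signed_request(payload: dict, app_secret: str) -> str:
    # Constructed for the demo: builds the token the browser would hand to
    # the site, so the verifier below can be exercised offline.
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(app_secret.encode(), body.encode(), hashlib.sha256).digest()
    return f"{_b64url_encode(sig)}.{body}"


def parse_signed_request(signed_request: str, app_secret: str):
    """Return the payload dict if the signature is valid, else None."""
    try:
        encoded_sig, body = signed_request.split(".", 1)
    except ValueError:
        return None  # malformed: no "signature.payload" structure
    expected = hmac.new(app_secret.encode(), body.encode(), hashlib.sha256).digest()
    # Constant-time comparison: never compare MACs with ==.
    if not hmac.compare_digest(_b64url_decode(encoded_sig), expected):
        return None
    data = json.loads(_b64url_decode(body))
    if str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None  # refuse any algorithm the site did not agree to
    return data


APP_SECRET = "constructed-app-secret-not-real"  # constructed value
SAMPLE = make_signed_request(
    {"algorithm": "HMAC-SHA256", "user_id": "12345", "issued_at": 1294000000},
    APP_SECRET,
)

if __name__ == "__main__":
    print(parse_signed_request(SAMPLE, APP_SECRET))
```

Only a payload whose MAC verifies under the app secret identifies a user; a token with a swapped user id or signed with another secret is rejected.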
An interesting side benefit for website operators is that Facebook Login provides the site with users’ real names (in most cases) and optionally a variety of other information, such as the users’ “friends” and “likes.” Currently, Facebook doesn’t charge websites to use its identity infrastructure or access this additional information, though Facebook certainly could in the future.
Facebook is already well acquainted with Internet security issues, simply because it holds personal data for more than 500 million people. The increased use of the Facebook platform for things beyond social media—a bank in New Zealand, for instance, announced in November that it would allow customers to access banking information on Facebook—obviously raises new concerns. And if the company extends its reach to offer a universal login on the Web, the challenges it’s likely to face will become greater still.