Facebook as Identity Provider

January 9, 2011 · 8 comments

It might take Facebook a while to turn identity provision into a revenue opportunity, but if it is a money-maker, it could be a substantial one. Simson Garfinkel has a piece in Technology Review that goes into some of the things Facebook is doing with its “Connect” service.

As security professionals debate whether the Internet needs an “identity layer”—a uniform protocol for authenticating users’ identities—a growing number of websites are voting with their code, adopting “Facebook Connect” as a way for anyone with a Facebook account to log into the site at the click of a button.

It’s a good, relatively short article, worth a read.

As an online identity provider, Facebook could facilitate secure commerce and communication in a way that’s easy and familiar for consumers. That adds value to the Internet ecosystem, and Facebook may be able to extract some of the surplus for itself—perhaps by charging sites and services that are heavy users small amounts per login via Connect. The security challenges of such a system would grow as more sites and services rely on it, of course, and Garfinkel highlights them in an accessible way.

Quibbles are always more interesting, so I’ll note that I cocked my head to one side where Garfinkel asks “whether it’s a good thing for one company to hold such a position of power.” Strange.

Taking “power” in its philosophical sense to mean “a measure of an entity’s ability to control its environment, including the behavior of other entities,” Facebook Connect gives the company very little power. Separate, per-site logins—or a parallel service that might be created by Google, for example—are near at hand and easy to switch to for anyone who doesn’t like Facebook’s offering.

Ironically, Garfinkel refers to these identity services as “Internet driver’s licenses,” inviting a comparison with the power structure in the real-world licensing area. If you want to drive a car legally, there are no alternatives to dealing with the state, so the state can impose onerous conditions on licensing. Drivers’ licenses require one to share a great deal of information, they cost a lot of money (relative to Facebook’s dollar price of “free”), and switching is not an option if the issuer starts to change the bargain and enroll licensees in a national ID system. Garfinkel himself noted how drivers’ licenses enhance state power in a good 1994 Wired article.

In sum, the upsides of an identity marketplace are there, for both consumers and for Facebook. The downsides are relatively small. The “power” exercised by any provider in a marketplace for identity provision is small compared to the alternative of using states as identity providers.

  • http://twitter.com/ewout Ewout ter Haar

    If most service providers require a Facebook login, consumers have no choice but to have one. They can’t, effectively, switch. Conversely, if most consumers choose, say, a Google identity, service providers have no choice. These are just particular examples of the general principle that “the ability to switch” depends on what others around you have done. These complex dynamics, through network effects and winner-takes-all mechanisms, may lead to stable outcomes with near-monopolies and lock-in.

    So, I can certainly see reasons to worry. This time it’s not just operating systems and productivity software, we have our online identities at stake here. I want an identity layer and identity protocols built by disinterested engineers, upon which private parties can then build and compete. Let’s do the identity protocols the internet way, distributed and de-centralized, not controlled by a single entity.

  • Jim Harper

    You had to say they can’t “effectively” switch because you know that they can switch, or they can opt not to use such services — it’s just at some level of inconvenience that you think is too high. Extreme outliers are not served by markets, it’s true. I can’t get fresh milk delivered to my door in glass bottles, for example.

    But you have to compare real things with real things. Compare a competitive market for identity services with a government-controlled identity environment, and you’ll find the market superior. This idea of the “disinterested engineer” may exist as some kind of Platonic ideal, but it is not real.

    The thing that will strike the most appropriate balance is lots of interested engineers and companies competing to serve the consumer. The fact that I talked about one company is not an endorsement of having one company be the sole identity provider, and I did talk about alternatives and competition.

  • http://twitter.com/ewout Ewout ter Haar

    I was thinking of a third real thing. Organizations like IETF and W3C make standards not controlled by either government or corporate players in a competitive market. That’s what I meant by doing identity standards the “internet way”.

    Collaborative standards making in this way is a messy, political process. There is no guarantee that these committees will come up with a good standard. But now the market can choose which standard to use, not one particular application like Facebook Connect or a Google Identity. I have fewer problems with market mechanisms at this higher level. A winner-takes-all outcome is a good thing when we are talking about standards. The important thing is that after the dust settles, not one single market-player controls or owns the standard. Then, market-players can compete on this new, and hopefully level, playing field.

  • http://twitter.com/candres candres

    This is not a battle between Facebook, Google, or OpenID. In a user-driven identity ecosystem, as long as the relying party trusts one or more identity providers selected/trusted by the user to verify the user’s claims to the relying party (website), multiple identity providers can thrive. You can see this in operation today at LA Times, Kodak, (even this website!) where you can register using your choice of Facebook ID, Twitter ID, Google ID, et al. This not only makes it easy for you (you already have these IDs, no new ID to create or password to remember), it is easier for the relying party. For example, Google verified your email address when you signed up there, so now the website doesn’t need to do that, and knows your email address is valid.

    Furthermore, this allows the opportunity for multiple identity providers to verify claims of different types. I would not trust Facebook to store my physical address; they could sell it — but I could trust the US Post Office or UPS. Facebook is fine to verify I have 98 friends who are also real people. But Facebook doesn’t know how old I am, because they don’t verify that. Trusted verified claims from multiple trusted identity providers certified by an independent agency to the trust level required for the transaction is where we are headed. And this will be a good thing.
