If you are creating a new website or mobile app, one of the things you need to worry about most is user login.
User login is thorny. Make it too hard, and users won’t sign up. Make it too easy, and you put users’ passwords at greater risk of being hacked.
Moving all that pain to Facebook might seem like an attractive option. Facebook has been pushing its Facebook Connect service as a way you can outsource the login capability to Facebook. You let Facebook handle the databases, the passwords, and so on, and you just do some simple code to link to Facebook. And there are already more than 1 billion Facebook users, so it’s likely your users already have a log-in. What’s not to Like (bad pun intended)?
Well, most web properties have two important success criteria and measures: how many new users sign on every month, and how often they come back. Once you’ve used Facebook Connect, guess what information you’ve just given to Facebook. Let me quote the Facebook Connect policy: “We can analyze your app, content, and data for any purpose, including commercial.”
So what can you do? First, offer a choice. Give your users the option of logging in with Twitter or Google+ as well. That way, at least, no single website will get all the data on your business. If you are targeting developers, add in Github login and some other developer-focused sites too.
But what you really need to do is to open this up wider. The more choice you offer to your users, the less information you give away to your competitors. A new standard, approved earlier this year, called OpenID Connect, does exactly that. It allows users to select their own identity providers for log-in.
OpenID Connect is a standardization of a model that many websites have been using to allow OAuth2 to be used for login and single sign-on. OAuth2 is a standard that actually emerged in conjunction with the earlier OpenID specifications. It’s widely used for machine-to-machine authentication and authorization. OpenID Connect (OIDC) extends this model with a really important improvement: discovery. This means that, given a particular email address, the website can automatically determine who is the OIDC identity provider for that user. And it’s done in a completely distributed way, so it doesn’t involve any single central provider. This means it doesn’t share information with a single system either. It uses a simple RESTful service called WebFinger, which is also used by distributed alternatives to Facebook like Diaspora.
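To make the discovery step concrete, here is an added example (not code from the article, and not from any OIDC library) of what a relying party does with an email address: it sends a WebFinger query to the user's domain asking for the OIDC issuer link, then fetches that issuer's configuration document. The request and document shapes follow OpenID Connect Discovery 1.0; the host names, user accounts and JSON responses are constructed sample data served from a dict instead of over HTTPS. Two checks a relying party should make are included: the discovered issuer must be an https URL without query or fragment, and the `issuer` value inside the configuration document must be identical to the URL it was fetched from.

```python
"""OpenID Connect discovery via WebFinger.

Added example, not code from the article or from any OIDC library. The
request shape and the two well-known documents follow OpenID Connect
Discovery 1.0; the host names, users and JSON responses are constructed
sample data served from a dict instead of over HTTPS.
"""
import json
from urllib.parse import urlencode, urlsplit

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"


def webfinger_url(host: str, resource: str) -> str:
    """WebFinger query (Discovery 1.0 section 2) asking only for the OIDC issuer link."""
    query = urlencode({"resource": resource, "rel": OIDC_ISSUER_REL})
    return f"https://{host}/.well-known/webfinger?{query}"


def normalize_email(identifier: str) -> tuple:
    """Simplified form of the spec's identifier normalization for email-style input:
    'user@host' becomes the acct: URI 'acct:user@host' and the WebFinger host is 'host'."""
    identifier = identifier.strip()
    if identifier.startswith("acct:"):
        identifier = identifier[len("acct:"):]
    if identifier.count("@") != 1:
        raise ValueError(f"not an email-style identifier: {identifier!r}")
    host = identifier.rsplit("@", 1)[1]
    return host, "acct:" + identifier


# Constructed sample responses keyed by URL, standing in for HTTPS fetches.
SAMPLE_RESPONSES = {
    webfinger_url("example.com", "acct:joe@example.com"): json.dumps({
        "subject": "acct:joe@example.com",
        "links": [
            {"rel": "http://webfinger.net/rel/profile-page", "href": "https://example.com/~joe"},
            {"rel": OIDC_ISSUER_REL, "href": "https://login.example.com"},
        ],
    }),
    # A domain that advertises a plaintext-HTTP issuer: must be refused.
    webfinger_url("example.com", "acct:sam@example.com"): json.dumps({
        "subject": "acct:sam@example.com",
        "links": [{"rel": OIDC_ISSUER_REL, "href": "http://login.example.com"}],
    }),
    # A provider whose configuration document claims a different issuer: must be refused.
    webfinger_url("example.org", "acct:kim@example.org"): json.dumps({
        "subject": "acct:kim@example.org",
        "links": [{"rel": OIDC_ISSUER_REL, "href": "https://idp.example.org"}],
    }),
    "https://login.example.com/.well-known/openid-configuration": json.dumps({
        "issuer": "https://login.example.com",
        "authorization_endpoint": "https://login.example.com/authorize",
        "token_endpoint": "https://login.example.com/token",
        "jwks_uri": "https://login.example.com/jwks.json",
    }),
    "https://idp.example.org/.well-known/openid-configuration": json.dumps({
        "issuer": "https://other.example.org",
        "authorization_endpoint": "https://idp.example.org/authorize",
    }),
}


def sample_fetch(url: str) -> str:
    """Offline stand-in for an HTTPS GET; a real client would use a TLS-verifying HTTP client."""
    if url not in SAMPLE_RESPONSES:
        raise LookupError(f"no sample response for {url}")
    return SAMPLE_RESPONSES[url]


def discover_issuer(email: str, fetch=sample_fetch) -> str:
    """Step 1: ask the user's domain which OIDC issuer serves this account."""
    host, resource = normalize_email(email)
    doc = json.loads(fetch(webfinger_url(host, resource)))
    issuer = next((link.get("href") for link in doc.get("links", [])
                   if link.get("rel") == OIDC_ISSUER_REL), None)
    if not issuer:
        raise LookupError(f"no OIDC issuer link for {resource}")
    # Relying-party check: an issuer is an https URL with no query or fragment component.
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise ValueError(f"refusing issuer {issuer!r}: must be https without query/fragment")
    return issuer


def fetch_provider_config(issuer: str, fetch=sample_fetch) -> dict:
    """Step 2: load the issuer's configuration and confirm it claims exactly that issuer."""
    config = json.loads(fetch(issuer.rstrip("/") + "/.well-known/openid-configuration"))
    if config.get("issuer") != issuer:
        raise ValueError(f"configuration at {issuer} claims issuer {config.get('issuer')!r}")
    return config


def discover(email: str, fetch=sample_fetch) -> dict:
    """Email address in, verified provider configuration out."""
    return fetch_provider_config(discover_issuer(email, fetch), fetch)


if __name__ == "__main__":
    cfg = discover("joe@example.com")
    print("joe@example.com ->", cfg["issuer"], "authorize at", cfg["authorization_endpoint"])
    for bad in ("sam@example.com", "kim@example.org"):
        try:
            discover(bad)
        except ValueError as err:
            print(bad, "->", err)
```

Note that nothing in this flow contacts a central directory: the only parties consulted are the user's own domain and the issuer it names, which is the distributed property the article is pointing at. The issuer-match check matters because the configuration document is what tells the relying party where to send the user and which keys to trust; accepting a document that names a different issuer would let one domain speak for another.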
So who is implementing OIDC today? Google, Microsoft and Salesforce are all supporting it, which is an important start, but not enough of an ecosystem yet, in my opinion.
There is also a new version being pushed by the GSMA — one of the major standards groups in the mobile phone world — that enables people’s phones to become their identity. Mobile Connect is OIDC tuned to use your mobile phone number as the basis for authentication. Mobile Connect works like this: instead of using your email address, you enter your mobile phone number (the first time only). The discovery process then identifies your network operator, who can now authenticate you.
Mobile-specific approaches can then be used for authentication, such as a special security app on your SIM, or using SMS or a lower level protocol called USSD to interact with your mobile phone. This means that two-factor authentication is a built-in part of Mobile Connect.
The biggest challenge with Mobile Connect is not the technology. It’s the network operators. In order to get Mobile Connect to work, it needs a critical mass of users. The network operators need to work together to push it out, and so far it isn’t clear that they are willing to cooperate with each other.
The challenge for the operators is that services like Facebook, Whatsapp, Kik and Snapchat have already displaced the highly profitable SMS business. Phone numbers were once a well-known, well-understood identifier, but they are being replaced and outclassed by email addresses and Facebook logins.
If you enable OIDC on your website today, you are sending a message to Google, Twitter, and Facebook that you want to open up the identity ecosystem. You also send a message to the mobile world that they can join in.
This is an opportunity for both the phone operators and the other websites to create a level playing field for identity. At the same time, it opens up choice to developers and consumers. And most of all, it means you don’t have to give all your subscription metrics to Facebook.
Paul Fremantle is co-founder and CTO of the innovative middleware company WSO2. He’s also a member of the Apache Software Foundation, and he previously served as vice president of the Apache Synapse project. He plays the tin whistle.