A recent blog post by Simson Garfinkel (of MIT Technology Review) raises an interesting possibility – that Facebook may be positioning itself to be your pathway to a myriad of other Internet sites, so that you don’t have to manage a plethora of user IDs and passwords. Interesting, strategic, potentially scary – lots of words come to mind when thinking about this possibility.
Facebook introduced Facebook Connect in 2008, and it’s now part of a collection of tools Facebook calls Facebook for Websites. To understand Facebook Connect, think about two different styles of building security. In one model, with a whole lot of exterior doors, you have to have a separate key to each one to get into the individual rooms – analogous to your separate passwords for each website you visit.
With Facebook Connect, you have the potential for a new model – a single exterior door, controlled by Facebook, and a single key – your Facebook user ID and password. Once inside, you can then have access (with no new keys required) to any room allowing use of the Facebook key, and you won’t have to get your key out again (retype your password), either. So instead of carrying many keys (user IDs and passwords), you need only carry one, at least for all those sites that support Facebook Connect. Techies call this single signon.
Facebook for Websites gives the sites that implement Facebook Connect access to a number of additional tools. Those sites allow users to “Like” things on non-Facebook sites, to allow users to easily register for a new site (with data pre-filled from their Facebook account, and Facebook Graph, allowing the site to see all of your Facebook Friends so it can leverage that information for marketing and other purposes.
Facebook Connect (and Facebook for Websites) was created, I believe, with the intent of making Facebook a more central part of its users’ Internet experience. Assuming that people used Facebook as their path to other web sites, that makes Facebook itself even more “sticky” as a destination for its users. Dropping their Facebook account would then require re-creating accounts at those places where they had previously logged in with Facebook.
As Garfinkel notes, this idea makes some sense for users. 500 million of us already have a relationship with Facebook, and have a lot of data there, making it already “sticky”. But there are potential issues, of course, in that Facebook doesn’t have a stellar track record of protecting the privacy of your data that you post there. And if your Facebook account password is compromised (by Firesheep, by someone guessing it, or by any number of other means), you’ve now lost “the key to the kingdom” – all accounts to which you connected with Facebook are now compromised.
Technologists have tried lots of things to solve this problem for consumers – having browsers remember your passwords, separate devices that could store them, specialized services like myonelogin.com to do single signon, etc. All have downsides in terms of both their risk profile and their usability, and Facebook Connect does too. What do you think? How do you manage your Internet passwords? I look forward to hearing from you.