Last week, Formspring servers were compromised and over 420,000 hashed user passwords were stolen. Formspring founder and CEO Ade Olonoh wrote a blog post apologizing for the data breach and advising users to create new passwords immediately. The final line of the 500-word blog post reads: "If you have linked Facebook to your account, you can safely use Facebook Connect to log in." The detail in Olonoh's post is an afterthought, but his sentiment is part of the reason many sites are turning to Facebook to handle identity verification. You'd be hard-pressed to find a company more serious about protecting user data. "There's never been a breach of our login information," Facebook Security team member Fred Wolens told me.
Implementing Facebook Connect (also known as Facebook Login) is kind of like hiring a security detail for each of your users, and getting this service for free. "There aren't too many tricks out there that we aren't using," Wolens said, who previously detailed for me the various ways Facebook protects its users, like scanning data dump sites like Pastebin weekly in pursuit of user credentials. If any member's username or password shows up, Facebook alerts you. The company also recently partnered with leading anti-virus companies to expand its URL blacklist by hundreds of millions of links.
This isn't the first time Facebook Connect has been called out for saving users some trouble. During the Gawker data breach a few years ago, the company acknowledged that users who logged in using Facebook could ignore all the password theft drama. Of course, logging in using Facebook has some obvious limitations, like the fact that you must be a Facebook member to use it, and if Facebook goes down, you're screwed. Additionally, most sites don't let users who log in via Facebook comment under pseudonyms. Lastly, Facebook's "Authorize this site to access your information" dialog is intimidating for new users on your site, in part because sites frequently use the opportunity to ask for more permissions than they would otherwise need. The language in the dialog box ("any other information I've shared with everyone") isn't exactly transparent, either.
But, on the whole, Facebook Connect has almost become a startup's go-to tool for onboarding, grabbing far more mindshare than other options like "Sign in with Google." Not only can sites like Turntable.fm offer unique invite-only schemes, but they can also avoid the hassle of asking users to create new accounts while limiting exposure to hackers — all with less than 50 lines of code. "For our users, it means not having to create yet another account, and immediately having your social graph represented on Songza when you sign up," Songza CEO Elias Roman told me. For large companies, however, building a login platform on top of Facebook can be risky. Changes in the social network's terms of service or Open Graph can be costly if 90% of your users have logged in using Facebook.
Many of these companies choose to integrate other Facebook tools alongside Connect, like an Open Graph plugin that sends all the songs you listen to to friends' News Feeds. "Because of our Open Graph integration, in a given month each Facebook connected user generates at least one additional Facebook connected user, which is awesome," Roman said. "It's easy to get set up for anyone comfortable working with APIs," he elaborated. Unfortunately, sometimes annoying or deceptive Open Graph implementations overshadow the usefulness of Connect, which is inherently just an identity verification tool.
Perhaps more importantly, integrating Connect frees site owners from having to build elaborate password-recovery systems of their own. Facebook already has various solutions in place to recover passwords, like asking you to identify the faces of a few friends. "Developers don't need to keep iterating and improving on account recovery, because we have entire teams of people looking at that issue," Wolens said. Few websites have the resources or time to devise "social captcha" algorithms for determining the likelihood that somebody is in fact who they say they are. "If you use the same computer every day and try to recover your password from that computer, it's a lot different than if you're halfway across the world," Wolens said. "We know that Ellis has used this computer in the last thirty days to log in, so we can create a lot less friction in getting you back into the account."
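The recovery logic Wolens describes is a form of risk-based authentication: the friction a user meets depends on how familiar the requesting device and location are. The sketch below is an added illustration of that idea and is not Facebook's code or API; the thirty-day window comes from the quote above, while the device identifiers, country codes, tier names and sample login history are all constructed for the example.

```python
"""Risk-based account-recovery friction (added illustration, not Facebook's code).

The article describes a recovery request from a device that has logged in
within the last thirty days getting a lower-friction path than a request
from an unfamiliar device or location. This module makes that policy
explicit so it can be reasoned about and tested.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed from the article's "last thirty days"; a real deployment would tune this.
FAMILIAR_DEVICE_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class LoginEvent:
    device_id: str   # stable per-browser identifier (e.g. a long-lived cookie); constructed
    country: str     # coarse geolocation of the source address; constructed
    when: datetime


@dataclass(frozen=True)
class RecoveryRequest:
    account: str
    device_id: str
    country: str
    when: datetime


def recovery_tier(history: list[LoginEvent], req: RecoveryRequest) -> str:
    """Return the friction tier for a password-recovery request.

    low    : device seen inside the window AND country seen before
             -> e.g. a single e-mailed code is enough
    medium : only one of the two signals is familiar
             -> require an additional factor or verification step
    high   : neither device nor country has ever been seen
             -> full out-of-band verification (the article's "social captcha")
    """
    window_start = req.when - FAMILIAR_DEVICE_WINDOW
    recent_device = any(
        e.device_id == req.device_id and e.when >= window_start for e in history
    )
    known_country = any(e.country == req.country for e in history)

    if recent_device and known_country:
        return "low"
    if recent_device or known_country:
        return "medium"
    return "high"


# Constructed sample history for one account; not real data.
NOW = datetime(2012, 7, 16, 12, 0, tzinfo=timezone.utc)
SAMPLE_HISTORY = [
    LoginEvent("dev-home-laptop", "US", NOW - timedelta(days=2)),
    LoginEvent("dev-home-laptop", "US", NOW - timedelta(days=9)),
    LoginEvent("dev-old-phone", "US", NOW - timedelta(days=45)),  # outside the window
]


def demo() -> dict[str, str]:
    """Evaluate a few constructed recovery requests against the sample history."""
    cases = {
        "same_laptop_home": RecoveryRequest("ellis", "dev-home-laptop", "US", NOW),
        "old_phone_home": RecoveryRequest("ellis", "dev-old-phone", "US", NOW),
        "same_laptop_abroad": RecoveryRequest("ellis", "dev-home-laptop", "BR", NOW),
        "unknown_abroad": RecoveryRequest("ellis", "dev-rental", "BR", NOW),
    }
    return {name: recovery_tier(SAMPLE_HISTORY, r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, tier in demo().items():
        print(f"{name:20s} -> {tier}")
```

The point of separating the signals is that each one alone is weak: a device cookie can be copied and a country is trivially shared with millions of people, so only their agreement earns the low-friction path, and a request that matches neither is treated as if it came from a stranger.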
In an age where many (or perhaps most) people use the same password for every site they log into, Facebook Connect has taken on the role of identity-keeper. Integrating Facebook Connect may sound like letting Big Brother handle the "frictionless" security checkpoint for your site, but as servers get hacked and sites go down, it's proven pretty damn tempting.
For more on Facebook security, check out our report: Inside Facebook security: defending users from spammers, hackers, and 'likejackers'