Yes, there’s a new form of Rot on the Internet. There’s ye’ ole’ Link Rot for when links die on the ‘net, there’s Application Rot, (which I wrote about a few years ago), and now there’s Authentication Rot. (Though this isn’t really a great name. I’m amenable to suggestions.) Actually, Authentication Rot doesn’t exist too much yet. It’s about to though. I’m writing this in mid-May, 2009. My stake the ground right now is to say, “One of the upcoming Internet s#$% stroms that will blow through within the next 12 months will be a failure of Facebook Connect.” (BTW, I hope I’m wrong. I hope some dev folks from FB read this and say, “No way. We won’t let it happen.”)

What is Authentication Rot?

Authentication Rot is when a users can’t log into a site because the site is using some external source for user authentication and that source goes down. Or changes their code. Or their policies. When and where will this happen? It will happen with Facebook Connect. Now before anyone gets their knickers all twisted up, let me say that I really like Facebook. A lot. It’s a great, fun service and I use it for a lot of stuff. That doesn’t make any of what I’m saying here less true. There are real risks when sites use Facebook Connect as a sole login for user or merges existing accounts to Facebook credentials without leaving the historical id/pw of that local site.

Why is FB Connect a Potential Problem?

Facebook Connect is winning. It has critical mass of awareness. It’s passing the proverbial Tipping Point. Once upon a time, Microsoft tried Passport, more lately re-cast as Windows Live ID and tried to become THE place to hook up some form of common login. (Google Friend Connect really doesn’t count.) And there’s the current attempt to get Open ID going as a standard. Open ID may be used by a bunch of web sites at this point, but it still essentially relies on a certifying party, (though not one particular certificating authority). And for other sites to trust that certifying authority. The main problem with it though is it’s not really understandable by a typical web user. And if you happen to forget where you signed up for your original Open ID and forget your password, you have a problem.

Nope. Insofar as anyone is going to be a single sign-on juggernaut these days, it’s Facebook. People get it. You go to a site, there’s a login button and a Facebook Connect icon and boom. Even for those who don’t get it right now, the whole thing is becoming common enough that everyone will.

Is this Really a Problem?

Maybe not. At least not for most people most of the time. But let’s consider…

  • If you’re a site owner, a Facebook Connect outage will remove YOUR user’s ability to login to YOUR site for those users who use their Facebook credentials to login. If you’ve merged a prior ID/Password with a Facebook login, this will also be true. (Unless you go through what is likely a cumbersome and expensive process to keep multiple user IDs active at once.)
  • What happens if Facebook changes their policies regarding use of Facebook Connect? For example, let’s say sites with “objectonable” content start using Facebook Connect? Personally, I wouldn’t have a problem at all if hate speech sites were dis-allowed. But that’s the slippery slope problem of just where does that line get drawn? What level of porn or political extremism would be rejected? (Remember, the issue isn’t who can use it now, it’s what happens if it’s just shut off one day. This isn’t a post about political issues surrounding speech; just risks to site owners and users when using credentials from external sources.)

What Can You Do?

  • As a site administrator, consider carefully if you need this functionality. Chances are that you’ll want it though. There’s already anecdotal and some real research that this feature signifigantly increases site usage and registration. Then consider two things: 1) Going to the effort to maintain the ‘old’ user id’s/passwords for “locally” registered users. And 2) An emergency plan if you choose to not expend the effort on Number One. You’ll need to be prepared to send Emails, (assuming you have addresses), to users with a newly manually unmerged account ID and Password. You’ll need to decide how long to wait for Facebook to fix any outage. And most of all, if you’ve built this site for a client, you’d better have text in your Service Level Agreement, (SLA), that you’re not responsible for outages of this sort when a client opts to have Facebook Connect as a feature.
  • As a user, don’t worry too much about this sort of thing. Unless something is core critical to you. For example, you might not want to use such a feature with a service where you store critical work documents or similar. But for most people most of the time, waiting the few hours or whatever for the service to come back is probably no big deal. Go outside and throw a ball or something.

Wikipedia References to the some items mentioned above:
Wikipedia Icon Facebook Connect, Windows LIve, OpenID.