My concern against using FB for authentication is this: Does using FB login 
give the site read access to my profile, friends, etc? My profile is set to 
private to keep advertisers at bay. In the early years Facebook warned users 
that clicking on an external link would grant such access.

matthew


-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of 
valdis.kletni...@vt.edu
Sent: Friday, November 30, 2018 1:12 PM
To: Keith Medcalf
Cc: nanog@nanog.org; Brian Ladd
Subject: Re: [outages] facebook slow

On Fri, 30 Nov 2018 13:16:31 -0700, "Keith Medcalf" said:
> Why don't you just write all your passwords on big sheets of 
> construction paper and put them on the front of the building or in the 
> nearest Starbucks?

I'm going to go out on a limb and say that with all the problems inherent in 
using a social media account as an authenticator, for 95% of sites it's still 
more secure than if they attempted to create their own authentication system.
Having even less security expertise than Facebook, they will probably get it wrong 
(possibly in a subtle fashion that gets quietly exploited for years, and 
possibly in a spectacular fashion that makes it on the evening news).

There's the additional factor that security is always about trade-offs - for 
many sites, the dangers of using social media logins are *far* outweighed by 
being able to just have a big shiny "Log in using Facebook" button instead of 
making the user set up an account, pick a password, send them a verification 
e-mail, then they have to read their e-mail and click on the link.  Do that, 
and they just left for another site.  Doesn't take many people leaving for 
another site before any added "security" added by doing authentication yourself 
is outweighed by lost traffic.

