• Authentication: to demonstrate to a site or system that you are who you say you are, usually done with a password
  • Federation: when one site trusts another to authenticate someone
You’ve probably seen the image below – or something like it – before.  Nowadays this is called a “social login”, and it allows you to log into some site with your Facebook, LinkedIn, Twitter or GMail account and maybe a local account:

Even if you try not to use other providers to authenticate you, they can provide multifactor for local logins.  Tinder, for example, authenticates you to your phone, but their multifactor is provided by Facebook.  Remember that mobile phone number you had to provide to get a Facebook account?  Now they’re connected, so you could start receiving ads by IAC (the same company who owns Tinder) for CollegeHumor, Ask, HomeAdvisor, to try Match.com as well, or for other companies owned by IAC Holdings.

These systems have benefits and drawbacks that have never been explained by anyone and they’re really things you should know about.

  • This system exchanges a password for an authentication token (an encrypted cookie), and it’s the contents of this cookie that are passed around instead of your password.  It is more secure.
  • It’s convenient.
  • People have one less fewer password to worry about,
  • One less password to change as needed, and
  • If the site is compromised your password won’t be – it’s not on that site.
  • You only have to set up multifactor for one site.
  • The federated authentication token (the cookie in your browser) can be used across the board; in the picture above for example, once you log in with LinkedIn you can access this site, Twitter AND Facebook without having to type your password again (depending on how they’ve set up federation).
For websites and businesses, benefits include:
  • Sites that implement it are off the hook when it comes to password and data exposures; your password isn’t kept there.
  • As users start to get comfortable with it and use it more, it becomes easier so they’re less likely to bail on your site for somewhere with an easier registration process.
  • Much easier maintenance, as a whole component of site management is nearly gone.
  • With the discovery of Cambridge Analytica, we know Facebook has a ton of information on you.  This is one of the ways they get it: their logs contain what sites you’ve authenticated to, so if it’s a “liberal” site it’s now associated with your email address and computer’s IP address, correlated with your Facebook account (just like a pivot table in Excel).
  • As above, that authentication token can be used on other sites – as soon as you go to them, now they know too.
  • The site you’re federating to – let’s say Facebook in this example – how holds your keys.  Other sites trust their authentication service to be up and you trust them with your keys.
  • The whole “use a different password for each site you log into” security practice is now out the window.
For websites and businesses, it’s not all roses either:
  • You’re no longer able to support users with authentication problems, it’s not something you control.  Better hope it works because when it doesn’t, neither do you.
  • Your site is now a slave to whoever you’re federating with: if they make a change to their API, oh well, you’re broken until you accommodate for it.  Better keep up.
  • You don’t really have your users – Facebook/Twitter/LinkedIn/Google however, do.  Users may have profile data on your site, but if they can’t access it that all goes up in smoke.
  • Remember when ATM’s were free?  Credit cards?  That’s how this will go – currently federation is free, but they are offering a service after all.  How long until you have to pay for it?  How much?  They’re not really your users, so if you want your site to survive, better pay up. What’s it worth to you?  You’re going to find out.
Authentication beyond the password has become a business model.   “Passwordless” providers such as Auth0, Firebase, Swoop, WebAuthn and others are often free so that you’ll use their service (and tell *them* what sites you’re visiting – that’s worth money), and once the idea picks up it won’t be free for long.  This  – surrendering control to yet another business – doesn’t have to be the “next thing” after passwords.   U2F and Fido are open, non-proprietary standards that everyone can use.  Learn more here: https://www.yubico.com/solutions/fido-u2f/
(To head off the question, it’s not the same thing as the other companies – Yubico provides an implementation, they’re not a gatekeeper & sole provider, nobody is, there is no central authority.)
In the end, handing off authentication to someone else is lazy and throws responsibility over the fence.  It’s either lazy on behalf of the site or the user – it is convenient after all – but in the end he who has the keys makes the rules, and using these services hands over your keys and more.

Registering for WhisperLoudly is twice as complicated than if we’d used Auth0 and that’s frustrating, but in the end we know who our visitors are and we assume responsibility for your credentials and logins. This means we can actually help you, too.  If we get compromised we’ve been advising that you use different passwords for different sites, so we’ll require that you change your password and we all move on.  They couldn’t actually abuse the accounts anyway because of 2FAS multifactor, that’s why it’s there.

In order to take back your privacy you have to assume responsibility for it, often at the cost of convenience.  I don’t recommend using any of these services, stick with logins local to the site you’re visiting and use multifactor everywhere you can.  You have all the tools you need in the form of a password manager such as 1Password or Dashlane.

Leave A Reply