Facebook Connect - fatal blow for OpenID? (identity20.com)
22 points by nickb on July 24, 2008 | 36 comments



Facebook is the LAST person I want handling all of my logins. I like that with OpenID I can use my own domain, or any of a host of providers and not have to worry about Facebook knowing every site I use, and how I use it.


Concerned with Beacon 2.0? :)


Sorry, no OpenID nor FB for me.

My on-line identity does not need to be a complete, consolidated mirror image of my actual real-world identity for the sake of convenience for myself nor for others.

http://news.ycombinator.com/item?id=199784


OpenID does not mandate consolidated identity. In fact, Clickpass uses separate OpenID URLs for each service by default.


OpenID does not mandate consolidated identity

By default, consolidated identity is the end result.

The reality of OpenID will surely fall short of its aspirations.

mechanical_fish has a pretty good comment on this:

"You'll have your choice of big corporations to trust with your identity."


There are people who don't want to use Facebook.


Don't worry. If this catches on, Yahoo and Google will get into the provider act, too. You'll have your choice of big corporations to trust with your identity. We might even see Microsoft get back into the act.

I've been expecting OpenID to evolve into this. The whole problem with OpenID from the site owner's standpoint is the dependencies: If you allow anyone to log in from any OpenID provider whatsoever, you're essentially creating an open-ended dependency on thousands of providers across the web. If a provider has a security problem, X% of your users have a security problem; If a provider goes down, X% of your users go down; If a provider offers a bad login experience -- by showing users tons of ads, or trying to lure them to a competitor as they log in -- you've got a bad login experience that you cannot fix except by forcing some users to switch providers.

This solves all that. You get a simple relationship with one provider: Facebook. You get permission to use Facebook's logo on your site, and to use their brand to reassure your users that you know what you're doing. You don't have to temporarily redirect users to another site in that confusing, phisher-esque OpenID way -- the users type their password into your own site, into a page that you design. If Facebook's API starts giving you problems, you send email to a single service department: Facebook's.

Of course, I believe this entire plan got rejected by the market the first time around, when it was called "Microsoft Passport", but perhaps times have changed.


You can tie multiple OpenIDs to your account. Try it on OurDoings if you want to see how it works. There's a "forget I exist" feature you can use when you're done.


I didn't bother to mention the even bigger, better-known problem with OpenID: Users don't understand it. Only geeks understand it, and a subset of geeks at that.

Any plan which involves asking users to build a more complicated mental model of OpenID -- like asking them to understand the notion of multiple IDs aliased to the same account -- is just going to make that fundamental problem worse.


That's for one site, though, if I'm not mistaken. Good luck on getting the rest of the web to allow for that feature.


mechanical_fish described a site owner's problem. I described a site owner's solution. How much luck does it take for site owners to act in their own interest?


Because not all site owners care enough about OpenID to spend time finding any workarounds for implementation. Especially not when easier channels already exist.


There are way more people who don't know what OpenID is.


Maybe they don't have to, you could just as well write "log in with your Yahoo account" or something like that.


So you have that, you have a username field, a password field, you have a little blurb explaining that this is using OpenID.

Facebook, meanwhile, has a big blue button that you click and things just magically work.


How exactly does it work (the article doesn't say)? How do they prevent phishing?

Also, you'll need the blurb for the Facebook button, too.


No you don't. With Facebook, you hit the button, Facebook asks if you want to link your account - that's another button - and from then on it's a one-button login. Users are so used to the Facebook login button that you don't have to explain it, you just put it there. (I'm pretty sure the button says log in, too.)

And Facebook doesn't ask you for your user name or password - you can't phish if the site doesn't ask it to begin with. It just matches your cookies. If you haven't logged in yet, then you need to go to Facebook and log in first. But most people are logged in constantly, so it works out.


It works the same way with OpenID, right?


Yes. But that's where the issue of popularity and singularity pops up.

For Facebook, there's a huge userbase that's already there, and already cookie'd up. Because Facebook has such a huge brand name, it can stand alone and work pretty well.

OpenID, first off, has a DISadvantage in how open it is. No single large button will work. (I love the idea of Clickpass, I think that it has a chance to work, but that means yet another branch of the original OpenID concept.) You need either one single field to log in from, or you need multiple buttons, one per service.

From there it's a matter of individual service popularity. And here's from my experience only, so I could be speaking alone, but the services I used didn't remember me and I had to log in each time. I used ClaimID, MyOpenID, and AIM. Same problems with each. And I used OpenID to AVOID multiple logins. Even when I'd logged in for one site, the second one meant entering my log in again, then going to a second page to verify access. That means the log-in process is longer than just using a separate ID for the site. Registration moved slower, too, because first I had to log in, then I had to grant access, then I had to pick a user name - half as many page loads as even registering with a site using email verification. (Sites that used OpenID AND email verification were the last straw.)

So... conceptually, yes. Exact same process. The difference is that with Facebook I need two clicks to log in, no keyboard, and two clicks is fair to me. The same as theoretically entering a user name and password. And registration is faster, and it keeps all my identities together. So Facebook, by being a faceless corporate entity, has a usability edge, and for the majority of users (I'm not a fan of either, mind you), usability is all that matters.



Too bad, Facebook "web sites" don't really exist. Without a Facebook login, they are invisible.


"Log in with your Yahoo account" - See, that's the fatal flaw. What you describe is called phishing, and is why this sort of thing is destined for failure.


It needs to happen at the application level. You can phish for someone's OpenID login just as easily as you can their Yahoo login, right? Just make it transparent to the user, build it into the browser.


OpenID doesn't work that way. Anyway I don't really care about OpenID, but there is no way I am going to use Facebook.


I kinda hope that is more like when someone said "I don't want to use betamax" than when someone said "I don't want to use the telephone".


There are people who have both. I would add both types of authentication to get to a wider demographic.


Facebook doesn't care about those people, though. They've got a big enough slice of the pie as it is.


Sure, but the premise of the article was "the death of OpenID". Maybe Facebookies will start using Facebook Connect - I am pretty sure that I and many others won't.


And they are not important or have no influence on other people.


Ugh. Every large internet company tries to become the world's identity provider at some point. It's like you're not considered part of the cool kids until you do.

Microsoft tried it years ago with Passport. Google has their proprietary one. Now it's Facebook's turn, apparently. At least Yahoo and AOL use OpenID, even if they are only providers and not consumers.

This will not be a fatal blow any more than Microsoft Passport or Google Account Authentication were.


I have a strange feeling this will catch some wind but end up lost. Great idea, but it's just the status quo for something that's been attempted time and time again.

No sane person is going to run their site and say, "Get a Facebook account if you want to sign up for ours." Would you? They'll have an option: Login/register (or login through Facebook) if they really want to support FC.


Fatal blow, no. This is definitely the best effort though, and what's scary is how well they've implemented the idea. Genius.


I really dislike Facebook (the new walled garden) so I'm still all for OpenID which is far more open.


See, here's the thing - no disrespect to you, but you voiced the opinion most succinctly. Most people don't care about walled or not walled. They care about easy. And because Facebook is easy, and because OpenID sounds like sawdust in your mouth, Facebook has a vast advantage. Especially once most sites add Facebook Connect over OpenID, because it has more users.

A noble statement, but it's not one that carries out.


I wonder if they could've (should've) somehow integrated OpenID into Facebook Connect.


Sure, Yahoo and AOL did it.



