nanog mailing list archives

RE: [outages] facebook slow


From: Matthew Black <Matthew.Black () csulb edu>
Date: Sun, 2 Dec 2018 20:46:05 +0000

My concern against using FB for authentication is this: Does using FB login give the site read access to my profile, 
friends, etc? My profile is set to private to keep advertisers at bay. In the early years Facebook warned users that 
clicking on an external link would grant such access.

matthew


-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of valdis.kletnieks () vt edu
Sent: Friday, November 30, 2018 1:12 PM
To: Keith Medcalf
Cc: nanog () nanog org; Brian Ladd
Subject: Re: [outages] facebook slow

On Fri, 30 Nov 2018 13:16:31 -0700, "Keith Medcalf" said:
> Why don't you just write all your passwords on big sheets of
> construction paper and put them on the front of the building or in the nearest Starbucks?

I'm going to go out on a limb and say that with all the problems inherent in using a social media account as an 
authenticator, for 95% of sites it's still more secure than if they attempted to create their own authentication system.
Having even less security expertise than Facebook, they will probably get it wrong (possibly in a subtle fashion that gets 
quietly exploited for years, and possibly in a spectacular fashion that makes it on the evening news).

There's the additional factor that security is always about trade-offs - for many sites, the dangers of using social 
media logins are *far* outweighed by being able to just have a big shiny "Log in using Facebook" button instead of 
making the user set up an account, pick a password, send them a verification e-mail, then they have to read their 
e-mail and click on the link.  Do that, and they just left for another site.  Doesn't take many people leaving for 
another site before any added "security" added by doing authentication yourself is outweighed by lost traffic.


