Oauth, OpenID, Facebook Connect: Authentication Design Best Practices

OAuth, OpenID, Facebook Connect: Authentication Design Best Practices or logging in to stuff is real weird now, guys James Reffell SXSW Interactive March 14th, 2011 twitter: @jreffell#authenticationdesign jreffell@webroot.com

Im James Reffell. Im a designer. I live in San Francisco, near the beach.

acquired byI’ve designed for big web companies, and one little startup called Usable Security. We got acquired by a bigger(but not very big) security software company, Webroot, which was cool.

If you can’t use it, it’s not secure.At the startup we had a goal and an ideology. The goal: make security software usable by normal people. Theideology: if you can’t use it, it’s not secure. There is no trade-off between security and usability. That’s false.This is true in the physical world: the easier your bike lock is to get on and off, the more you will use it.

This talk is about authentication. The technical details of authentication, and especially the security aspects, arevery important. But I’m a designer, and I have an ideology. I worry most about what users experience. And whatthey experience is ...

1. Logging in to stuff. 2. Being logged in to stuff. 3. Logging out of stuff.Logging in to stuff (so you can do things). Being logged in to stuff (and doing things). Logging out of stuff(because you want to stop doing things). You and I may know there’s more to it, but to most people this isauthentication. It’s also changing.

Now it also includes 3rd party authentication. OAuth. Facebook Connect. Open ID. These are the underlyingtechnologies. Logging in to one site to do something on another site, or to pass data between two sites, orsomething similar. That’s what I’m going to talk about today.

Digression Spooky story Made of people Beneﬁts, drawbacks, & examplesHere’s what I’m going to cover: a historical digression, then a spooky story, some things about people youshould know, and then some meat about designing 3rd party authentication. The good and the bad.

N IO SS REIGDBut first, a digression! Ever wondered where we get the phrases “log in”? We’ve used it since at least the ‘60sfor terminal machines.

N IO SS RE IGD It was adapted from the general sense of logging = recording and logbooks, which came from the narrower use of logging ship activity, and more specifically speed. And how do you measure speed?

N IO SS RE IGD With a log! Attached to a knotted rope. Which you throw overboard and time how many knots go by for a set period of time. So, when you next log in, think about big hunks of wood being thrown overboard.

Spooky storyNow, it’s time for a spooky story. Once upon a time ...

There was a little blog called ReadWriteWeb. (Think you already know this story? Hold on. This is the spookyversion.) This was a popular article, got a lot of attention.

So popular it became the top result for the search query “facebook login”. Which as it turns out, a lot of peoplewere using as a way to navigate to Facebook. (This is pretty normal, btw. Lot’s of people use search fornavigation. )

So folks looking for this ...

... instead saw this, and freaked out. Many of those people probably exited and did something else. But somepeople were convinced this was Facebook. So the dedicated looked for some way to log in.

Which led to a whole bunch of people posting comments complaining about how they couldn’t log into Facebook. And insome cases complaining about Facebook’s redesign. Now, let’s quickly move past the “silly users” reaction to the “gee, weneed to do better helping our users” reaction. But there’s something else, too. Let’s look at those comments again. Those

That’s because -- assuming they weren’t already logged in to Facebook -- they saw something like this. This is aFacebook Connect dialog. (Or what it used to look like.) These users logged into Facebook. Just not in the way theyexpected.But they didn’t REALLY succeed, because they probably don’t know what happened.

And that’s the spooky part. OK, it’s not quite “They’re coming from inside the house!”. And all theparticipants here are benign.

Because, of course, they’ve just tied their Facebook identity, with what is probably their real name, to a comment on ablog they’d never heard of today. And that blog is now an authorized app for their Facebook account. Luckily it’s thenice folks at RWW and not someone sketchy, right?

Ye Olde Way Ye New Way user A user domain A C navigates to navigates ... to do to ... stuﬀ on ... domain domain domain A A B .. but uses login credentials "om ...Spooky stories usually have a moral. Here’s one. Lots of people were only barely hanging on by their fingertipsto the that model where there was a domain, and you logged in to that domain so you could do stuff on thatdomain. And now we’re building new models. So, before using those new models, take some time to reflect.

Made of peopleThe Internet is made of people. We can lose sight of that when making things, especially around security. We plan forpeople to use our products in one way, and then they do different things. They break our models. That’s true of theold model for authentication; it’s equally true of newer ones. So let’s talk a little about things people do.

People share computers devices.People share computers. We dont always allow for this when we design software, but they do. Great Microsoft studyshowed 95% of homes had at least one shared computer, and 45% of computers were shared. OS profile usecommon but not universal. Other devices? We think of phones as individual devices, but watch teenagers. And

People share accounts.People share accounts. Which means they share passwords. eBay history: eBay, of course, has some very largebusinesses selling on it. But for YEARS, wed get complaints from account owners, who might have a dozenemployees using a single account, and were worried that one disgruntled employee could take down their entire

People make up identities. “At the Fieldston School in the Bronx, a class on Tolstoy resulted in some students adding Russian patronymics like -ovich and -ovna to their names.” - NY TimesNY Times article. A bunch of kids all change their names in Facebook. In this case, with a Russian Literaturetheme. Why? To be cute, but also to avoid college recruiters, who they are convinced troll FB for information onthem during college application season. No harm to their social life, their friends all recognize them.

People have multiple accounts.Techcrunch poll: 38% of Twitter users have 2 or more acocunts. Unlike Facebook, Twitter is totally fine withthat. Google is experimenting with letting you be logged in to more than one account at a time -- but I’ve neverseen a company launch a feature it was so terrified of. Check out all the warnings you have to step through!

People reuse passwords.Wonderful Microsoft Research paper by Dinei Florencio and Cormac Herley. The average password was usedat around 6 sites. There was a correlation between password strength and reuse. Some of you may have beenGawkered. And before the security scold in the audience get started ...

People ignore security advice. Rationally.Another paper by Herley did an economic model of the cost of following certain kinds of security advice versusthe possible risks associated with NOT following the advice. Estimated cost of phishing: $90 million. Estimatedcost of following anti-phishing advice: $15.9 billion. Similarly, reusing passwords is rational.

An incomplete history ...OK, so that’s people. Now let’s go back to 3rd party authentication. There are a lot of threads -- OpenID waschugging along, but often not in a form most people would get (URLS). Suddenly data exchange (and piggy-back apps) started asking for full credentials -- accounts & passwords. THIS WAS BAD. So some folks gottogether and built OAuth, Twitter adopted it, FB did their own thing but then adopted the in-progress OAuth 2 ...

benefits & drawbacks

Beneﬁt: More usersMore users. More traffic. More signups. If you’ve ever designed a signup flow or a checkout flow, you know they’re a huge sourceof friction. Remove that friction, more people. I wish I had mass numbers, but the anecdata here are great. Registration: sites thatuse Facebook Connect as an alternate to account registration have seen a 30-200% increase in registration on their sites. PayPal

Beneﬁt: SimplicityBenefit #2. This is related. You don’t just reduce friction for the initial experience. You can reduce it for theongoing. Fewer passwords to remember. Outsource your “forgot password” flow to Facebook. This can helpyour users, but it also can help you build your app faster. Software is an iceberg!

Beneﬁt 3: DataBenefit #3. Data. This is the one people concentrate on. Different sites give you different data in different ways:email addresses, social graph, birthdays, ability to post, all the rest. It’s a big deal.

Drawback: Confusion harken back to story but also techrunch exampleDrawback #1. Confusion. This is a tech-world example, but Techcrunch added Facebook-powered comments.It’s kind of cool, b/c you choose between identity providers. Choice is good! Until you end up logging in toTechcrunch with your Facebook ID with your Yahoo ID. That doesn’t even make sense when I say it.

Drawback: Lack of site controlThe more 3rd party services you use for critical infrastructure, the more you’re at their mercy. Downtime, policychanges etc.. Let’s take downtime. Facebook has amazing uptime, probably better than yours, but if you’rerelying on them to handle your authentication, you now have theirs plus yours. And there’s nothing you can do.

Drawback: Lack of user controlLack of user control. Don’t worry, this isn’t real, a fellow named Zach Holman mocked this up to point out howthe current all-or-nothing permission standard can hurt users. Though, usually not this dramatically. WOuldn’t itbe nice to be able to uncheck “murder your children”?

Drawback: InappropriacyDrawback #3. Inappropriate audiences. So presenting too many choices to your user is probably bad, butpresenting one bad choice is probably worse. Do I really want my Facebook account, with all my personal data,connected with a site that does professional reviews? No, I do not.

Doing it right.

Have a backup plan Get the email address.Services will change the rules on you. Think Apple and their new subscription model which freaked a lot ofdevelopers out. You can’t plan for everything, but you can have a backup plan. And the most important thing isget their email address. Then, whatever happens, you can talk to them and make adjustments.

Few, appropriate choices.Few, appropriate choices. If your audience is social & doesn’t mind their real names associated with your stuff,Facebook might make sense. If you’ve got lawyers, maybe pick something that doesn’t connect with partypictures. If you’ve got activists, maybe pick something that doesn’t require real names,

Handle exceptions well.Handle exceptions well. What happens if Facebook goes down? What happens if someone signs up withTwitter on one machine and then facebook on another -- can you somehow figure that out and merge theaccounts? The more 3rd party services you support, the more use cases you’re going to have to cover.

Don’t be a data hog.Get the data you need ... but don’t be a data hog. OK, Instagram only wants three things. All of them makesense given what I would use it for. Quora -- I love Quora, but why does it want to know about my family? Whydoes it want my videos? Creepy!

conclusion-ey thingThat wraps the practical part of my talk. There’s innovation and exciting technical stuff going on right now, but ifyou’re a designer or developer and you’re building something for a general audience right now, you shouldtotally ignore any of it until it’s been tried, tested vetted, beaten on, etc. In that spirit I’ve tried to stick to facts --or at least fact-like anecdotes -- so far, and leave out the opinionating and rank speculation. But this is SXSW!

conclusion-ey thingWe are in the process of moving from one model of online identity to another. The old model -- accounts for asingle domain, usernames, passwords, etc. -- has been in place since the birth of the Internet, and if you squint,since we’ve had networked devices. And right now, today, it is still the primary model. We do NOT know whatnew model we are moving towards. We know some pieces. We can identify some tensions around which thenew model will be formed. But it has not been decided, and we are probably some of the people who will decide

Bald predictionsI. Passwords will get more annoying.II. Authentication will span the whole OS /browser / webpage stack.III. Identity providers will start to specialize.IV. More tension between real names vs.anonymity / pseudonymityV. Move to distributed & contextual identity.VI. Privacy regulation (EU, US) will kick in.

questions? jreffell designcult.orgjreffell@webroot.com slideshare.net/jreffell

ReadWriteWeb story ReferencesFacebook Wants to be Your One True Login, ReadWriteWeb(http://www.readwriteweb.com/archives/facebook_wants_to_be_your_one_true_login.php)Made of peopleAn Online Alias Keeps Colleges Oﬀ Their Trail, NY Times(http://www.nytimes.com/2010/04/25/fashion/25Noticed.html)A Large-Scale Study of Web Password Habits, Dinei Florencio & Cormac Henley(http://research.microsoft.com/apps/pubs/?id=74164)So Long, And No Thanks for all the Externalities: the Rational Rejection of Security Advice by Users, Cormac Henley(http://research.microsoft.com/users/cormac/papers/2009/SoLongAndNoThanks.pdf)The Cost of Reading Privacy Policies, Aleecia M. McDonald & Lorrie Faith CranorI/S: A Journal of Law and Policy for the Information Society, 2008 Privacy Year in Review (http://www.is-journal.org/)How Many Twitter Accounts Do You Have? Techcrunch(http://techcrunch.com/2008/01/09/how-many-twitter-accounts-do-you-have/)Family Accounts: A new paradigm for user accounts within the home environment Serge Egelman, A.J. Brush, and KoriInkpen (http://research.microsoft.com/apps/pubs/?id=74234)http://blogs.wsj.com/digits/2010/12/13/the-top-50-gawker-media-passwords/http://techcrunch.com/2011/03/09/report-paypals-express-checkout-helps-bump-sales-by-18-percent/http://www.businessinsider.com/six-months-in-facebook-connect-is-a-huge-success-2009-7#ixzz1FZ8q5iS1http://zachholman.com/2011/01/oauth_will_murder_your_children/

Creative Commons Creditsphil.d Joe Shlabotnikhttp://www.flickr.com/photos/phill_dvsn/393952186/ http://www.flickr.com/photos/joeshlabotnik/305410323/levitateme ryancrhttp://www.flickr.com/photos/levitateme/195355984/ http://www.flickr.com/photos/ryanr/142455033/michaelholden churbuckhttp://www.flickr.com/photos/michaelholden/ http://www.flickr.com/photos/churbuck/2925894054/4148616920/mrlederhosen lightcliffhttp://www.flickr.com/photos/mrlederhosen/3944315426/ http://www.flickr.com/photos/lightcliff/3766567707/movito flickrofsumithttp://www.flickr.com/photos/movito/2214551923/ http://www.flickr.com/photos/flickrofsumit/5395631451/natalielucier tensafefrogshttp://www.flickr.com/photos/natalielucier/3619742583/ http://www.flickr.com/photos/tensafefrogs/webel mrdorkesq http://www.flickr.com/photos/http://www.flickr.com/photos/webel/145431680/ 29158681@N00/4429376362/

http://www.designcult.org	126
http://designcult.org	66
http://www.reffelldesign.com	31
http://theavclub.posterous.com	31
http://ykominami.blogspot.jp	12
http://designcult.typepad.com	10
http://twitter.com	5
http://uber-code.blogspot.com	4
http://matthias-althaus.myonid.de	4
http://paper.li	4
http://uber-code.blogspot.com.es	2
https://twitter.com	2
https://si0.twimg.com	1
http://us-w1.rockmelt.com	1
http://www.slideshare.net	1
http://www.typepad.com	1
http://posterous.com	1
http://translate.googleusercontent.com	1
http://www.linkedin.com	1

Oauth, OpenID, Facebook Connect: Authentication Design Best Practices

by James Reffell

Accessibility

Categories

Upload Details

Usage Rights

19 Embeds 304

Statistics

Oauth, OpenID, Facebook Connect: Authentication Design Best Practices Presentation Transcript