Oauth, OpenID, Facebook Connect: Authentication Design Best Practices

Designer
Mar. 15, 2011


Editor's Notes

  2. I'm James Reffell. I'm a designer. I live in San Francisco, near the beach.
  3. I've designed for big web companies, and one little startup called Usable Security. We got acquired by a bigger (but not very big) security software company, Webroot, which was cool.
  4. At the startup we had a goal and an ideology. The goal: make security software usable by normal people. The ideology: if you can't use it, it's not secure. There is no trade-off between security and usability. That's false. This is true in the physical world: the easier your bike lock is to get on and off, the more you will use it.
  5. This talk is about authentication. The technical details of authentication, and especially the security aspects, are very important. But I'm a designer, and I have an ideology. I worry most about what users experience. And what they experience is ...
  6. Logging in to stuff (so you can do things). Being logged in to stuff (and doing things). Logging out of stuff (because you want to stop doing things). You and I may know there's more to it, but to most people this is authentication. It's also changing.
  7. Now it also includes 3rd party authentication. OAuth. Facebook Connect. OpenID. These are the underlying technologies. Logging in to one site to do something on another site, or to pass data between two sites, or something similar. That's what I'm going to talk about today.
  8. Here's what I'm going to cover: a historical digression, then a spooky story, some things about people you should know, and then some meat about designing 3rd party authentication. The good and the bad.
  9. But first, a digression! Ever wondered where we get the phrase "log in"? We've used it since at least the '60s for terminal machines.
  10. It was adapted from the general sense of logging = recording and logbooks, which came from the narrower use of logging ship activity, and more specifically speed. And how do you measure speed?
  11. With a log! Attached to a knotted rope. Which you throw overboard and time how many knots go by for a set period of time. So, when you next log in, think about big hunks of wood being thrown overboard.
  12. Now, it's time for a spooky story. Once upon a time ...
  13. There was a little blog called ReadWriteWeb. (Think you already know this story? Hold on. This is the spooky version.) This was a popular article, got a lot of attention.
  14. So popular it became the top result for the search query "facebook login". Which, as it turns out, a lot of people were using as a way to navigate to Facebook. (This is pretty normal, btw. Lots of people use search for navigation.)
  15. So folks looking for this ...
  16. ... instead saw this, and freaked out. Many of those people probably exited and did something else. But some people were convinced this was Facebook. So the dedicated looked for some way to log in.
  17. Which led to a whole bunch of people posting comments complaining about how they couldn't log into Facebook. And in some cases complaining about Facebook's redesign. Now, let's quickly move past the "silly users" reaction to the "gee, we need to do better helping our users" reaction. But there's something else, too. Let's look at those comments again. Those are Facebook pictures. And full names (which I've blurred).
  18. That's because -- assuming they weren't already logged in to Facebook -- they saw something like this. This is a Facebook Connect dialog. (Or what it used to look like.) These users logged into Facebook. Just not in the way they expected. But they didn't REALLY succeed, because they probably don't know what happened.
  19. And that's the spooky part. OK, it's not quite "They're coming from inside the house!". And all the participants here are benign.
  20. Because, of course, they've just tied their Facebook identity, with what is probably their real name, to a comment on a blog they'd never heard of today. And that blog is now an authorized app for their Facebook account. Luckily it's the nice folks at RWW and not someone sketchy, right?
  21. Spooky stories usually have a moral. Here's one. Lots of people were only barely hanging on by their fingertips to that model where there was a domain, and you logged in to that domain so you could do stuff on that domain. And now we're building new models. So, before using those new models, take some time to reflect.
  22. The Internet is made of people. We can lose sight of that when making things, especially around security. We plan for people to use our products in one way, and then they do different things. They break our models. That's true of the old model for authentication; it's equally true of newer ones. So let's talk a little about things people do.
  23. People share computers. We don't always allow for this when we design software, but they do. A great Microsoft study showed 95% of homes had at least one shared computer, and 45% of computers were shared. OS profile use is common but not universal. Other devices? We think of phones as individual devices, but watch teenagers. And tablets are the best shared devices yet ...
  24. People share accounts. Which means they share passwords. eBay history: eBay, of course, has some very large businesses selling on it. But for YEARS we'd get complaints from account owners, who might have a dozen employees using a single account, and were worried that one disgruntled employee could take down their entire business. But this happens outside of business too. Families, close groups of friends.
  25. NY Times article. A bunch of kids all change their names on Facebook. In this case, with a Russian Literature theme. Why? To be cute, but also to avoid college recruiters, who they are convinced troll FB for information on them during college application season. No harm to their social life; their friends all recognize them.
  26. Techcrunch poll: 38% of Twitter users have 2 or more accounts. Unlike Facebook, Twitter is totally fine with that. Google is experimenting with letting you be logged in to more than one account at a time -- but I've never seen a company launch a feature it was so terrified of. Check out all the warnings you have to step through!
  27. Wonderful Microsoft Research paper by Dinei Florencio and Cormac Herley. The average password was used at around 6 sites. There was a correlation between password strength and reuse. Some of you may have been Gawkered. And before the security scolds in the audience get started ...
  28. Another paper by Herley did an economic model of the cost of following certain kinds of security advice versus the possible risks associated with NOT following the advice. Estimated cost of phishing: $90 million. Estimated cost of following anti-phishing advice: $15.9 billion. Similarly, reusing passwords is rational.
  29. OK, so that's people. Now let's go back to 3rd party authentication. There are a lot of threads -- OpenID was chugging along, but often not in a form most people would get (URLs). Suddenly data exchange (and piggy-back apps) started asking for full credentials -- accounts & passwords. THIS WAS BAD. So some folks got together and built OAuth, Twitter adopted it, FB did their own thing but then adopted the in-progress OAuth 2 ...
  31. More users. More traffic. More signups. If you've ever designed a signup flow or a checkout flow, you know they're a huge source of friction. Remove that friction, more people. I wish I had mass numbers, but the anecdata here are great. Registration: sites that use Facebook Connect as an alternative to account registration have seen a 30-200% increase in registration on their sites. PayPal Express -- not OAuth, but still 3rd party authentication -- bumped sales for its sites an average of 18%.
  32. Benefit #2. This is related. You don't just reduce friction for the initial experience. You can reduce it for the ongoing. Fewer passwords to remember. Outsource your "forgot password" flow to Facebook. This can help your users, but it also can help you build your app faster. Software is an iceberg!
  33. Benefit #3. Data. This is the one people concentrate on. Different sites give you different data in different ways: email addresses, social graph, birthdays, ability to post, all the rest. It's a big deal.
  34. Drawback #1. Confusion. This is a tech-world example, but Techcrunch added Facebook-powered comments. It's kind of cool, because you choose between identity providers. Choice is good! Until you end up logging in to Techcrunch with your Facebook ID with your Yahoo ID. That doesn't even make sense when I say it.
  35. The more 3rd party services you use for critical infrastructure, the more you're at their mercy. Downtime, policy changes, etc. Let's take downtime. Facebook has amazing uptime, probably better than yours, but if you're relying on them to handle your authentication, you now have theirs plus yours. And there's nothing you can do.
  36. Drawback #4. Lack of user control. Don't worry, this isn't real: a fellow named Zach Holman mocked this up to point out how the current all-or-nothing permission standard can hurt users. Though usually not this dramatically. Wouldn't it be nice to be able to uncheck "murder your children"?
  37. Drawback #3. Inappropriate audiences. So presenting too many choices to your user is probably bad, but presenting one bad choice is probably worse. Do I really want my Facebook account, with all my personal data, connected with a site that does professional reviews? No, I do not.
  39. Services will change the rules on you. Think Apple and their new subscription model, which freaked a lot of developers out. You can't plan for everything, but you can have a backup plan. And the most important thing is to get their email address. Then, whatever happens, you can talk to them and make adjustments.
  40. Few, appropriate choices. If your audience is social and doesn't mind their real names associated with your stuff, Facebook might make sense. If you've got lawyers, maybe pick something that doesn't connect with party pictures. If you've got activists, maybe pick something that doesn't require real names.
  41. Handle exceptions well. What happens if Facebook goes down? What happens if someone signs up with Twitter on one machine and then Facebook on another -- can you somehow figure that out and merge the accounts? The more 3rd party services you support, the more use cases you're going to have to cover.
  42. Get the data you need ... but don't be a data hog. OK, Instagram only wants three things. All of them make sense given what I would use it for. Quora -- I love Quora, but why does it want to know about my family? Why does it want my videos? Creepy!
  43. That wraps the practical part of my talk. There's innovation and exciting technical stuff going on right now, but if you're a designer or developer and you're building something for a general audience right now, you should totally ignore any of it until it's been tried, tested, vetted, beaten on, etc. In that spirit I've tried to stick to facts -- or at least fact-like anecdotes -- so far, and leave out the opinionating and rank speculation. But this is SXSW! And it looks like I've got about 10 minutes left. So here goes.
  44. We are in the process of moving from one model of online identity to another. The old model -- accounts for a single domain, usernames, passwords, etc. -- has been in place since the birth of the Internet, and if you squint, since we've had networked devices. And right now, today, it is still the primary model. We do NOT know what new model we are moving towards. We know some pieces. We can identify some tensions around which the new model will be formed. But it has not been decided, and we are probably some of the people who will decide it, through what we choose to adopt, support, build for, etc. No pressure.
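Notes 41 and 42 ("merge the accounts" across providers, and "don't be a data hog") are where the design advice turns into code on the relying party's side, and it is also where the security reviewer's checks belong. The following is an added example written for this page, not code from the talk or from any provider's SDK. It assumes a hypothetical provider identity record of the form `{"provider", "sub", "email", "email_verified"}` that has already been obtained from the token and profile exchange, an in-memory user store, and made-up provider scope lists; the authorization endpoint, client id and redirect URI in the usage are placeholders. Two checks go beyond the talk's text: the `state` value that ties the callback to the browser session that started the login (without it an attacker can complete the flow with their own authorization code), and the rule that an account is merged on a matching email only when the provider asserts the address as verified, otherwise anyone who can register an unverified address at one provider can attach themselves to an existing user.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical per-provider scope lists, deliberately limited to what the
# product uses (note 42). Real provider scope names differ; these are examples.
MINIMAL_SCOPES = {
    "facebook": ["email"],
    "twitter": [],  # profile only; no email requested
}


def build_authorize_url(provider, authorize_endpoint, client_id, redirect_uri, session):
    """Build the OAuth 2 authorization request for one login attempt.

    A fresh random `state` is stored in the server-side session and echoed
    back by the provider; check_state() refuses the callback if it differs."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    scopes = MINIMAL_SCOPES[provider]
    if scopes:
        params["scope"] = " ".join(scopes)
    return authorize_endpoint + "?" + urlencode(params)


def parse_callback_query(url):
    """Return the query parameters of a URL as a flat dict (first value each)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def check_state(session, returned_state):
    """Single-use comparison of the callback's state with the session's copy."""
    expected = session.pop("oauth_state", None)
    if expected is None or returned_state is None:
        return False
    return hmac.compare_digest(expected, returned_state)


class UserStore:
    """In-memory user store (assumption: a real one would be a database)."""

    def __init__(self):
        self.users = {}     # user_id -> {"email": str|None, "links": set}
        self.by_link = {}   # (provider, sub) -> user_id
        self.by_email = {}  # verified email -> user_id

    def create(self, email, link, email_verified):
        uid = len(self.users) + 1
        self.users[uid] = {"email": email, "links": {link}}
        self.by_link[link] = uid
        # Only a verified address may later be used to merge accounts.
        if email and email_verified:
            self.by_email[email] = uid
        return uid

    def link(self, uid, link):
        self.users[uid]["links"].add(link)
        self.by_link[link] = uid


def login_with_provider(store, identity):
    """Map a provider identity to a local user.

    Returns (user_id, action) where action is one of:
      'login'   - this (provider, sub) pair is already linked;
      'linked'  - merged into the existing user with the same verified email;
      'confirm' - same email but unverified: ask the user to sign in to the
                  existing account first rather than merging silently;
      'created' - new local account."""
    key = (identity["provider"], identity["sub"])
    if key in store.by_link:
        return store.by_link[key], "login"
    email = (identity.get("email") or "").strip().lower() or None
    verified = bool(identity.get("email_verified"))
    if email and email in store.by_email:
        if verified:
            uid = store.by_email[email]
            store.link(uid, key)
            return uid, "linked"
        return None, "confirm"
    return store.create(email, key, verified), "created"


if __name__ == "__main__":
    # Constructed sample identities, not real provider output.
    store = UserStore()
    print(login_with_provider(store, {"provider": "facebook", "sub": "100",
                                      "email": "Ada@Example.org", "email_verified": True}))
    print(login_with_provider(store, {"provider": "twitter", "sub": "t1",
                                      "email": "ada@example.org", "email_verified": True}))
```

The `confirm` branch is the one to keep an eye on in review: the convenient default (merge on any matching email) is exactly the path by which an attacker pre-registers a victim's address at a lax provider, so the store only indexes verified addresses and the handler sends the unverified case back through an existing login instead of merging.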