April 2013 | Status: Second Draft
The proliferation of third-party identity providers on the Web is a very annoying phenomenon. Some sites won’t even allow you to become a member unless you sign in with Facebook or Twitter, which is just another way to tell you that they sell your personal information to Facebook. And now the awesome folks at Mozilla have come up with yet another identity management system, Persona, i.e. OpenID with more privacy and slightly better browser integration.
When most techies talk about identity providers, they are often concerned about privacy. Facebook, of course, profits from knowing which websites you logged into today. Privacy is an important concern, but in this post I’d like to draw attention to a different, oft-neglected aspect of third-party identity providers.
My primary concern is that most of these identity providers have no business mediating my relationship with the websites I visit.
When I visit example.com, ideally, it should be about me, example.com, and nobody else. Not Facebook. Not Google. Not Yahoo. Not NSA. Not even Mozilla, even though I love their other products.
A website that asks me to log in with a third-party identity provider is like a guy who brings his mom to his first date. Of course the mom was totally uninvited, and yet this moron insists on letting her mediate our relationship. Sometimes it’s not his mom (thank God) but a mutual friend or well-liked member of the city council. Okay, I like that person. But I don’t want to date the mutual friend or the councillor. I want to date you, just the two of us. And that’s why I find those multiple redirects so offensive. It’s not only inconvenient but also inconsiderate.
The current state of user authentication on the Web is nothing to write home about, but at least the familiar username & password combo doesn’t require any middlemen to vouch for my identity. The fact that some middlemen are non-profit and/or “distributed” (i.e. 99.99% centralized in the hands of a few vendors, 0.01% self-hosted) doesn’t make them any less objectionable. It simply is none of their fucking business. Dear Mozilla, you’re the bartender in town and I love the drinks you make. But I don’t want you chaperoning all of my dates. Really, no thanks.
Let’s ask ourselves whether we might have given up, while trying to “fix” the so-called problem of authentication, what the web is supposed to be: highly decentralized and therefore extremely resilient to manipulation by any single entity. Are we really so scared of forgotten usernames and unencrypted password leaks that we need to invite unrelated third parties to sign our keys? Isn’t that eerily similar to giving up liberty for a little security? The last time we tried that, we ended up with compromised CAs signing SSL certificates for dictatorial regimes.
Come to think of it, the idea that any online service should be able to vouch for anyone’s identity for any purpose other than authenticating with said service and/or its affiliates is a very strange one. The ability to vouch for someone’s identity is a tremendous power, with a great deal of associated responsibilities that no single entity is qualified to assume. The only exception that I can think of is the state, and even then only out of sheer necessity.
Honorary mention: Khan Academy, which gives you a choice between Facebook, Google, and their own old-fashioned login system. Guess what, the last option offers the best privacy and requires the least number of clicks.