Wabbitseason

Reputation: 5691

Why should I NOT use Facebook Connect or OpenID for logging in users?

Jeff Atwood argues that we should stop asking users to register on our websites because we should rather use their "internet driver's license -- that is, [their] existing Twitter, Facebook, Google, or OpenID credentials" for authenticating them.

While I am beginning to think that he may be right, I have not yet been able to decide, and I am looking for arguments against letting foreign sites gain control over personal web pages.

Do you see any dangers of authenticating users like this?

Upvotes: 4

Views: 2527

Answers (3)

ZZ Coder

Reputation: 75496

I think using IDs from any of these big names is OK as long as you don't provide a service that needs an endpoint like email, IM, etc.

However, OpenID is just not trustworthy. If you have any doubts, try this OpenID:

http://opennoid.appspot.com/anyid

This is a disposable ID that doesn't require a password to login.

Upvotes: 0

santiagoIT

Reputation: 9431

If you want a more in-depth response from someone who has dealt with this technology before, you should listen to the recent .NET Rocks episode with Rob Connery, which was precisely about this topic: http://www.dotnetrocks.com/default.aspx?showNum=626

After listening to it I decided to NOT use OpenID on my site.

Here is the link to Rob's blog post on the subject: http://blog.wekeroad.com/thoughts/open-id-is-a-party-that-happened

Upvotes: 6

Mark McKenna

Reputation: 2910

Here are a number of reasons why not, although each comes with caveats:

  • If you only authenticate with one external service, anyone who doesn't use that service cannot use yours.
  • If your external authentication service goes down, users won't be able to use yours until theirs comes back up; similarly, slowdowns in their authentication server will also affect you.
  • Requiring users to authenticate with another service requires them to accept that service's EULA, which may be a turnoff for some; similarly, it ties you morally to whatever decisions your authenticating service makes. In particular it can make you appear to be a satellite, spinoff or affiliate of the auth site, since users have to see their logo every time they try to use your service.
  • The external auth domain gets a perfect snapshot of your viewership, giving them a lot of insight into what your company is doing. Since their analytical tools and staff are generally top-notch, they may conceivably know more about your user base than you do.

The major way to avoid this problem is to allow people to use the service of their choice, instead of a single service. If you are limited to developing one, because of development time constraints, using OpenID is the best bet, because many other authentication domains also qualify as OpenIDs, which ameliorates most of the above problems.

Upvotes: 6
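The following is an added Python example, not code from the question or from any of the answers. It sketches the relying-party side of the mitigation in the answer above (support several providers, not one) together with the earlier point that an arbitrary OpenID provider should not be trusted: a local account can carry several linked external identities, only allowlisted providers are accepted, accounts are matched on the provider's subject identifier rather than an email claim, and a user whose usual provider is unreachable can still sign in through another linked identity. The provider names, their up/down status, the sample users and the `RelyingParty` class are all constructed for the demo and are not any real library's API.

```python
# Added example for the thread above; not code from the question or answers.
# Constructed relying-party model: allowlisted providers, many identities per
# local account, matching on (provider, subject) rather than on email.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Providers this site has decided to trust. Hypothetical labels; a real
# deployment would key on each provider's issuer URL. Anything not listed
# (e.g. a self-hosted OpenID provider that needs no password) is refused.
TRUSTED_PROVIDERS: Set[str] = {"google", "facebook", "twitter"}

IdentityKey = Tuple[str, str]  # (provider, provider-issued subject identifier)


class UntrustedProviderError(ValueError):
    """The assertion came from a provider that is not on the allowlist."""


class ProviderUnavailableError(RuntimeError):
    """The provider could not be reached, so no assertion could be obtained."""


@dataclass
class IdentityAssertion:
    """What a provider tells us after the user authenticated there."""
    provider: str
    subject: str          # stable per-user id at the provider; never the email
    email: Optional[str]  # informational only: not used to match accounts


@dataclass
class Account:
    account_id: int
    display_name: str
    identities: Set[IdentityKey] = field(default_factory=set)


class RelyingParty:
    """Local account store with identity linking and provider allowlisting."""

    def __init__(self, provider_up: Dict[str, bool]):
        # Constructed stand-in for a real availability check of each provider.
        self.provider_up = provider_up
        self._accounts: Dict[int, Account] = {}
        self._by_identity: Dict[IdentityKey, int] = {}

    def _check_provider(self, provider: str) -> None:
        if provider not in TRUSTED_PROVIDERS:
            raise UntrustedProviderError(provider)
        if not self.provider_up.get(provider, False):
            raise ProviderUnavailableError(provider)

    def sign_in(self, assertion: IdentityAssertion) -> Account:
        """Resolve an assertion to a local account, creating one on first use.
        Matching is by (provider, subject) only, so an email claim presented
        by one provider cannot log into an account created via another."""
        self._check_provider(assertion.provider)
        key = (assertion.provider, assertion.subject)
        account_id = self._by_identity.get(key)
        if account_id is None:
            name = assertion.email or assertion.subject
            account = Account(len(self._accounts) + 1, name, {key})
            self._accounts[account.account_id] = account
            self._by_identity[key] = account.account_id
            return account
        return self._accounts[account_id]

    def link_identity(self, account: Account, assertion: IdentityAssertion) -> None:
        """Attach another provider to an account the user is already signed in
        to, so an outage at one provider does not lock the user out."""
        self._check_provider(assertion.provider)
        key = (assertion.provider, assertion.subject)
        owner = self._by_identity.get(key)
        if owner is not None and owner != account.account_id:
            raise ValueError("identity already linked to another account")
        account.identities.add(key)
        self._by_identity[key] = account.account_id

    def providers_for(self, account: Account) -> Set[str]:
        return {provider for provider, _ in account.identities}


def demo() -> Tuple[int, int, str, str]:
    """Walk through the scenarios from the answers with constructed data."""
    rp = RelyingParty(provider_up={"google": True, "facebook": True, "twitter": True})
    alice = rp.sign_in(IdentityAssertion("google", "g-1001", "alice@example.com"))
    rp.link_identity(alice, IdentityAssertion("facebook", "fb-77", "alice@example.com"))

    # Google goes down: the Google route fails, the linked Facebook route still works.
    rp.provider_up["google"] = False
    try:
        rp.sign_in(IdentityAssertion("google", "g-1001", "alice@example.com"))
        outage_result = "unexpected success"
    except ProviderUnavailableError:
        outage_result = "google unavailable"
    via_facebook = rp.sign_in(IdentityAssertion("facebook", "fb-77", "alice@example.com"))

    # A provider that is not allowlisted is refused even with a matching email.
    try:
        rp.sign_in(IdentityAssertion("anyone-can-run-this", "x", "alice@example.com"))
        untrusted_result = "unexpected success"
    except UntrustedProviderError:
        untrusted_result = "refused"
    return alice.account_id, via_facebook.account_id, outage_result, untrusted_result


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(1, 1, 'google unavailable', 'refused')`: the same local account is reached through either linked provider, the outage at one provider only closes that one route, and an assertion from a provider outside the allowlist never reaches account matching at all. The design choice worth noting is that linking happens only against an account the user is already signed in to; a provider's email claim is carried for display but is never used to join identities, which is what keeps a loosely run provider from vouching its way into someone else's account.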
