Hacker News
Facebook's Internet identity monopoly (somebits.com)
77 points by colinprince on June 19, 2011 | 45 comments



I highly recommend taking a look at Facebook's Yishan Wong giving his views on "What's wrong with OpenID". http://www.quora.com/OpenID/What-s-wrong-with-OpenID

Some quotes:

> OpenID is the worst possible "solution" I have ever seen in my entire life to a problem that most people don't really have.

> A nerd will wrinkle up his nose at these [non-OpenID] solutions and grumble about the "security vulnerabilities" (and they'll be right, technically) but the truth is that these solutions get people into the site and doing what they want and no one really cares about security anyways.

Let's think about that one for a second. I find this rather typical of Facebook's attitude in general—a monomaniacal focus on increasing engagement or whatever metrics, a complete disregard for externalities and an arrogant rejection of any sort of social responsibility. This is what makes them so successful as well as so dangerous to the rest of the ecosystem.


An arrogant rejection that seems misplaced.

He talks about a problem that most people don't have, and then goes on to state nerds turn a nose up at "security vulnerabilities".

At the core, it's a problem that most people do in fact have, it just is not presented to them in a fashion that is easy to digest, or even tasty enough to consider ordering from a menu. The typical computer user doesn't think about what happens to their password in transit, they enter it, hit enter and say a short prayer that they didn't typo so they can get where they want to go, and get on with life.

If the OpenID marketing initiative had focused on the "stop remembering passwords" a little harder than they had, maybe it'd still be relevant outside of tech circles.

And furthermore, building on the "solution [...] to a problem that most people don't really have"

Didn't Facebook essentially go about solving that "problem" themselves, albeit packaged up in a nice wrapper with your friends and social profile as the adhesive tape?


OpenID was a failure from the start, and that's ignoring all the problems that happened around the project (e.g. at SXIP).

For one, it was too limited in scope: it assumed it would operate only within a traditional browser, that cookies are the only place you ever need to store information and that the user is always there to authorize every single action. You can't use OpenID to delegate or automate anything and OpenID just doesn't work well e.g. in desktop apps or on mobile devices. It's locked to one particular interaction flow, and it's not even a good one.

For another, the whole thing was designed by and for people who run websites. 99.99% of the world does not have their own personal domain and the idea of using a URL as their identity was just confusing and weird. Features like delegating your identity using HTML Meta tags on your site are misguided toys for tech nerds with no real world relevance.

Finally, the parts of OpenID that would actually be interesting, i.e. the selective, automatic sharing of information between sites to avoid long signups, never went anywhere, ensuring there would be no actual benefit for the end user for using OpenID.

Facebook didn't just bring a solution that solved all of this, with Facebook Connect and OpenGraph, but they also delivered the user-base to go with it. Think of all the bad privacy PR that Facebook has gotten... has it dented their image? Nope. Because FB connect is too valuable in keeping the barrier of entry low. When given the option, people prefer FB connect.

The point about security isn't that it doesn't matter, but that OpenID is a completely secure solution that nobody really wants to use. Anyone who knows crypto can design a secure handshake, but it takes a lot more to design something that people actually want to use.


> Facebook didn't just bring a solution that solved all of this, with Facebook Connect and OpenGraph, but they also delivered the user-base to go with it. Think of all the bad privacy PR that Facebook has gotten... has it dented their image? Nope. Because FB connect is too valuable in keeping the barrier of entry low. When given the option, people prefer FB connect.

EXCELLENT rebuttal, I hadn't thought to look at FB Connect like this with my original comment.


A rejection that's also just flat wrong in some places. Sure, the first OpenID-enabled site you visit asks you to set up an account on a 3rd-party service. Once you've done that, all subsequent OpenID sites require no new accounts. So it's a one-time cost.


The difference between theory and practice is that in theory it works, in practice it doesn't. Even the early adopters stopped using OpenID.


The thing that amuses me is the more Facebook attempts to become the monolithic center of identity online, the more people I know have multiple accounts or simply stop using it altogether. Of late I keep hearing of people setting up 'throw away' Facebook accounts for services that require it. A single identity is fundamentally at odds with the way people work, the more this is pushed, the more people will shy away or hack around it and in the process the more damage Facebook will do to its much-vaunted social graph.


I am not sure. It might be true for developers, but most people don't care that much. They just want to sign in, fast.


That depends on the service. There are plenty of such where you just want to sign in, fast, and don't care that you appear as your Facebook personality on that service.

But there are services where I think people care, where having their activities on that service tied to their Facebook personality is something they don't want. The obvious example is dating sites, but also simple things like blog comments are affected.

Techcrunch had an article on how their comments "got better" after switching to Facebook Connect, but they also noted that there were much more positive comments, and far fewer negative ones, much less constructive criticism, because people don't want to appear negative in front of their Facebook friends.

I think a lot of people care enough about anonymity or at least pseudonymity, so the more services that require you to have a Facebook account, the more fake accounts will be created. The more they tighten their grip, the more users will slip through their fingers...


In real life you act different depending on the type of person you are talking to. You are basically someone else to the parent / teacher / friend / shopowner. Facebook wants you to always be the same person, and people realize how uncomfortable that actually is.


Is the "account" unity so relevant for Facebook? If you use the same IP and same password, and have regular login patterns, it's probably easy to identify same people having multiple accounts. I think Google already can do that BTW.


Facebook Connect is winning for more reasons than a great consumer experience. It is also a great publisher experience.

1) Facebook Connect provides access to real identity (as opposed to an anonymous token) and they actively try and weed out bad actors
2) Facebook social plugins are easier to use than OpenID
3) Facebook Connect provides distribution of content to people that trust the user (on average 150)
4) The user's Facebook profile provides usable insights to the publisher for targeting and follow-on marketing

In order for something like OpenID, Google Login, Yahoo Login, Twitter @anywhere, to beat Facebook they need to provide a competitive set of functionality to the publisher and equal ease of use to the end user.


I've got 34 fake Facebook accounts now, and counting. They all have "lives", they all have friends, and so far Facebook hasn't removed a single one of them. None of them are real, none of them have phone numbers. Some of them are used simply to prove a point to various friends that they don't check who they friend too closely, and I use them for websites that require Facebook logins to comment.


But could you automate creation of Facebook accounts with fake real-looking data?

As it stands, email registrations can be automated to the point that their only use on popular sites is to confirm being able to receive emails.


I think Facebook has tacitly allowed these types of accounts for testing/anonymity etc. You probably won't be shut down unless you do something egregious.


1) It provides access to real identity as much as a fake e-mail account.
2) There are plenty of easy to use pluggable OpenID widgets.
3) Not true. The content is just drowned out by all the other noise generated by all the other publishers clamoring for attention.
4) 5 items from my Amazon shopping list provide more insight than my entire Facebook profile.

Facebook Connect is no better than the open alternatives to identity management but as usual the open alternatives have a PR problem because the user experience is just as seamless but somehow publishers are convinced that flooding the user's facebook stream is going to bring them traffic.


The user experience for OpenID is NOT just as seamless as Facebook Connect, and to claim as such is absurd.


Check out how stackexchange handles the experience and then we'll see who's absurd nub.


1) StackExchange - Identity (username/password) that is site-specific to utilize an individual website. This has typically been standard practice for the majority of the web's existence.
2) Google - Identity connected to Gmail and/or Google services.
3) Yahoo - Identity connected to Yahoo Mail and/or Yahoo services.
4) Facebook - Identity connected to social networking service.
5) myOpenID - Identity connected to... what exactly?

People have a reason to use their accounts on Gmail, Yahoo Mail, Hotmail/Live, Facebook, Twitter, and etc. The reason why Facebook Connect has been successful is that it is an extension of an identity that many people already use on a daily basis. As long as OpenID remains just an identity provider, it will continue to lose ground. This will especially be the case in the realm of mobile, where cell phones can provide person-specific solutions in a manner that desktops so far cannot.

1) Apple was choosing between Facebook Connect and Twitter Connect for their account integration.
2) Android will naturally use Google accounts as a first choice.
3) Windows Phone will primarily use Live accounts.
4) HP/Palm and RIM need to figure out what they are going to do in this space.
5) Facebook has the ability to leverage Android for a Facebook Phone if they so choose. Currently they are instead trying to become ubiquitous across all platforms.
6) OpenID is nowhere to be found.

We will continue to see integration of this nature across all platforms. OpenID simply does not have the leverage to be successful in the long run. They're still fighting the battle in the browser, while the war is already moving higher up to the device itself.


> People have a reason to use their accounts on Gmail, Yahoo Mail, Hotmail/Live, Facebook, Twitter, and etc. […] As long as OpenID remains just an identity provider, it will continue to lose ground.

I'm not sure I understand what you're saying here. TTBOMK, Google, Yahoo!, and Windows Live ID are all also OpenID providers. E.g., the Isotropic online Dominion server allows users to “log in with a Google or Yahoo! account” with an OpenID backend.

So if your thesis is that people reject OpenID because they can't extend their identities from those existing accounts, I don't see how that's the case, unless the OPs have restrictions I'm unaware of. (People might not know they can identify themselves with those accounts, which I think is a real problem, but a separate one.)


My thesis is not that people reject OpenID for that reason, it's that OpenID exists as an ethereal add-on to other services. That is to say: it does not exist in and of itself. Facebook Connect is an extension of my Facebook identity. Twitter Connect is an extension of my Twitter identity. OpenID is NOT simply an extension of the listed providers in the same manner.

I'll illustrate the point as such: My username is Sayter. 1) Go find my Facebook. 2) Then go find my Twitter. 3) Now go find my OpenID. You immediately know where to go for the first two, and in fact can type in the URLs for my Facebook and Twitter accounts directly. But how about my OpenID? Is it my Gmail? Yahoo account? Windows Live account? All of the above? Whichever I use the most? Or is it the OpenID that I have on one of my domains? My identity for OpenID is fragmented (I'm not even sure how many I have, honestly) and does not exist in a single space, while Facebook and Twitter do exist in single spaces (assuming I only have one Facebook/Twitter of course, but that possibility was simplified for the sake of argument).

That is a non-trivial problem that Facebook and Twitter have (mostly) solved, while OpenID is still struggling with it.


You sir are full of hot air. All those services have as many fake and malicious users as they do real ones and claiming a user's digital presence in sandboxes owned by corporate entities is an extension of their real identity does not give enough credit to the users of those sandboxes.


Actually he's right. The typical user (which none of us here are) has one account on FB (and "maybe" a Twitter account). That account they use to connect to friends, family, whatever. They see a Facebook Connect logo on some site they want to comment on, they gonna use what's familiar.


Perception is reality.


I intend to retain my independence on the Internet! None of this "cloud" stuff for me! I will have nothing to do with Facebook, and their identity monopoly. I would much rather just start my own blog:

https://en.wordpress.com/signup/

My WordPress.com site can always be transferred to a host of my choosing (especially if I register a similar domain name) (and not at giant GoDaddy).

I simply will not post on sites that require Facebook, or Blogger, or Yahoo! accounts to log in. Period.

Except for banking (which I try to avoid online) and really special logins, I simply use one very-hard-to-crack password for everything, like "bluefrogsridelogsatsunset". People argue about how hard it is to crack passwords, and what kinds of passwords are secure, but I'm pretty sure that no one (except perhaps the government) can really crack a password such as the one above. This solution is good enough for me!


> I simply use one very-hard-to-crack password for everything, like "bluefrogsridelogsatsunset".

I suggest using the master password to manage other passwords (the browser might have a password manager, or there is KeePass or tons of other password managers). Sony, Newegg, Facebook and some other companies can see passwords in plain text which could be used in conjunction with your email or similar contact methods to infiltrate your account.


I don't use a "generic" password to register at companies; they tend to require credit card transactions, etc.

I actually do use KeePass for several things, and I think it really is more secure than my "simple solution." Plus it keeps my data in a nifty portable "*.kdb" file. But it's just a bit clumsier to utilize. I don't use the Firefox password manager, which updates often; who knows what might happen when it does? KeePass is available at:

http://keepass.info/


The market share of Facebook's identity system is troubling to many folks, not the least of which is Google.

OpenID has proven to be too damn complicated. Mortals can't understand it.

Mozilla's Account Manager seems like an awesome solution: http://hacks.mozilla.org/2010/04/account-manager-coming-to-f...

It seems to me that Google, with its popular browser and web services, is ideally positioned to popularize an account manager protocol. And with the heated competition with Facebook, they've got just the right motivations.


> OpenID has proven to be too damn complicated. Mortals can't understand it.

I think it's more that mortals see no reason to bother understanding it. It's conceivable that lulzsec etc might help change that.


TL;DR - agreed, I expect the government will eventually force Facebook to open up and support a common federated social networking standard.

As spullara explains below, Facebook's monopoly has come because Facebook Connect is an all-round better product. Publishers get access to easy syndication ("oh, you just joined XYZ? Here are some badges; want to share them on Facebook and let your friends know about us?") as well as higher-quality users overall (Facebook accounts tend to be real). Users get a single login from a service they (mostly) trust and easy integration with their social network ("oh, John's using turntable.fm too? Sweet!").

The brilliance of Facebook Connect is the tie-in of syndication with identity. Logging in with Facebook is a better experience than just registering, for all parties involved. This is why Facebook Connect works and why MSN Passport failed a decade ago.

The monopoly side of things is going to become a problem in the coming years; I for one expect federal intervention in the form of mandating a common federated social networking platform (a la, but not necessarily, via the protocols developed by diaspora). Federation and decentralization is what happened with phones and with email; if Facebook/social networking-style communication is the next generation, it seems like a reasonable next step.

Most users will never tell the difference, at first - Facebook will remain their default client both for login and for reading friends' profiles and news feed. With time, however, competitors will begin to emerge and offer alternate interfaces for either news feed filtration or for identity, opening up space for innovation in a place once dominated by one or more entrenched players (Firefox vs IE, Gmail vs Hotmail/Yahoo/AOL). Early adopters will be using social networking tools but will be able to seamlessly interoperate with people still on Facebook.

Perhaps I'm naively optimistic, but I'd be excited for a future like that. For now, though, I'll stick to Facebook Connect - the bigger it gets, the more likely regulation will occur.


> I expect the government will eventually force Facebook to open up and support a common federated social networking standard

Seriously? This will never, ever happen.

Ever, ever, ever.

That's just not how life works. Or businesses. Or how the US government works. It's the total antithesis to the American ideals. It wouldn't even have a chance of happening in social democracies in Europe, let alone America.

Ever.


Ma-Bell breakup? Standard Oil breakup?

I fail to see how things like that never ever happen. It doesn't happen in quite the same way, but the fact is, anti-trust isn't antithesis to the American ideals. Allowing one company a position where it can toss abuses both upstream and downstream of its supply chains doesn't mesh at all with a market interested system.


Ma-Bell and Standard Oil were essential services, Facebook is entertainment.


I don't see an Internet wide login and identity service as related to the entertainment industry any more than it is to many others. Furthermore, I'm fairly certain that Facebook's business, while it facilitates entertainers, is not actually engaged in entertainment. To argue that it's different from Ma-Bell in its basic feature, connecting people, I feel is a complete misunderstanding of the service.

Of course, my sister uses her telephone connection for entertainment as well..


I think you're taking my "entertainment" to mean the industry and not a category. Facebook is not an essential service of the internet. It is not the only way to communicate like Ma Bell was. It is not a dictating force in the economy like Standard Oil was.


I'm going to take issue with both of those comparisons. Standard Oil was only a dictating force in the economy for a short while, after it took over every other oil distribution company. Oil is a dictating force, the company was simply an outgrowth of scarcity rent.

Ma-Bell was, in fact, not the only way to communicate. That's like saying phones were the only way people got in touch. It's simply and patently wrong. As far as industries that did Ma-Bell's job, you've the post, television, and radio.


The post cannot be used to get the police or anyone else in a timely manner. Television and radio are broadcast media and only really go one way. Ma-Bell was it.

Cars didn't run on something Standard Oil did not sell.


I tend to agree with you, but it's important to remember that you should never say never.

Stranger (and more asinine) things have happened.


I’ve always found OpenID’s lack of similarity to email addresses immensely stupid. Email addresses are infrastructure that isn’t going away any time soon, and your grandma might have had a chance of actually using OpenID if she didn’t have to type something long and completely unfamiliar that last time I checked necessarily begins with http://.


Whenever possible I create a separate account for each web service. I'm very aware of the downsides of managing separate accounts and logins but I refuse to host my whole identity with one company. It just doesn't seem right to entrust most of my digital life into the hands of a single private or public company. There shouldn't be a single institution which holds that kind of information - not even a government.


One group wants Facebook to control identity, another OpenID, another Twitter, and another wants the federal government to impose identity requirements.

They all have in common that individuals no longer have control over their own identity. Instead they must cede power over their lives to others who pull the strings.

There is no need for identity providers. The entire concept is totalitarian, offensive and horrific.


If we think about real life, you need an identity for things like passports, state benefits and some other stuff but with normal things like shopping you don't need an ID at all.

So if I go to a shop and buy a t-shirt then I have done that pretty much anonymously but if I buy on a website that requires a Facebook Connect login then I have given way more information about myself.


OpenID had its chance.


Whenever I see a facebook login required for site access, I decline to use that site.


Can we really say it's a "monopoly"? I would agree if users had been brainwashed to the point where they would refuse using anything else than Facebook Connect, but, as the author mentions, there are a lot of possible alternatives for them to use (or they can roll their own).

There is no real Facebook monopoly imposed on website publishers -- there is just a monopoly imposed on the users of those websites where Facebook connect is the only option or the only visible option. I agree that it's a concern, though.



