By Charles Miller
For about the last five years many thousands of web sites have been offering a convenience known variously as “trusted authentication” or “social login” or “social sign-in” in order to reduce the time and effort required of users to log in. For those readers not familiar with the terms, these refer to web sites such as login.yahoo.com where you will see buttons labeled “Log in with” followed by Facebook, Google, Twitter, or others. If the user wants to log into their Yahoo email account they may click on the Facebook icon to be presented with a dialog box where they may enter their Facebook username and password. This process is secure because Yahoo cannot see the password given to Facebook. The user is then returned to the Yahoo site, which says in effect “If that login was good enough for Facebook then that is good enough for Yahoo too.” One thing on which most users will agree is that the fewer passwords they have to remember the better.
The convenience of being able to share information cannot be denied. If you shop online you may find yourself wanting to order something from a web site you have never visited before and might not visit again. Filling in the sometimes lengthy questionnaire to open a new account can be a time-consuming hassle, but if that merchant offers the opportunity to “click here to log on with PayPal” then that is all you need to do. PayPal can then share your name, shipping address, phone, etc. with the vendor and (hopefully, allegedly) warn you if that vendor is not entirely legitimate. This is convenient for you, and also for the vendor, who knows you have already gone through the validation process at PayPal.
This data portability technology allows the websites to extend some social networking features between sites. The shared data can include full name, wall posts, friend information, groups, events, and more. By gaining access to the user’s friends list, other websites are able to show which of the user’s friends have also accessed the website. The website can also update the user’s Facebook wall and news feed with the user’s activities. Dynamic security is supposed to ensure the same privacy setting you use on the authenticating web site will also be enforced on the new web site you log onto. Facebook says that removing a friend connection will automatically be reflected on the other external websites.
This practice of logging in using trusted authentication seems to be best suited to, and more often found on, what I term “low value” web sites where security is not a prime concern. My intention is not for that to be pejorative but simply to express that there are non-critical web sites I visit that otherwise would require setting up a new account in order to access. Making it easier for me is beneficial for all, especially because the web site can be assured of receiving accurate information for its account records, whereas if I had been forced to fill in their questionnaire I might have populated it with a bunch of gibberish. To date I have not found a single high value site, such as a banking site, that offers to let customers sign in with their Russian email credentials from Mail.ru or the social network 校内网 in China, both of which offer trusted authentication.
Sooner or later somebody is bound to ask what is the real reason Google, Facebook, Twitter and the others would want to provide this service to their users. All the aforementioned companies are in the business of monetizing the data they collect and the entire system is designed to provide more and more reliable demographic information about you to them. They would like to keep you logged in to their site so that as you surf the web they can keep track of everywhere you go online, everything you see, and everything you do. That’s all.
Charles Miller is a freelance computer consultant, a frequent visitor to San Miguel since 1981 and now practically a full-time resident. He may be contacted at 044-415-101-8528 or email FAQ8 (at) SMAguru.com.