Every article that mentions a company tying their authentication to Facebook Connect unleashes a horde of people saying "I'm going to cancel my account", or "this is the worst idea for their business ever"...<p>Why is having a central authentication system a bad idea? How many times have we seen articles where companies are storing information (password included) in plain text or a weak cipher? How much developer time is wasted rebuilding authentication systems? How much user productivity is lost trying to remember passwords if they use different ones (or lost managing things through a tool like 1Password)? How many security breaches are caused because people use the same password across many sites?<p>Facebook Connect is a good thing. I understand the data mining and privacy concerns. These concerns aren't real, not because Facebook isn't collecting information but because everyone is collecting information so any privacy you have left is an illusion of privacy, not actual privacy.
<i>These concerns aren't real...any privacy you have left is an illusion of privacy, not actual privacy.</i><p>This is Wrong. Our privacy is only actually gone when we consciously decide to give it away, or throw our hands up and say "oh well, there's nothing we can do".<p>Facebook Connect isn't bad in and of itself, and neither is central authentication. But a lot of people understandably don't trust Facebook to manage their identity for them and would prefer to manage it themselves.<p>It's still perfectly possible to maintain reasonable privacy on the web, and any site or product that doesn't at least <i>give me the option</i> of doing so isn't a site or product I'm interested in using.
"These concerns aren't real, not because Facebook isn't collecting information but because everyone is collecting information"<p>So Facebook isn't acting counter to your interests because everyone is acting counter to your interests?
This is mostly a concern for me because I choose not to use Facebook, so I won't be using any business relying on Facebook Connect. Most of my reasons for not using Facebook (aggressive data collection and being pretty open about milking it for their own ends) are even more worrying when applied to an auth system.
You've got a good point about the false sense of security. But the main problem is that Facebook makes it too easy to make information public and too hard to manage my view into that information. If I could see and edit the info Facebook makes available to other people, I would be much more comfortable.<p>Also, I feel like Facebook isn't just storing my info, but is actively trying to get me to add more info. I feel like I'm being milked for personal information.
<i>Why is having a central authentication system a bad idea?</i><p>Because you give central control to a central authority.<p><i>How many security breaches are caused because people use the same password across many sites?</i><p>Note that a single login to all sites is the same problem as a single password to all the sites. If the password is compromised, all the sites are compromised.<p><i>Facebook Connect is a good thing.</i><p>That conclusion doesn't follow from your remarks.<p>You choose to focus on two objections that are both false objections: that we have a choice between only a central auth system or many weak auth systems, and that we've lost all privacy anyway.<p>I believe the cost of central control over all online activity is higher than the cost of developers learning and implementing strong personally controlled authentication and the cost of educating users what history shows us about ceding too much privacy and autonomy.<p>I worry that Facebook Connect is an actively "bad" thing. I think a good thing would be for OS X Keychain or 1Password style tools to be built into browsers or operating systems to give master key + random auth key functionality to every user with users controlling their own online credentials.<p>It bears repeating:<p><i>Why is having a central authentication system a bad idea?</i><p>Because you give central control to a central authority.
It's because that certain subset of HN commenters are exactly the wrong audience for Facebook Connect. They value privacy over convenience, while Facebook Connect values convenience over privacy.<p>Not every product is for everybody.<p>The angst is probably magnified a bit by the awareness that they're the minority view. When dominant values are different from your own, it makes you uncomfy.
This has to be a trolling attempt.<p>"...any privacy you have is a complete illusion"
"what do you have to hide?"<p>Please people, don't feed the trolls.
Try to see this from a developer's perspective. If Facebook becomes the de facto standard for internet authentication and the de facto standard platform for every service, developers' freedom will be much diminished. And there are many developers (and entrepreneurs) here.
No particular angst, but I do recognize a personal dichotomy. Like many others I react to Facebook changes with initial distrust and sometimes anger but---then I remember that there is nothing there that I did not put there or that my small circle of friends put there. So I back up and re-think my reaction and mostly conclude that it is mostly not 'what', but 'how' that bothers me. No one would ever accuse Facebook (or its leader) of being tactful but then so what? That in and of itself is nothing to get wrapped around the axle about. It still bothers me, just not the way that it seems to bother others...
I'll just leave this here. Just replace the name Google with Facebook.<p><a href="http://www.securitytube.net/video/1084" rel="nofollow">http://www.securitytube.net/video/1084</a>
For me, the problem is that Facebook constantly wants me to overshare, and I feel like I constantly need to pull back. It's never just "authenticate with Facebook", it's "Authenticate with Facebook, give the app 30 different ways to violate my privacy, then make a bee-line for the App Settings panel to turn off all the permissions I'd rather not use".