I recommend the article Identity & Trust: The Keys to the Game in Winning the Hearts (and Wallets) of the Consumer by Allison Cerra. Allison comes from a telecom background and had an early perspective on the value of what she calls the 3Ps. These are presentation (how a consumer constructs and manages an ideal image of himself), protection (data privacy) and preference (helping a consumer make choices). She speaks of the gold mine of opportunity in targeting experiences and applications for consumers.
The capabilities of today’s browsers are not sufficient for meeting the security needs of web applications that require authentication and payments. One of the two primary deficiencies is that content from one site cannot be adequately sandboxed when executed on a relying web site. Yet embedding such third-party micro-apps has become commonplace. The second deficiency is the reliance on passwords, as is so eloquently described in this post from Eevee.
Take making a PayPal transaction at a merchant web site as an example of the first deficiency. To make this work, the merchant web site must redirect the user to PayPal’s web site, where he or she then authenticates and authorizes the payment. The user is taken out of context, away from the merchant’s web site, with the possibility of being subject to phishing. This is done because any PayPal code running within the context of the merchant’s site would not be secure: PayPal and the merchant cannot isolate each other’s code.
Facebook put out an infographic revealing that 600,000 identities are compromised per day. That’s a lot of identities. Continuing from a previous post of mine, you could perhaps conclude that Facebook Connect is suitable for casual identity, but not for strong identity.
It’s not that Facebook isn’t trying to protect identities. The infographic reveals an impressive array of risk management tools. Facebook certainly looks like it is setting itself up to be a strong identity provider.
I suggest that the casual value of Facebook to most people is what gets in the way of Facebook acting as a strong identity source. People choose weaker passwords and are less inclined to be serious about account recovery steps than they would be with a bank, PayPal or even an email account. A second issue is that users are more susceptible to phishing and spam by virtue of Facebook being a popular target with a large attack surface. Not to mention that users may be a little wary of Facebook’s track record of leaky privacy and therefore less willing to give up the vital data needed to protect their identity (e.g. cell phone numbers and security questions).
For a further examination of the issue of Facebook identity compromises please read this Sophos article.
Think of it: if you want a strong identity, you want one that is backed by financial information. That makes banks great natural identity providers. But financial institutions don’t seem to be interested in this space, and/or regulatory issues are in the way.
GPUs have brought brute-force cracking of any 7-character random alphanumeric password down to a maximum of 17.5 minutes, as compared to 4 days with a CPU. For 8 characters it takes 18.5 hours with a GPU, or 1 year with a CPU. This is what Vijay Devakumar found when he used a GPU card and the free password hash cracker called ighashgpu to crack the NTLM password hash, which is used when logging in to Windows.
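As an added example (not part of the post or of Devakumar's work), here is the keyspace arithmetic behind those figures, with hash rates back-derived from the quoted 7-character times rather than measured; the function names and constants are my own assumptions. Scaling the 17.5-minute figure by the 62x growth in keyspace per extra character lands close to the 18.5 hours quoted for 8 characters.

```python
# Added example, not from the original post: worst-case exhaustive-search
# times for random alphanumeric passwords. Rates are derived from the post's
# 7-character figures (an assumption), not from a benchmark.

ALNUM = 62  # a-z, A-Z, 0-9


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def implied_rate(charset_size: int, length: int, seconds: float) -> float:
    """Hashes per second needed to exhaust the keyspace in `seconds`."""
    return keyspace(charset_size, length) / seconds


def time_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst-case seconds to try every password at `rate` hashes per second."""
    return keyspace(charset_size, length) / rate


def extrapolate_hours(charset_size: int, base_length: int,
                      base_seconds: float, target_length: int) -> float:
    """Scale a measured exhaustive-search time to a different length (hours)."""
    rate = implied_rate(charset_size, base_length, base_seconds)
    return time_to_exhaust(charset_size, target_length, rate) / 3600


# Figures quoted above for 7 alphanumeric characters (constructed constants).
GPU_7_SECONDS = 17.5 * 60          # 17.5 minutes
CPU_7_SECONDS = 4 * 24 * 3600      # 4 days

if __name__ == "__main__":
    print(f"keyspace(62, 7) = {keyspace(ALNUM, 7):,}")
    print(f"implied GPU rate ~ {implied_rate(ALNUM, 7, GPU_7_SECONDS):.2e} hashes/s")
    print(f"implied CPU rate ~ {implied_rate(ALNUM, 7, CPU_7_SECONDS):.2e} hashes/s")
    # Each extra character multiplies the search by 62; length is the defence.
    for n in (8, 10, 12):
        hours = extrapolate_hours(ALNUM, 7, GPU_7_SECONDS, n)
        print(f"{n} chars on GPU: {hours:,.1f} hours ({hours / 8760:,.2f} years)")
```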
There is an interesting post by Om Malik over at GigaOm suggesting how Google can get its mojo back from Facebook.
Taking a slight spin on this, I make the observation that a large part of Facebook's value is your identity and your associations, and Facebook's willingness to leverage this information elsewhere on the web (Facebook Connect). Facebook Connect is becoming the most common way to log in to other sites. The reputation of your identity is increased by your associations: it requires a conspiracy to create a fake Facebook account and give it N friends, the presence of which increases your identity's reputation.