I was happy to read Dmitry Shapiro’s blog post about Altly, a startup that plans to challenge Facebook on privacy grounds. We need competitors to Facebook for all the reasons mentioned by Dmitry, plus a few others.
Facebook uses OAuth to implement social login (“Facebook Connect”, now called “Login with Facebook”). OAuth is insecure, because it allows an authorization code to be sent in the clear from Facebook to the relying party (the application or site that features the Login with Facebook button). If you log in with Facebook in a cafe, an attacker may be able to intercept the code and use it to impersonate you.
Another problem with OAuth is that it requires prior registration of the relying party with Facebook. This means that, if Login with Facebook becomes ubiquitous, Facebook will have the unchecked power to effectively disable most Web applications by revoking their registrations.
The registration requirement is also an additional barrier to entry for Facebook competitors such as Altly. To implement “Login with Altly” competitively, Altly will have to persuade over a million sites and applications to register with it.
To address this competitive barrier we have suggested a social login protocol, called PKAuth, that does not require prior registration. We would be happy to work with Altly and any other social site (including Facebook) that would be interested in implementing PKAuth, writing open source libraries for relying parties, and codifying the protocol as a Web standard.