How Facebook saved some Gawker subscribers

The data breach at Gawker earlier this week had many people scrambling to figure out if their data had been exposed and resetting passwords on other sites just in case they had reused their password there.

The only Gawker subscribers who appeared to have been safe were those who logged in to the site using Login with Facebook (formerly called Facebook Connect), a single sign-on authentication service that lets you use one login for multiple sites as long as you have a Facebook account.

Basically, it works by allowing you to sign in to a Web site using your Facebook username and password. If your browser stores cookies, the site will automatically log you in every time you visit it.

There are similar single sign-on services, including OpenID, Microsoft Passport, and Twitter OAuth, which allows people to use apps without the apps storing the user password. But the popularity of Facebook has pushed its login service to be used on more than 2 million sites.

One hitch for the Gawker users was that people who didn't have Facebook accounts couldn't use the Login for Facebook option. Facebook addressed that with a new registration tool announced yesterday that allows Web sites to use Login for Facebook even if the subscriber doesn't have a Facebook account. The tool fills in the registration window with information for Facebook users who are logged in at the time. Non-Facebook users can sign up for the site manually.

For users who want convenience, single sign-on is a good option. Not only does it allow them to quickly access their favorite Web sites and services without having to remember more than one password, but Login for Facebook also allows them to easily share their Facebook information between the different sites and interact with their Facebook friends on the non-Facebook site.

Some people may not want their Facebook profile information to be shared with other sites. When they are signing up the first time via Login for Facebook a window explains exactly what information the site will access in the user's Facebook account.

For Web site owners, Login for Facebook and other single sign-in options relieve them of the burden of having to store and manage user passwords and do so securely. As Gawker learned, this is not an easy feat.

"Independent Web site developers can leverage an existing user database of a large service, like Facebook, and get access to the data the users have stored there," said Andrew Walls, research director at Gartner. "Reducing the number of places users store user names and passwords makes sense."

But there is the concern that such services are even more attractive targets for attackers and data thieves. The operator of the single sign-on service needs to be expert at defending the data or it will lose the confidence of its users, Walls said.

"Who do you trust more in terms of security performance? Do you trust Gawker or any Web site out there, or Facebook?" he asked rhetorically. "Many people [500 million users] have expressed trust in Facebook and its ability to secure personal information, so I think Facebook is well positioned to make the claim that at the moment they are more secure than most Web sites out there."

Security a la Facebook
Facebook has more than 150 people dedicated to security and spends "tens of millions of dollars" a year on securing the data and accounts of its users, a spokesman said. Every new engineer or engineering manager goes through a six-week "boot camp" in which they learn about how to do secure coding and get training in "defense against the dark arts."

Meanwhile, all code goes through a rigorous review process and uses specific techniques to prevent common cross-site scripting and cross-site request forgery attacks, according to the Facebook spokesman. Passwords are stored in a way that allows Facebook to authenticate users with passwords without actually storing the passwords using what is called "cryptographic hash functions."

"As an Internet company, we want people to deal with passwords as little as possible. The more you use a password the more opportunities for it to be compromised," Ryan McGeehan, manager of Facebook's security incident response team, told CNET. "On the system side, the Web site is not in the business of protecting user data. That burden is on us."

Another potential problem for Web sites is that an outage at Facebook could affect the ability for people to log in on the other sites using Login for Facebook. This is similar to how malware or outages with Twitter's automated feed can ripple out and affect other sites that integrate Twitter feeds directly onto their pages.

"Just like any Web site, Facebook occasionally experiences downtime, and this downtime may also result in Facebook Platform (including Login with Facebook) going down," a Facebook spokesman said. "We work hard to ensure that these instances are rare, and when they do happen, that they're fixed quickly."

Small mom-and-pop Web sites may be glad to outsource the authentication of users to Facebook, but other companies won't necessarily want to, especially if they are competing with the social-networking giant for eyeballs and loyalty. "The Googles and the Amazons would all love to become the identity broker for the Web," Walls said.

Single sign-on services are still at risk of being targets of phishing attacks, even more so because the passwords are the keys to so many sites. Facebook advises people to make sure that when they are signing up via Login for Facebook on a site that a window pops up in a new browser and that it includes a legitimate Facebook.com Web address. Otherwise, the user could fall prey to a scam that looks like a legitimate Login for Facebook implementation but is instead a ruse to steal log in information.

Because so many people re-use passwords and phishing attacks are ubiquitous, Gartner analyst John Pescatore says sites would be better off looking at authentication that doesn't rely on just passwords. One option is a two-step verification process like the one Google announced a few months ago that sends a security code to a user's smartphone to allow them to log in after providing a password.

"I think it would be a much better advance for the state of the Internet if we tried out alternatives to reusable passwords rather than just trying to find bigger and bigger places to store them," he said.