How safe is it to use Facebook as an identity provider?

We are in the process of creating a new authentication system for all of our company web apps. We are considering allowing users to login via Facebook, Google, Live, etc.
What are your thoughts on safety, privacy and security of allowing Facebook access to our users? People are telling us horror stories of Facebook tracking them even when not logged in to Facebook. Has the world chosen to accept ease of login over privacy protections? Are these fears all myths?

Safety depends very much on the code as you implement it. I prefer to avoid logging in people with Twitter, because it is very easy to create a fake account on Twitter. For now, I am with Facebook and Google, and I've noticed nothing particularly "dangerous" in terms of security.
The odd phenomenon (at least as far as my experience goes) is that, when presented with two options, i.e., the possibility to sign up with a "standard form" that requires a verification email (long procedure) and the possibility to click a button and login with Google, Yahoo, or Facebook (fast and easy), users prefer providing their information with the form, the good old way. It must be due to rumors about the privacy breach you mention.
I don't think I can dismiss or confirm such myths. The sure thing is that the Google+ button (the +1 button, to be more specific) says hi if you visit any site that has it while you're logged in, and greets you by name. Google Analytics suggests you change your privacy statement if you decide to track the interests and hobbies of visitors. Facebook has Insights too. I don't think that these are all myths.
Privacy also depends on what you do with the data you can collect with Google/Facebook/Live login. I have made it a point not to share, sell, or use any of the information gathered - not even emails, not even for newsletters (I don't send newsletters). I do understand that this may be pure idealism, and that it doesn't bring you that far if you have to run a business (not sure!), but so far it's working fine, at least for me, and for my users.
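As an added illustration of the answer's point that safety rests on the implementing code (this is example code, not the answerer's), here is a server-side check of a Facebook access token before the login is trusted. It inspects a Graph API `/debug_token` response (here a constructed JSON string rather than a live call) and accepts the token only if it is valid, was issued for this application's app id (an assumed placeholder) and has not expired.

```python
import json

# Assumed placeholder app id; a real deployment reads its own from configuration.
OUR_APP_ID = "123456789012345"

def verify_debug_token(response_json: str, expected_app_id: str, now: int) -> dict:
    """Decide whether a Graph API /debug_token response lets us trust a login.

    Returns {"ok": True, "user_id": "..."} or {"ok": False, "reason": "..."}.
    Policy of this example: the token must be a valid USER token, issued for
    *our* app id (a token for some other app must not log anyone in here),
    and carry an expiry in the future.
    """
    try:
        data = json.loads(response_json)["data"]
    except (ValueError, KeyError, TypeError):
        return {"ok": False, "reason": "malformed response"}
    if "error" in data or not data.get("is_valid"):
        return {"ok": False, "reason": "token not valid"}
    if data.get("type") != "USER":
        return {"ok": False, "reason": "not a user token"}
    if str(data.get("app_id")) != expected_app_id:
        return {"ok": False, "reason": "token issued for a different app"}
    expires_at = data.get("expires_at")
    if not isinstance(expires_at, int) or expires_at <= now:
        return {"ok": False, "reason": "token expired or has no expiry"}
    user_id = data.get("user_id")
    if not user_id:
        return {"ok": False, "reason": "no user id to bind the session to"}
    return {"ok": True, "user_id": str(user_id)}

# Constructed sample responses (shape follows the Graph API debug_token output).
NOW = 1_700_000_000
GOOD = json.dumps({"data": {"app_id": OUR_APP_ID, "type": "USER", "is_valid": True,
                            "expires_at": NOW + 3600, "user_id": "1000123", "scopes": ["email"]}})
OTHER_APP = json.dumps({"data": {"app_id": "999", "type": "USER", "is_valid": True,
                                 "expires_at": NOW + 3600, "user_id": "1000123"}})
EXPIRED = json.dumps({"data": {"app_id": OUR_APP_ID, "type": "USER", "is_valid": True,
                               "expires_at": NOW - 5, "user_id": "1000123"}})
INVALID = json.dumps({"data": {"error": {"code": 190, "message": "Invalid OAuth access token."},
                               "is_valid": False, "scopes": []}})

if __name__ == "__main__":
    for name, resp in [("good", GOOD), ("other_app", OTHER_APP), ("expired", EXPIRED), ("invalid", INVALID)]:
        print(name, verify_debug_token(resp, OUR_APP_ID, NOW))
```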

Related

Advantages/disadvantages to sign-in with Twitter, Facebook, and Google?

What are the advantages and disadvantages of implementing social sign-on on my website using these providers:
Facebook
Google
Twitter
I've noticed that certain websites employ one and not the other, or two but not three. Is this just a personal decision, or are there specific considerations that I should keep in mind (e.g. Facebook doesn't give me a user's email address, Twitter doesn't give me contact information)?
I had the same thought and problem a while ago, the thing is:
In the end it comes down to you and what information you need from a user.
A problem for me in the past was that Twitter, for example, doesn't provide a user's email address while Facebook does. So you must either set up a dummy email or extend the signup so a user must enter their email, etc.
A problem would also be what your application is about; if you count on social interaction and social traffic via shares etc., a social authentication wouldn't be bad.
Google isn't represented much in authentication and interaction because... you know... Google+, a network for Google employees.
Jokes aside, it's 'almost always' a good thing to implement social authentication for the reason that signup rates can slightly increase. Of course you should judge for yourself and define your needs.
Hope that helps a bit.
(I would recommend you take a look at this.)

How to authorize Facebook App for basic permissions without showing Authorization Dialog

From the documentation it seems that the user should always authorize the Facebook application even to access basic permissions.
However, sites like Rotten Tomatoes and Clicker.com auto-authorize the logged-in Facebook user without showing the authorization dialog. If you visit one of those sites for the first time they will be able to access your public data without you authorizing it. If I go to the Apps in my Facebook settings, an entry will appear showing that I gave access to those applications (but I DID NOT).
How can this be possible? Is it related to the "Instant Personalization" feature for selected partners?
Thanks
Well, I was doing some research and yes, it's all about Instant Personalization.
From Facebook:
We've partnered with a few websites to provide you with great, personalized experiences the moment you arrive, such as immediately playing the music you like or displaying friends' reviews. To tailor your experience, these partners only access public information (like your name and profile picture) and other information you've made public.
From one of its partners:
Clicker.com
So, at the time I'm writing this, unless you're a partner of Facebook, you'll have to show the old OAuth dialog.
Hope it helps!

Invite Facebook users at first launch

I'm considering developing an app that asks users to invite friends to participate at first launch, using the Request dialog. (The Request dialog would have a prominent Skip button, in agreement with Facebook policy IV.4.)
Browsing this forum, it appears that there USED to be a "Developer Policy V.4" which, at one time, said this: "You must not prompt users to send invitations, requests, generate notifications, or use other Facebook communication channels immediately after a user allows access or returns to your application."
I no longer see language like that in the policies available here: http://developers.facebook.com/policy/
Does this mean that prompting users to send invitations at first launch is now allowed? Or am I simply overlooking some language in the new policies that forbids this?
I believe this was removed intentionally, as it clearly isn't in their updated developer policies. The only mention of that old policy I can find is here. That post also gives a good reasoning for the old policy:
When a user -- whether returning or new -- visits your application, you must allow the user to engage with your application before asking him/her to publish a stream story, send out Requests, or use any other communication channel. The intention behind this policy is to give users the opportunity to meaningfully interact with an application before being faced with the decision of whether to communicate with friends.
The advice is still valid even if the policy is no longer in place - that you should give the user a chance to use and learn about your application before being prompted to share it. However, if you are building a game like Words With Friends where you need to play against one of your Facebook friends, then I think it would be fine (almost necessary) to invite friends right away, and this may be why Facebook removed this from their policy.
I think you will be fine if you prompt a user to send friend invites immediately, provided it's not for the purpose of spamming other people to get them to use your app and that you provide a skip option.
Also, it's sad that it's near impossible to get a response from Facebook, as you have seen with their forums.

Social Media Linking

I've done a little searching and was wondering if there is a way to link a user's account in our web app with the social media accounts they choose to link (Facebook, Twitter, etc.), i.e. when they log into our web app they are auto logged into Facebook, Twitter, etc.?
I see Facebook has an API to log in to our web app using their Facebook account, but I want it to work the other way around: I want them logged into Facebook when they log into their account via our web app.
Thanks,
Ryan
It is definitely possible. From your question I assume you would like to pull data and make actions on behalf of a user? If so, you will need the offline_access permission as well as all the other permissions you will need (check out the list here to see exactly which ones you require). Then, you can trigger a script on your server that tells Facebook, as soon as the user is logged in to your site, to log in your application as the user as well.
NOTE: You might be going about this in the wrong way. I would advise that you specify a bit more details on what exactly you need the user to be logged in for, and I can (probably) provide you with a decent answer.
EDIT: In response to your question in the comment, Ryan, here is my answer:
You need to divide this problem into 2 different situations. One: your company wants you to write all the code from scratch and not use what Facebook has to offer, in which case you should create a custom login script that enables your users to use their Facebook account as the actual user account in your web app. This is the best solution in my opinion, and is supported by the ever-so-awesome Jeff Atwood. Here's a link to how to do just this, and a tutorial about this also.
Or: your company is comfortable with using Facebook's Social Plugins.
Then you should focus on Like Button & Comments: these social plugins are the best way to enable people to create social experiences if they're already logged in.

Getting a visitors Facebook page

Hey guys, this is more of a question out of curiosity, but is it possible to get somebody's Facebook page after they have visited your site?
Was thinking maybe a chain of lookup stuff could be used starting with an IP to eventually perhaps get a name and thus that person's Facebook page. I have also heard you can read somebody's web history, is this true?
If you want something, ask for it.
Seriously: you can use Facebook Authentication {instead of|in addition to} your site's registration/login system. It's really not that hard and it's well documented (pay attention to FB's data policies though: what you can do/must not do with the data, how long you can keep it etc.)
When users sign into your app through FB Auth, they must grant your page (temporary) access to their basic profile (at least, I haven't found the way to only use FB Auth for authentication, without granting access to profile data).
On the other hand, if you are planning to track your site's users on FB without their knowledge and/or consent, there's a word for that: "stalking"; in some places, there's even a penalty of law to go with it. In such case, I would recommend talking to a lawyer first - just out of curiosity ;)