Facebook recently made its largest bug bounty payout to date — $33,500, according to ZDNet — to Brazilian computer engineer Reginaldo Silva for his discovery of a vulnerability in the social network’s OpenID implementation that could have let an attacker take full control of one of its servers.
While many developers believe that opening up access to user emails may corrupt the Facebook Platform ecosystem, the company appears to be moving forward with the transition. Dan Peguine of HonestyBox forwarded us a screenshot last week of a prompt asking the user to share their email address with the application developer (pictured below). While this is most likely an initial test, it’s clear that Facebook will soon grant developers access to user emails. If things stay on schedule, this could be the largest implementation of an OpenID-like authentication system ever.
Later today Facebook will officially become an OpenID relying party. What does that mean? It means that if you want to sign up for Facebook using an account from another OpenID provider, you can. Initially the service will not be completely open, though. As Facebook will post later today, “To start, new users can now register for Facebook with their Gmail accounts, and existing users can link their Facebook accounts with any OpenID provider to connect with friends and eliminate the need for multiple sign-ins.”
Yesterday, during its Technology Tasting event, Facebook formally announced support for OpenID. For the past two and a half years I have been following the evolution of OpenID as it has emerged as the leading standard for digital identity. It hasn’t always been smooth sailing for the standard: one company after another pledged support yet failed to become a relying party, acting only as an OpenID provider (meaning you could use its accounts to log in to other sites, but not log in to its site with an identity from elsewhere).
Today Facebook is hosting the OpenID User Experience Summit, at which a number of people are discussing the look and feel of OpenID and OAuth and what the user experience for these open standards should be. If all of this sounds like gibberish to you, don’t feel bad. The main point is that there should be standards that let users store their identity anywhere on the web with an identity provider (such as Facebook, MySpace, Yahoo, etc.) and then share that information with other sites.
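The relying-party side of this arrangement, as an added example that is not code from this page, from Facebook, or from any OpenID library: a site that accepts identities from an outside provider has to check the provider's signed answer before trusting it. The block below builds an OpenID 2.0 positive assertion the way a provider would (HMAC-SHA256 over the Key-Value Form of the fields named in openid.signed) and then verifies it the way a relying party should, rejecting unsigned identifiers, a wrong return_to or endpoint, a stale or replayed response_nonce, and a bad signature. The association handle, secret, hostnames and nonce are constructed values; in practice the secret comes from an earlier openid.mode=associate exchange.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"

# Constructed for this example; normally negotiated with the provider beforehand.
ASSOC_HANDLE = "assoc-example-1"
ASSOC_SECRET = bytes(range(32))
RP_RETURN_TO = "https://rp.example/openid/return"   # hypothetical relying party
OP_ENDPOINT = "https://op.example/server"           # hypothetical provider
# Fields OpenID 2.0 requires the signature to cover in a positive assertion.
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")
EXAMPLE_NOW = datetime(2009, 5, 19, 12, 0, 0, tzinfo=timezone.utc)


def token_contents(params, signed_fields):
    """Key-Value Form: 'key:value\\n' per signed field, in openid.signed order,
    with the 'openid.' prefix stripped from each key."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields).encode()


def sign(params, signed_fields, secret):
    """Base64 HMAC-SHA256 over the token contents (HMAC-SHA256 association)."""
    mac = hmac.new(secret, token_contents(params, signed_fields), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def provider_assertion(claimed_id, nonce, secret=ASSOC_SECRET):
    """The query string the provider redirects the browser back to return_to with."""
    signed_fields = list(REQUIRED_SIGNED) + ["claimed_id", "identity"]
    params = {
        "openid.ns": OPENID_NS, "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT, "openid.return_to": RP_RETURN_TO,
        "openid.response_nonce": nonce, "openid.assoc_handle": ASSOC_HANDLE,
        "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
        "openid.signed": ",".join(signed_fields),
    }
    params["openid.sig"] = sign(params, signed_fields, secret)
    return urlencode(params)


def verify_assertion(query, now, seen_nonces, secret=ASSOC_SECRET):
    """Relying-party verification. Returns (claimed_id, None) on success or
    (None, reason) on failure; the nonce is recorded only after a valid signature."""
    p = dict(parse_qsl(query, keep_blank_values=True))
    if p.get("openid.ns") != OPENID_NS or p.get("openid.mode") != "id_res":
        return None, "not an OpenID 2.0 positive assertion"
    signed_fields = p.get("openid.signed", "").split(",")
    for f in REQUIRED_SIGNED:
        if f not in signed_fields:
            return None, f"required field not signed: {f}"
    # An identifier that is present but unsigned could be swapped by the user agent.
    for f in ("claimed_id", "identity"):
        if "openid." + f in p and f not in signed_fields:
            return None, f"{f} present but not signed"
    for f in signed_fields:
        if "openid." + f not in p:
            return None, f"signed field missing from message: {f}"
    if p["openid.return_to"] != RP_RETURN_TO:
        return None, "return_to does not match this relying party"
    if p["openid.op_endpoint"] != OP_ENDPOINT:
        return None, "assertion from unexpected provider endpoint"
    if p["openid.assoc_handle"] != ASSOC_HANDLE:
        return None, "unknown association handle"
    # response_nonce = ISO-8601 UTC timestamp followed by unique characters.
    nonce = p["openid.response_nonce"]
    try:
        issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None, "malformed response_nonce"
    if abs(now - issued) > timedelta(minutes=5):
        return None, "response_nonce outside acceptance window"
    if nonce in seen_nonces:
        return None, "response_nonce already used (replay)"
    expected = sign(p, signed_fields, secret)
    if not hmac.compare_digest(expected.encode(), p.get("openid.sig", "").encode()):
        return None, "signature mismatch"
    seen_nonces.add(nonce)
    return p.get("openid.claimed_id"), None


def run_demo():
    """Valid assertion, its replay, a tampered identifier, and a stale nonce."""
    nonce = EXAMPLE_NOW.strftime("%Y-%m-%dT%H:%M:%SZ") + "abc123"
    seen = set()
    query = provider_assertion("https://alice.example/", nonce)
    results = [
        verify_assertion(query, EXAMPLE_NOW, seen),
        verify_assertion(query, EXAMPLE_NOW, seen),
        verify_assertion(query.replace("alice", "mallory"), EXAMPLE_NOW, set()),
        verify_assertion(query, EXAMPLE_NOW + timedelta(minutes=10), set()),
    ]
    return results


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```

The order of the checks matters: the nonce is only stored after the signature verifies, so an attacker cannot burn a victim's legitimate nonce by submitting a forged copy first, and identifier fields are rejected outright when they appear outside openid.signed rather than silently trusted.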
Today, Facebook announced that it has joined the OpenID Foundation. Facebook has long been criticized by those working to build out the “open stack” for not supporting open standards, instead opting to develop its own authorization protocols. Facebook Connect is the public authentication model the company is currently promoting, although the Facebook API has provided authentication methods for a while now.
It was inevitable that a company would come along and release a standard for single sign-on backed by the financial muscle to build strong partnerships and, more importantly, mainstream buzz. Yesterday Caroline McCarthy highlighted some of the challenges facing OpenID, and I have to say the battle between Facebook and the open standards community is about to get pretty fierce.
So far hundreds if not thousands of sites have implemented OpenID, but unfortunately most people don’t know what it is. One of the main reasons? There is no centralized public relations team to spread the word and little incentive for any of the participants to join. It’s a great service, but it doesn’t have the more than 120 million (probably closer to 130 million) users that Facebook now has.