An outage across apps from Spotify to TikTok to Walmart shows why developers need to quit using their Menlo Park middleman.
Big Tech entices us into trading convenience for our data and privacy. And last Wednesday night, Facebook gave us yet another example of why that trade-off is a problem.
Millions of users of some of the most high-profile apps in the world—including Spotify, Walmart, Venmo and TikTok—were suddenly unable to log on for about 30 minutes.
Because Facebook messed up. Specifically, a piece of Facebook code that was supposed to help users log on broke—and took any app using the code down with it.
But this is not just about one bug. The outage shows why using centralized login protocols from Facebook, or anyone else, is a bad idea. I think developers should use a much more secure and robust solution for user logins called a “zero-knowledge decentralized architecture.”
Before I make that case, I have to ask: Why do we live in a world where we’re dependent on Facebook to use our apps anyhow?
The seductive convenience of Facebook Connect
In the mad Silicon Valley rush to add users at all costs, a lot of developers decided to use a third-party login functionality known as Facebook Connect. They thought, “Why force users to stop and create a whole new account to try out our app? They might not bother. We’ll let them log in with their Facebook account just to get them in the door.”
When a startup is burning through $100,000/month+ to get to launch, this type of time-saving shortcut is tempting. I remember those days and I’m sympathetic to the impulse.
The problem with Facebook as your authentication middleman
The Wednesday Facebook outage shows why this trade-off is a bad idea in the long run. Not only are you dependent on Facebook’s technical competency to keep your app running – you’re also creating a hacker magnet. There’s nothing like holding a centralized database of millions of usernames and passwords to put a giant bullseye on your organization. Even Facebook, with its legions of highly-paid engineers, has not been able to keep its user passwords safe.
Then there’s the fact that this is Facebook we’re talking about—whose entire business model relies on exhaustively tracking people’s every move.
So when you use Facebook Connect, you’re also agreeing to run other pieces of Facebook code on your app. Facebook is presumably using that code to track the activity of your customers—even those who didn’t log in with a Facebook account.
These problems came to a head during the outage. Those mysterious processes that Facebook launches whenever the app starts also mean that even when developers tried a workaround on Wednesday by “commenting out” calls to Facebook in their code, the app still didn’t work. You couldn’t deactivate the Facebook developer kit, even if you tried. Even though it’s your app!
A simple solution with a complicated name: zero-knowledge decentralized architecture
At Dashlane, we think there’s a better way to manage identity, using “zero-knowledge decentralized architecture.” We offer the convenience of a third-party service like the ones offered by Facebook and other tech giants, but without a centralized repository of everyone’s data.
Our servers never hold your Master Password (we have “zero knowledge” of it). If you forget the password, we just delete all of your encrypted passwords. (No one can read them!) Our “zero knowledge” protocol makes our customers an unattractive target for hackers, because it makes hacking so inefficient. Even if there were a successful hack of one customer, that would yield access just to that person’s data, rather than to millions of usernames and passwords. There is no “centralized” computer that holds all of the customer passwords to be hacked.
Unlike proposed blockchain-based solutions, we also can scale as much as we want, because the encryption happens on our client’s machine. We’re effectively leveraging the computing power of our millions of customers, simply by selling you software that runs on your computers.
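The pattern described in the two paragraphs above, as an added Node.js example (not Dashlane's code or protocol): the key is derived from the master password on the client, and the server stores only salt, nonce, tag and ciphertext. The function names, the choice of scrypt and AES-256-GCM, and the sample data are assumptions made for this illustration.

```javascript
// Added illustration; not Dashlane's code. Names and parameters are assumptions.
const nodeCrypto = require('node:crypto');
const b64 = (s) => Buffer.from(s, 'base64');

// Client only: stretch the master password into a 256-bit key with scrypt.
function deriveKey(masterPassword, salt) {
  return nodeCrypto.scryptSync(masterPassword, salt, 32, { N: 2 ** 14, r: 8, p: 1 });
}

// Client only: encrypt the vault. The returned record is all the server receives.
function sealVault(masterPassword, vault) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(masterPassword, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(vault), 'utf8'), cipher.final()]);
  const enc = (buf) => buf.toString('base64');
  return { salt: enc(salt), iv: enc(iv), tag: enc(cipher.getAuthTag()), ct: enc(ct) };
}

// Client only: returns the vault, or null for a wrong password or an altered record.
function openVault(masterPassword, record) {
  const key = deriveKey(masterPassword, b64(record.salt));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, b64(record.iv));
  decipher.setAuthTag(b64(record.tag));
  try {
    const pt = Buffer.concat([decipher.update(b64(record.ct)), decipher.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch {
    return null; // GCM authentication failed: nothing is recoverable without the key
  }
}

// Stand-in for the provider's database: it stores opaque records and holds no key.
const serverStore = new Map();
function demo() {
  const master = 'constructed master password'; // constructed sample input
  const vault = { 'example.test': 'constructed-site-password' }; // constructed
  serverStore.set('alice', sealVault(master, vault));
  const stored = serverStore.get('alice');
  const bytes = b64(stored.ct);
  bytes[0] ^= 1; // simulate a record altered on the server
  return {
    opened: openVault(master, stored),
    wrongPassword: openVault('a wrong guess', stored),
    tampered: openVault(master, { ...stored, ct: bytes.toString('base64') }),
    serverRecord: JSON.stringify(stored),
  };
}
console.log(demo());
```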
Developers should resist the temptation to build a giant security hole into their app in the form of an “authentication middleman” like Facebook Connect.
Build your own authentication system. And then rely on the magic of zero-knowledge decentralized architecture to protect your customers’ identities. Instead of remembering dozens of passwords, they’ll only need to remember one.