Facebook launched a platform that lets third-party developers add Facebook applications. This is visionary, and it’s very very cool (though I’m not sure it’s the revolution everyone is talking about.) The problem, of course, is authentication. Take a look at the Zoho Facebook application. Zoho is a separate company. They have their own accounts. So now they have to associate an existing Facebook account with an existing Zoho account. The only way they can do this currently is to ask for the Zoho password from within the Zoho Facebook application, which is served from facebook.com. So now verifying the URL before you enter a password doesn’t mean anything. You have to trust facebook, and by that token all of its third-party developers, with all of your passwords. Great!
People have been saying this for years, but now the rubber meets the road for real: we need some kind of authentication infrastructure. And guess what… OpenID won’t cut it here, because the issue is to find some way to provide Facebook with a token that it can forward to Zoho that will let Zoho authenticate the user, and since OpenID only supports direct authentication rather than cryptographic-token-mediated authentication, it won’t work. I’m guessing CardSpace won’t work either, although I don’t know it well enough to say for sure.
No, what’s positively fascinating about this is that there’s a need for some fairly complex authentication mechanism, where the user is specifically asked to associate two different accounts on two different systems. The right solution almost certainly requires cryptographic tokens. I’m not sure what it will take, but we’d better think fast, because this kind of application is precipitating the end of the password authentication concept.