My dog ate my homework

Am I the only one, or is this a strange email from Facebook?

I mean, “lost”?? No backups?

I hear you. This must be fake – a phishing email, right?

No https on the page I'm directed to, either… The average user has no chance of figuring out whether this is legit or not. So guess what: he or she won't even try.

I'll forget and forgive the “loss”, but following it up by putting all their users through a sequence of steps that teaches them how to be phished really stinks.

Seems to drive home the main premise of Information Cards set forth in the Laws of Identity:

Hundreds of millions of people have been trained to accept anything any site wants to throw at them as being the “normal way” to conduct business online. They have been taught to type their names, secret passwords and personal identifying information into almost any input form that appears on their screen.

There is no consistent and comprehensible framework allowing them to evaluate the authenticity of the sites they visit, and they don’t have a reliable way of knowing when they are disclosing private information to illegitimate parties.
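The checks the quoted passage says users have no framework for are mechanical enough that a mail client or gateway could make them on the user's behalf. The following is an added example, not code from the post or from any product it mentions: it pulls the links out of a recovery e-mail and flags the things a reader cannot be expected to notice by eye (a non-https target, a link host outside the sender's domain, user-info tricks in the URL, raw IP hosts). The message, the sender address and the link hosts are constructed, and the two-label "registrable domain" heuristic is deliberately naive (it does not handle suffixes such as co.uk).

```python
"""Automate the link checks a reader of a recovery e-mail cannot do by eye.

Added example, not from the original post. The sample message, addresses
and hosts are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample recovery mail (not the message quoted in the post).
SAMPLE_EMAIL = """\
From: Example Social <noreply@social.example>
To: user@example.org
Subject: We lost your profile
Content-Type: text/plain

Sorry, we lost your profile. Please confirm your account here:
http://social.example/recover?u=1234
or here if that does not work:
http://social-example.recover.invalid/login
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def sender_domain(msg) -> str:
    """Domain of the (unauthenticated) From: address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def registrable(host: str) -> str:
    """Naive registrable domain: last two labels. Assumption: no
    multi-label public suffixes (co.uk etc.) in the hosts we see."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_link(url: str, sender_dom: str) -> list:
    """Return the list of findings for one link, empty if nothing is odd."""
    findings = []
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if u.scheme != "https":
        # Password or token entry over plain http: the point of the post.
        findings.append("no-https")
    if u.username is not None:
        # https://real.example@evil.invalid/ renders as the real site to
        # a casual reader but resolves to evil.invalid.
        findings.append("userinfo-in-url")
    if IPV4_RE.fullmatch(host):
        findings.append("ip-literal-host")
    if registrable(host) != registrable(sender_dom):
        findings.append("host-not-sender-domain")
    return findings


def audit_email(raw: str) -> dict:
    """Map every link in the body to its findings."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    dom = sender_domain(msg)
    return {url: check_link(url, dom) for url in URL_RE.findall(body)}


if __name__ == "__main__":
    for url, findings in audit_email(SAMPLE_EMAIL).items():
        print(url, "->", ", ".join(findings) or "ok")
```

The sender domain comes from the From: header, which is itself unauthenticated unless SPF/DKIM/DMARC have already passed; the script only answers "does this link even look like it belongs to whoever claims to have sent it", which is the question the average user is left to answer alone.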


Published by

Kim Cameron

Work on identity.

4 thoughts on “My dog ate my homework”

  1. Can I just point out that the Live ID login page also doesn't have https by default (you can only get to the https login site by clicking a well hidden link, which I am sure 90% of average users will never do). How bad is the difference? The content within Facebook might be valuable, but compared to the content protected by Live ID it is laughable; a heavy user of the Microsoft services might have email, his website, his financial data, his health data, access to software worth thousands of dollars and what have you all tied to this one Live ID.

    So, the situation at Live ID seems much, much worse to me. Maybe point that out first before you go after Facebook? 🙂

    [Kim responds]: I agree that the default should be to use https for password entry. I hope Live ID will move towards a different default ASAP – it's difficult and expensive when you do a billion authentications a day. It's a problem across the industry and I'm trying to change it everywhere. I'm not a Facebook hater – I use it and like it.

    What I was saying in my post was that they “lost” my profile and sent me an email that it seemed MUST be a phishing email. You would think at that point they could turn on the https while they recovered. But no, they didn't use https when I was redirected from the weird email. It just pushed me over the edge. If it looks like I'm the pot calling the kettle black, then I guess I need more time off.

  2. Oh, and I don't know how many times I have changed the profile setting on this blog to display my nickname and NOT my full name on comments, now it again used my full name… Can you please change it to davidacoder? This is by the way also quite a privacy problem, your blog software gives me the impression that it will only display my nickname (after all, I picked that setting) to the world, and then always shows my full name. Not great.

    [Kim responds] Funny – when I look at your comment, without having changed anything, whether I'm logged in or not I see the posting as being by “davidacoder”. Here is a screen capture. So I don't understand the issue. Does it look different from your browser??

  3. That is a bizarre email from Facebook. Does sound fishy but clearly it's not. Odd.

    On a totally unrelated note, what's the deal between the Geneva Framework and OpenID. It seems like there's no relation but I thought Microsoft was going to work on making those two MORE connected. I'm a bit confused on what the plan is to make them work together better.

Comments are closed.