Legitimacy of Social Login


Social Websites have become the largest providers of online identity through the use of Social Login.

When you use Facebook to log into a third party Web site (known in identity circles as a Relying Party), you are participating in an identity regime that has a particular constitutional order and granting it legitimacy by your participation. Further, the Relying Party has also chosen to recognize the legitimacy of Social Login.

The constitutional order of Social Login is found in the terms and conditions in the Contract of Adhesion that Social Login identity providers impose on people and relying parties alike. The system is a "take it or leave it" proposition with terms that can be changed at will by the Social Login identity provider.

A constitutional order makes different promises to those in the system (the users) and those on the outside (the relying parties). Let's examine the promises that Social Login makes:

  • To people, Social Login says "use the identity we provide to you and we will make logging into sites you visit easy."
  • To relying parties, Social Login promises "use the identity we provide and trust us to accurately authenticate your users and we will reduce your costs, increase flexibility, and give you more accurate information about your users."

Social Login not Accepted by All

As successful as Social Login has been, there are a lot of places that social login has failed to penetrate. By and large, financial and health care institutions, for example, have not joined in to use Social Login. Why is this?

A constitutional theorist would say that Social Login identity providers have failed the legitimacy test. Some relying parties and some people (either completely or for some use cases) have failed to yield their sovereignty to them. Legitimacy ultimately rests on trust that the regime can keep its promises. When that trust is missing or lost, the regime suffers a legitimacy crisis.

For people, the lack of trust in Social Login might be from fear of Identity Correlation, fear of what data will be shared, or lack of trust in the security of the Social Login platform.

For relying parties, the lack of trust may result from the perception that the identity provider performs insufficient identity proofing or the fear of outsourcing a critical security function (user authentication) to a third party. An additional concern is allowing a third party to have administrative authority for the relying party's users, which means not being in control of a critical piece of infrastructure. That is, they fear that the rules of the game might change arbitrarily based on the fluctuating business demands of the identity provider.[3]

These trust failings ultimately stem from the structure of the Trust Framework, the constitutional order, of Social Login. Because it's based on terms and conditions imposed by the identity provider whose primary business is something else, people and relying parties alike have less confidence in the future state of the identity system. So, it's good enough for some purposes, but not all.
