Facebook Login Is Gone
As we mentioned, Facebook audited our use of their API and decided our security practices are not sufficient so they suspended our use of their platform. Those of you who regularly signed in with Facebook will need to sign in with your iNat username and password from now on, and if you never set a password, you can try and do so by resetting your password, but that will only work if you had an email address associated with your iNat account. We will be removing the Facebook Login buttons from our software as soon as possible.
We are genuinely sorry if anyone got locked out of their iNat account, but we don't see a way to get back in Facebook's good graces. Hopefully this will serve as a reminder to everyone: please enter a working email address for your iNat account. For those who want more detail, read on:
The Details
Specifically, Facebook's remaining complaints were
- Not proving that we scan our software for security vulnerabilities
- Not having sufficient administrative or technical controls over iNat employees storing Facebook user data on their devices
We actually do scan our software for security vulnerabilities, and we provided Facebook with evidence to that effect, but for reasons we don't understand they considered that evidence to be insufficient. We asked them to explain why our evidence didn't meet their standards, but all they did was point to their documentation, which didn't clarify things for us. Maybe this was a failure of understanding on our part, but we got to the point where all we could do was ask for more clarity, and Facebook was unwiling to provide it.
Storage of Facebook user data is a more legitimate sticking point. Facebook wanted proof of very tight, centralized control over staff devices that store Facebook user data, either technical controls in the form of multi-factor authentication to access devices like staff workstations, or administrative controls like policies about not sharing data and engaging in reasonable security practices. We don't have the capacity to implement the technical controls as we're a small, distributed team who all work from home. We did provide them with the policy evidence they asked for, but they deemed it insufficient, again without explaining how we could improve the policy. Both are kind of moot, though, because we use Facebook user data (like profile pics and usernames) to create public iNat accounts, so really everyone who uses iNat has access to Facebook user data and stores it on their device when they view iNat, and we can't really control that. Furthermore we think it would be unreasonable to prevent someone on staff from, say, downloading an archive of this data to perform an analysis on their laptop, when anyone else on the Internet can do the same by downloading iNat open data.
Ultimately, Facebook's security requirements seem to apply to larger organizations than ours with more centralized control. I suspect we got unlucky in getting audited by Facebook, but it happened, we tried to answer all of their questions, and it wasn't enough. We have been wanting to remove Facebook login for a long time because it's a headache to manage and it creates confusion when people sign in with Facebook but we can't link their Facebook account to their pre-existing iNat account, but we were hoping to do it in a more gradual and controlled fashion than this. Again, we apologize to everyone who has been inconvenienced.
Comments
That's so ironic!
Well now how am I supposed to link my observations in the metaverse?
Any other method if a person in a rural setting doesn't have email and has no use for email?
@suvarna all of the login methods require email at some level (that was also true for Facebook—you need an email address to use Facebook).
Sure, I understand thanks. Just battled to have the community members set up email during our iNat training last week :-(
Add a Comment