Facebook Rolls Out New App Authentication Flow That Ups Privacy and Transparency
Facebook is granting all developers access to a new application authentication flow today that was announced at f8 last month. Developers can now add a description of their app that will be displayed in a redesigned publishing permissions dialog. Extended permissions have been broken out into a second authentication step that explains why an app needs certain data, and lets users revoke specific permissions. Data about publishing permissions dialog impressions and accepts, sources of users, and extended permissions conversion rates are now included in Facebook’s app Insights analytics tool.
The changes will make it clearer to users what permissions they are granting applications, and give them more control of their privacy. The two-step authentication process could increase app install friction in a way that could hurt app growth. However, in the long-run, the revised authentication flow could increase user confidence in the Platform such that users become more comfortable experimenting with new apps.
Facebook has also changed the way it measures active user counts to only publicly report authenticated users, rather than all users. We’ve written a separate article discussing how this will cause a one-time dip in active user counts that does not actually mean apps have lost users, and explaining how this impacts our AppData tracking service.
Redesigned Permissions Dialog
Previously, users only had to accept one extended permissions dialog to give an application publishing privileges and access to their data. The permissions dialog didn’t explain what that data would be used for, or what the app would publish to a user’s profile. This meant users would sometimes grant privileges they didn’t understand and would get angry when they saw the app had published on their behalf.
The redesigned authentication flow aims to solve this problem. First, users see a dialog asking for permission to install the app and allow it to publish Open Graph activity. It shows users:
- The name and logo of the app
- A tag line about the app
- A privacy selector for choosing who it can share with
- A list of the data types it requires
- An “About this app” description of its purpose
- Open Graph aggregations previews that show what it can add to a user’s profile Timeline
- A tiny link to report the app as spam
- Friends who’ve installed the app
- A “Log In and Add t0 Facebook” accept button
Developers can configure what appears in the dialog and the default privacy setting by entering the Developers app and selecting Settings -> Auth Dialog. Once they’ve properly configured the dialog, they can implement it by enabling “Enhanced Auth Dialog” in the Migrations section of the Developers app’s “Advanced Settings”. Facebook says all apps will be migrated to the redesigned dialog by the end of 2011, though it hasn’t released exact migration dates.
Open Graph app developers reorder the aggregation previews. These previews of what an app will publish represent a significant step forward in increasing transparency in the app install process. Facebook could further improve transparency by including a sample Ticker or news feed story from the app in the previews.
Separate Extended Permissions Dialog and Authenticated Referrals
Apps requiring additional, optional privileges such as the ability to publish check-ins or post to a user’s wall will display a second extended permissions dialog after users complete the initial install dialog. This step includes clear descriptions of what each permission means and the option to deny the app these non-essential privileges. Below, the dialog is an explanation provided by the developer for why it requires these permissions.
Before the redesign, users had to grant apps all the extended permissions and then dig into their app privacy settings to revoke certain permissions. This can now be handled as users install an app. Developers should reference the tutorial Facebook posted this week to ensure their apps run properly if some permissions are revoked.
This granular control may improve app install rates from users who are sensitive about a certain type of privacy, such those who don’t want to provide contact information or have content published to the stream on their behalf.
Authenticated Referrals is another option available in the Auth Dialog settings that when enabled causes users clicking a link to an app to see the authentication flow in-line being being brought to the app. This is useful for apps that require user data or permissions to function. It allows them to remove the awkward pre-permissions landing page and provide a personalized experience when users first arrive.
Authentication Data in App Insights
App Insights now displays impressions and accepts, sources of users, and the what privacy setting users are selecting for the authentication dialog and authenticated referrals. The authentication conversion rate will help developers determine if they are asking for too many or unnecessary permissions, or that they need to reword their their explanation for asking for permissions.
Extended permissions are each listed separately in Insights, and display their impressions, click through rate, and how many times they’ve been accepted. Developers can then identify extended permissions with low conversion rates that they may want to stop asking for.
The way applications use or abuse the permissions process has been a problem for Facebook in the past. Without enough transparency, some users would end up regretting that they installed an app that published or content or used their data in ways they didn’t want. They might then blame the Facebook Platform rather than the developer, leading them to avoid using applications in the future.
This increase in transparency and enhanced granular app privacy controls should give users a much clearer sense of what and with who they’re sharing. With time, Facebook may be able to remove the privacy stigma around apps and create a Platform more users want to engage with and more developers want to work on.