Facebook Rolls Out New App Authentication Flow That Ups Privacy and Transparency

Facebook is granting all developers access to a new application authentication flow today that was announced at f8 last month. Developers can now add a description of their app that will be displayed in a redesigned publishing permissions dialog. Extended permissions have been broken out into a second authentication step that explains why an app needs certain data, and lets users revoke specific permissions. Data about publishing permissions dialog impressions and accepts, sources of users, and extended permissions conversion rates are now included in Facebook’s app Insights analytics tool.

The changes will make it clearer to users what permissions they are granting applications, and give them more control of their privacy. The two-step authentication process could increase app install friction in a way that could hurt app growth. However, in the long-run, the revised authentication flow could increase user confidence in the Platform such that users become more comfortable experimenting with new apps.

Facebook has also changed the way it measures active user counts to only publicly report authenticated users, rather than all users. We’ve written a separate article discussing how this will cause a one-time dip in active user counts that does not actually mean apps have lost users, and explaining how this impacts our AppData tracking service.

Redesigned Permissions Dialog

Previously, users only had to accept one extended permissions dialog to give an application publishing privileges and access to their data. The permissions dialog didn’t explain what that data would be used for, or what the app would publish to a user’s profile. This meant users would sometimes grant privileges they didn’t understand and would get angry when they saw the app had published on their behalf.

The redesigned authentication flow aims to solve this problem. First, users see a dialog asking for permission to install the app and allow it to publish Open Graph activity. It shows users:

  • The name  and logo of the app
  • A tag line about the app
  • A privacy selector for choosing who it can share with
  • A list of the data types it requires
  • An “About this app” description of its purpose
  • Open Graph aggregations previews that show what it can add to a user’s profile Timeline
  • A link to the Facebook terms of service and privacy policy
  • A tiny link to report the app as spam
  • Friends who’ve installed the app
  • A “Log In and Add t0 Facebook” accept button


Developers can configure what appears in the dialog and the default privacy setting by entering the Developers app and selecting Settings -> Auth Dialog. Once they’ve properly configured the dialog, they can implement it by enabling “Enhanced Auth Dialog” in the Migrations section of the Developers app’s “Advanced Settings”. Facebook says all apps will be migrated to the redesigned dialog by the end of 2011, though it hasn’t released exact migration dates.

Open Graph app developers reorder the aggregation previews. These previews of what an app will publish represent a significant step forward in increasing transparency in the app install process. Facebook could further improve transparency by including a sample Ticker or news feed story from the app in the previews.

Separate Extended Permissions Dialog and Authenticated Referrals

Apps requiring additional, optional privileges such as the ability to publish check-ins or post to a user’s wall will display a second extended permissions dialog after users complete the initial install dialog. This step includes clear descriptions of what each permission means and the option to deny the app these non-essential privileges. Below, the dialog is an explanation provided by the developer for why it requires these permissions.

Before the redesign, users had to grant apps all the extended permissions and then dig into their app privacy settings to revoke certain permissions. This can now be handled as users install an app. Developers should reference the tutorial Facebook posted this week to ensure their apps run properly if some permissions are revoked.