I was at a dinner with other Identity and Access Management experts in the Twin Cities area the other night. As techies do when they all get into the same room, we picked a topic and analyzed the heck out of it. That night we got into a very interesting discussion around using social networks as an authentication source for business applications and what the implications of that approach are. Ignoring the technical challenges of federation and managing the identity, we focused on the broader issue of using social media as a trusted source of identity.
When you sign up as a customer with a company, that company does what it can to ensure you are who you say you are as a person. It collects your home address, phone number, SSN, credit card, and other issued information; the industry generally accepts, mostly, that a credit card in combination with a home address and a birthdate validates you as a person. After that, you get a separate username and password for that company. Fast forward, and that is why companies need federation to maintain single sign-on across their services: it tries to bring uniformity to a disjointed world of identities and accounts. (A username/password account is not your identity.)
So naturally the discussion moved on to social networks and looking to use those as the ‘source of truth’ for identity. Facebook, for example, seems to be leading the pack on this shift. If you look around the Internet now, most ‘legitimate’ news sites, forums, and other public sites require you to use your Facebook account to authenticate and comment, and they no longer allow anonymous accounts. Now, I am 100% against restriction of the anonymous profile. An idea is an idea and should be allowed to be expressed in any way it can. Most of the time the fear of suppression, backlash and potentially violence against that idea is why people use aliases. This concept of anonymity is not new. People have been editorializing anonymously for centuries through letters to the editor. Now it’s a much bigger newspaper with no editor between the writer and public consumption. I am not going to get into the argument of allowing anonymous accounts on the Internet.
It is important that, if the IT security world is moving toward a universal identity, someone, somewhere has control over how that is done.
A universal identity for the Internet which directly ties to you as a person is coming, and I think it should, as it would solve many security holes that exist today when it comes to identities. Much like a Social Security Number, there needs to be a key for your digital life as well. Verified by Visa kind of does it, but it’s only for Visa. Facebook has the authentication process down, but for the central identity it cannot be trusted yet and shouldn’t be the one that does it. The government absolutely should not control it. I would trust a corporation to manage the universal identity 10 times over before the government. Because if the government has it, then after you control how people can post, you control how people think.
Right now the hangup on wide adoption of social networks as the identity provider is that there is no hard backbone to absolutely guarantee that I am who I say I am behind the Facebook account. Anyone can get a Facebook account and call themselves whatever they want; a social login proves control of an account, not the truth of the name or profile attached to it. In IT security, trusting users doesn’t exist and no one should ever trust their users. That’s the next step. A company needs to be spun up that creates that safe, secure, personally linked identity vault that can be used by companies’ authentication and authorization systems. Until then, the social linkages are a nice novelty but will always limit the full release of features. What that means for customers is that you will have to maintain a username/password relationship with each and every company you do business with. That in and of itself is not secure, and it is expensive for companies to maintain.
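As an added example (not code from the original post), here is how a relying party can consume a social login assertion without mistaking it for identity. The claim names follow the OpenID Connect ID-token conventions (`iss`, `sub`, `email`, `email_verified`, `name`); the sample payloads are constructed, and the code assumes an OIDC library has already validated signature, audience and expiry before the payload gets here. Linking happens on issuer plus subject, self-typed profile attributes are kept for display only, and the feature set unlocked never includes anything that needs a real-world identity, which is exactly the "limited features" situation described above.

```python
"""Relying-party handling of a social login assertion.

Added example, not code from the original post. Claim names follow the
OpenID Connect ID-token conventions (iss, sub, email, email_verified, name);
the sample payloads are constructed, and in a real deployment they are assumed
to have already passed signature, audience and expiry validation in an OIDC
library before reaching this code.
"""
from dataclasses import dataclass, field

# Registered token claims that describe the token itself, not the person.
TOKEN_METADATA = {"iss", "sub", "aud", "exp", "iat", "nbf", "nonce", "email_verified"}

# Profile attributes a social IdP lets the user type in freely. A valid
# signature proves the IdP issued the token, not that these values are true.
SELF_ASSERTED = {"name", "given_name", "family_name", "picture", "birthdate", "address"}


@dataclass(frozen=True)
class LinkedIdentity:
    linking_key: str                                   # stable key tying the IdP account to a local one
    verified: dict = field(default_factory=dict)       # claims the IdP vouches for
    self_asserted: dict = field(default_factory=dict)  # claims the user chose; display only
    assurance: str = "account_control"                 # what the assertion actually proves


def classify_assertion(claims: dict) -> LinkedIdentity:
    """Split a validated ID-token payload into what it proves and what it merely states."""
    if not claims.get("iss") or not claims.get("sub"):
        raise ValueError("assertion lacks issuer or subject; cannot link an account")

    # Link on issuer + subject, never on email or display name: those can be
    # changed by the user, reused by a different person, or simply made up.
    linking_key = f"{claims['iss']}|{claims['sub']}"

    verified, self_asserted = {}, {}
    for name, value in claims.items():
        if name in TOKEN_METADATA:
            continue
        if name == "email" and claims.get("email_verified") is True:
            verified[name] = value  # the IdP confirmed control of this mailbox
        else:
            # Anything the IdP does not explicitly vouch for is treated as
            # self-asserted, including unknown claims we have no rule for.
            self_asserted[name] = value

    # A social login proves control of an account at that IdP, and at best
    # control of a mailbox. Nothing here rises to identity proofing.
    assurance = "account_control+verified_email" if "email" in verified else "account_control"
    return LinkedIdentity(linking_key, verified, self_asserted, assurance)


# Features a relying party can safely unlock per assurance level. Anything that
# needs a real-world identity (payments, regulated data) is absent on purpose:
# it requires separate identity proofing, not a stronger social login.
FEATURES_BY_ASSURANCE = {
    "account_control": {"comment", "save_preferences"},
    "account_control+verified_email": {
        "comment", "save_preferences", "email_notifications", "password_reset_by_email",
    },
}


def allowed_features(identity: LinkedIdentity) -> set:
    """Return the feature set this assertion justifies; unknown levels get nothing."""
    return set(FEATURES_BY_ASSURANCE.get(identity.assurance, set()))


# Constructed sample payloads (not real tokens, issuers or accounts).
GOOD_TOKEN = {
    "iss": "https://idp.example", "sub": "1234567890", "aud": "rp-client", "exp": 4102444800,
    "email": "pat@example.net", "email_verified": True, "name": "Pat Example",
}
SPOOFED_PROFILE = {
    "iss": "https://idp.example", "sub": "9876543210", "aud": "rp-client", "exp": 4102444800,
    "email": "ceo@bank.example", "email_verified": False, "name": "Bank CEO",
}

if __name__ == "__main__":
    for payload in (GOOD_TOKEN, SPOOFED_PROFILE):
        ident = classify_assertion(payload)
        print(ident.linking_key, ident.assurance, sorted(allowed_features(ident)))
```

The second payload is the case the post warns about: a perfectly valid token whose `name` and unverified `email` claim to be someone important. Because the code links on `iss|sub` and only promotes claims the provider vouches for, that account gets the same low-assurance feature set as any other and can never be mistaken for the person it names.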
The universal identity is coming, and corporate America will be the one to create it. It won’t be for suppressing thought but for maximizing the security of their data, which in turn protects the bottom line.
End of Line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration, and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.