Social Network Authentication Should Not Be Taken Seriously
The brochure buzzword of the year is social network integration. Whether it is the hot selling point for software vendors, the theme of federation presentations, or your management team pushing for the ultimate user convenience of letting people use their own social network accounts to authenticate into your applications, you can’t get away from it. You should get away from it as fast as you can.
The idea of using Facebook, Twitter or LinkedIn as an authentication source for applications is not a bad one, depending on what type of application you are talking about. For web applications and services that serve benign, public, social-style information, where there is limited to zero risk if it’s made public (if it’s not public already), social network integration is fine. It lets you track users and data use, gather some marketing information, and collect other non-essential data such as metrics for reporting.
The severe issues arise when decision makers in the business start pushing to extend this into business-critical applications. Having a single sign-on authenticator out there is not a bad idea in itself: it’s easy for the users, it’s easy for you, and people will enjoy the experience. But when you look beyond the brochures there is a fundamental and serious flaw with social network authentication.
The social networks have NO identity verification in place to ensure the user is actually the name on the account. None! I can go and create a Facebook profile for Joe Public. Joe Public could be the CEO of a company. If I were a committed social engineering hacker I could gain the ‘trust’ and confidence of an application provider and get access. A social login proves only that the person in front of you controls that account; there is no guarantee that Facebook stamped an approval that Joe Public is in fact Joe Public. It’s just a name on the account. So how can you even think about opening a business-critical application to social authentication when the social networks don’t confirm the user’s true identity?
That is the flaw. Social login is fine as a requirement for downloading the public earnings report, white papers and the like. Beyond that it’s a fad and cannot be taken or considered seriously as a secure option.
Facebook wants as many users as it can get. Twitter is wide open to spoofing and parody accounts. LinkedIn has problems of its own. None of them truly validates that the account owner is who the account says they are.
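The point above, that a social login tells you who controls an account and not who the person is, is easy to get wrong in code. The following is an added example, not code from Binary Blogger or from any social network: a relying-party check that keys everything on the provider’s stable (iss, sub) pair, ignores the user-typed name claim, and only lets an account into a business-critical resource if it was bound to an identity proofed out of band. The provider URL, subjects, names and the OpenID Connect ID-token shape (with signature, issuer, audience and expiry verification assumed already done by a JWT library) are assumptions, not facts from the post.

```python
"""Added example (not from the original post): a relying party that treats a
social login as proof of account control only, never as identity proofing.

Assumed, not stated on the page: the social identity provider returns an
OpenID Connect ID token and a JWT library has already verified its signature,
issuer, audience and expiry, so `claims` below is the verified payload.
Provider URL, subjects, names and the registry contents are constructed data.
"""
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    PUBLIC = 0    # white papers, earnings report: a social login is enough
    BUSINESS = 1  # business-critical: requires out-of-band identity proofing


@dataclass(frozen=True)
class ProofedIdentity:
    issuer: str
    subject: str
    real_name: str  # established by HR/KYC, never copied from a token claim


# Hypothetical provider URL (assumption); a real one is the IdP's issuer URL.
IDP = "https://idp.example.com"

# Accounts whose owners were identity-proofed out of band, keyed by (iss, sub).
# The display name is deliberately not a key: anyone can type "Joe Public".
PROOFED = {
    (IDP, "10003489"): ProofedIdentity(IDP, "10003489", "Joe Public (CEO)"),
}


def principal_from_claims(claims):
    """Return the only stable, provider-controlled identifier: (iss, sub)."""
    for required in ("iss", "sub"):
        if not claims.get(required):
            raise ValueError(f"ID token missing required claim: {required}")
    return claims["iss"], claims["sub"]


def authorize(claims, sensitivity, registry=PROOFED):
    """Decide whether a verified social login may reach a resource.

    Returns (allowed, reason). `name`, `email` and `picture` are whatever the
    account holder typed into the social network, so they are never compared
    against anything here; matching on them is the spoofing the post describes.
    """
    principal = principal_from_claims(claims)
    if sensitivity == Sensitivity.PUBLIC:
        return True, f"public resource; authenticated as {principal}"
    proofed = registry.get(principal)
    if proofed is None:
        return False, (f"{principal} has no out-of-band identity proofing; "
                       f"display name {claims.get('name')!r} is not evidence")
    return True, f"{principal} is bound to proofed identity {proofed.real_name}"


# Constructed ID-token payloads. Both say "Joe Public"; only the subject differs.
CEO_CLAIMS = {"iss": IDP, "sub": "10003489", "name": "Joe Public",
              "email": "joe@corp.example", "email_verified": True}
IMPOSTOR_CLAIMS = {"iss": IDP, "sub": "98812345", "name": "Joe Public",
                   # email_verified only proves control of that mailbox
                   "email": "joe.public@mail.example", "email_verified": True}


def demo():
    """Return the three decisions the post's argument turns on."""
    return {
        "ceo_business": authorize(CEO_CLAIMS, Sensitivity.BUSINESS),
        "impostor_business": authorize(IMPOSTOR_CLAIMS, Sensitivity.BUSINESS),
        "impostor_public": authorize(IMPOSTOR_CLAIMS, Sensitivity.PUBLIC),
    }


if __name__ == "__main__":
    for label, (allowed, reason) in demo().items():
        print(f"{label:18} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

Running it allows the bound CEO account into the business-critical resource, denies an account carrying the same display name but a different subject, and allows either against a public resource, which is the split the post draws between white papers and business-critical applications. Note that `email_verified` only tells you the holder controls that mailbox; it says nothing about who they are, and the registry binding is the only place a real identity enters the decision.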
User convenience is becoming more of a hot button as services and consuming devices continue to spread and break away from the traditional single home PC model. Now we have mobile devices, tablets, laptops, PCs, game systems and home streaming devices all becoming access points, each with its own accounts and passwords for the cloud services it uses. When I was at CA World 2013 I was part of an expert panel where we talked about identity in the cloud and the challenges around it. Identity proofing, and how to ensure the belly-button user is really the name on the account, was a big topic. This will be an obstacle for years to come, and more so when the lawyers get involved.
The fact of the matter is that, no matter how much we want it, a central identity authenticator will probably never happen. The pieces are there, and some large companies have attempted this in the past (Verified by Visa) with varying success, but as users we are probably stuck with many authentication keys as the cloud expands.
Unless Facebook steps up and takes security seriously (its own security and privacy model is laughable to begin with), it will be near impossible for someone to start something from the ground up to tackle this.
Social authentication is a neat fad, nothing more. Unless changes happen, help stop it from trying to become more than what it’s capable of being.
End of Line.
Twitter – @BinaryBlogger
Facebook – Binary Blogger
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.