It has been the catalyst for the expanded use of internet services, and it has also served as the "great advertiser", persuading us to use the services of partner sites and to connect across applications.
Just 5 or 6 years ago, it was common practice to create an individual user account for each web service you used. Each website had its own authentication method, some using multi-factor authentication, others simply requiring a username and password. As web services became more interconnected and more widely used across the globe, authentication platforms followed suit. Why would an organization choose to leverage a company like Facebook to register new users? By minimizing the back-end services needed to manage users, companies save money by leveraging APIs and open standards (e.g. SAML, OAuth 2.0 and OpenID Connect) that link to Facebook, Twitter, Google and other social platforms. A common authentication system also removes a barrier companies previously ran into: users who were unwilling to hand over their information to create yet another account on yet another site. This single sign-on experience has helped organizations increase traffic and membership while removing the need to manage user accounts and to build out the databases and web servers that authenticate users. In their eyes, this is a win-win….Right?
Not so fast… There has been a lot of research and discussion around the pros and cons of relying on a common digital identity system, and it is clear that there are a number of critical risks to consider before using a social media company to handle user authentication. ISACA has published material on the matter, coining the term "Bring Your Own Identity". Users have too many usernames and passwords, they suffer from "identity fatigue", and so they may prefer a distributed login platform that connects services via APIs. As ISACA states, "This important trend is not just about new devices; it is about the entire relationship between IT and its user population. In addition, this trend introduces significant security issues because critical IT assets need to be available — securely — to an increasingly distributed and diverse user base that is using consumer devices of their own choosing." [source]
Yes, Facebook or Google may seem too big to fail. But we have already seen Google's OAuth service go down, preventing millions of users from accessing third-party services. Relying on these platforms creates exactly this hazard: the identity provider becomes a single point of failure for every site that depends on it. In the event of a service disruption or a breach of user identities, companies still incur large costs to protect their users, including those who registered with third-party credentials. With a large possible impact, the risk of such an incident is one that has to be planned for.
Ideas have popped up from time to time to create a central digital identity authority (outside of the social media platforms) for the whole web, but that poses the same risk: it too would be a single point of failure. Alternatively, a hybrid strategy grants users a pre-defined level of access on the strength of third-party authentication alone, while keeping them out of the more critical portions of the site until they have proven themselves to the site directly. Applying granular security policies in this way limits the damage from an identity provider outage, from attackers replaying breached user credentials, and from a number of other critical issues that could hurt an organization.
One such approach is step-up authentication with tiered session tokens. A user signs in with their Facebook, Google or other third-party credentials to gain initial entry, and the session token issued at that point carries only the lower access level. When they reach a restricted portion of the site, they authenticate with that specific business directly (for example with a site-specific password or one-time code), and only then is a token with the higher access level issued, giving the restricted areas an added layer of protection that does not depend on the third party.
Using RESTful service endpoints to facilitate registration
In other instances, a user may enter portions of the website with their social login credentials alone. Again, they are only allowed into certain portions and cannot reach confidential content or sections of the site. When it comes time to register the user for the restricted areas, one answer to the registration barrier is to use RESTful service endpoints (such as the identity provider's profile or userinfo endpoint) to pre-populate the registration form with the user's information from their social media account, such as name, email and, where available, address. This may seem like cheating the system, but by simply helping users register themselves there is much less chance they will back out of the process. Treat the pre-filled values as suggestions rather than facts: the email address should only be accepted without a confirmation step if the identity provider marks it as verified, and the account should be keyed on the provider's stable subject identifier, not on the email address, since an address can change or be reassigned at the provider.
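The two techniques above, tiered session tokens with step-up authentication and registration pre-fill from identity provider claims, are sketched below as an added example. This is illustrative code written for this article, not code from any of the platforms or products it mentions. The route names, the tier numbers, the session-signing key and the sample claims are all assumptions; the sample claims are constructed to look like an OpenID Connect userinfo response.

```python
"""Tiered sessions after social login, step-up to the site's own credential,
and registration pre-fill that only trusts what the IdP actually vouches for."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: one server-side session-signing key per deployment (rotate like any secret).
SESSION_KEY = secrets.token_bytes(32)

# Access tiers. A social login only ever yields TIER_SOCIAL; the site's own
# check (password, one-time code, ...) is what raises a session to TIER_LOCAL.
TIER_SOCIAL = 1
TIER_LOCAL = 2

# Hypothetical routes and the tier each one requires; unknown routes default to TIER_LOCAL.
ROUTE_TIERS = {"/feed": TIER_SOCIAL, "/account/billing": TIER_LOCAL}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(claims: dict) -> str:
    """Serialise the claims and append an HMAC so the tier cannot be edited client-side."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SESSION_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_session(token: str, now=None):
    """Return the claims if the tag matches and the session is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:
        return None
    expected = hmac.new(SESSION_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(body)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def session_from_social_login(idp_claims: dict, now=None) -> str:
    """Mint a TIER_SOCIAL session; the account is keyed on (issuer, subject), never on email."""
    now = time.time() if now is None else now
    return sign_session({
        "sub": f"{idp_claims['iss']}|{idp_claims['sub']}",
        "tier": TIER_SOCIAL,
        "exp": now + 8 * 3600,
    })


def step_up(session_token: str, local_credential_ok: bool, now=None):
    """Raise a valid social session to TIER_LOCAL after the site's own credential check passed.
    The elevated session is deliberately short-lived."""
    now = time.time() if now is None else now
    claims = verify_session(session_token, now)
    if claims is None or not local_credential_ok:
        return None
    return sign_session({**claims, "tier": TIER_LOCAL, "exp": now + 15 * 60})


def authorize(session_token: str, route: str, now=None) -> bool:
    """True if the session is valid and its tier meets the route's requirement."""
    claims = verify_session(session_token, now)
    return claims is not None and claims["tier"] >= ROUTE_TIERS.get(route, TIER_LOCAL)


def prefill_registration(idp_claims: dict) -> dict:
    """Copy display fields into the form; accept the email only if the IdP marks it verified."""
    form = {"name": idp_claims.get("name", "")}
    if idp_claims.get("email_verified") is True:
        form["email"] = idp_claims["email"]
    else:
        form["email"] = ""  # user must type and confirm it themselves
    return form


# Constructed sample of the claims a userinfo endpoint might return (not real data).
SAMPLE_IDP_CLAIMS = {
    "iss": "https://idp.example",
    "sub": "10769150350006150715113082367",
    "name": "Ada Lovelace",
    "email": "ada@example.com",
    "email_verified": False,
}

if __name__ == "__main__":
    tok = session_from_social_login(SAMPLE_IDP_CLAIMS)
    print(authorize(tok, "/feed"), authorize(tok, "/account/billing"))  # True False
    print(authorize(step_up(tok, local_credential_ok=True), "/account/billing"))  # True
    print(prefill_registration(SAMPLE_IDP_CLAIMS))  # email left blank: not verified by the IdP
```

The point of the two tiers is that a compromise or outage at the identity provider never yields more than a TIER_SOCIAL session; billing and other sensitive areas still require a credential the site controls, and that elevated session expires on its own after a few minutes.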
Our experience with social media, though it is over a decade old, has still only just begun. More and more it drives how we run our daily lives and how we interact with companies across the web. Many of its features look enticing, a common login system among them, but it is imperative to evaluate the risks of these platforms before we dive in. Consider new ways of protecting your website from third-party risk, such as certificate-based and token-based solutions that keep the most sensitive identity decisions under your own control. This extra step may not seem worthwhile at first, but it certainly will if your organization is breached through a third-party identity service.
References and Further Reading
- Bring your own identity (2016), by Merritt Maxim
- Selected articles on Authentication (2014-17), by Heather Walker, Luis Balbas, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner and more
- Selected articles on Electronic Signing and Digital Signatures (2014-17), by Ashiq JA, Guillaume Forget, Jan Kjaersgaard, Peter Landrock, Torben Pedersen, Dawn M. Turner, Tricia Wittig and more
- Selected articles on eIDAS (2014-17), by Heather Walker, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner and more