Using social identity as a form of single sign-on

The existing problem is passwords. The general consensus is that they are no longer good enough. The reality, of course, is that it is not so much passwords that are inadequate, but the way they are used. The incredible growth in online services in both the public and private sectors means that most users now have to manage dozens of passwords – leading to two problems: users tend to choose easy-to-remember passwords, and reuse the same password over and over again.

Easy-to-remember passwords are inevitably easy-to-crack passwords. Since they are re-used many times, it only requires one website to be hacked for the user’s password to be stolen and cracked, thus providing the hacker with the password to all of that user’s other accounts. This is a problem that is simply getting worse. Users are generally more concerned with ease than with security, and security that is difficult to use, like multiple complex passwords, is frequently side-stepped.

One solution being actively investigated on both sides of the Atlantic is to allow users to employ their social media credentials as proof of identity in order to access other online accounts. In October 2012 The Independent reported that the UK government “will announce details this month of a controversial national identity scheme which will allow people to use their mobile phones and social media profiles as official identification documents for accessing public services.”

The principle is simple. Major social networks such as Facebook and Twitter are very good at security (although both have announced minor hacks this year already), and almost everyone has at least one social media account. The theory, then, is to let the social networks verify the identity of the user, and on that basis grant the user access to other accounts.

It is a system that is already widely used in business where a business relationship exists – such as Spotify accepting Facebook credentials, and Klout accepting both Facebook and Twitter. It effectively replaces the need for the user to remember multiple complex passwords with the need to remember just one. But it is not without critics. MailChimp experimented with the idea towards the end of 2012, but eventually backed off. “What if Facebook or Twitter were hacked?” blogged MailChimp’s Aaron Walters. “Your social profile would be at risk (the sun would still rise tomorrow), but so would any other account on other services that are connected. That’s a little scary. Yes, Facebook and Twitter are good at security, but nobody, NOBODY, is perfect. Social login buttons delegate control of your users’ credentials to another service, rather than ensuring security yourself.”

The fact remains, however, that social media access will definitely be easier for the user, and probably more secure than the current multiple password scenario. For this reason it continues to gain both support and traction.

Today NetIQ is launching two new products: one traditional single sign-on product for general cloud access, and a new SocialAccess virtual appliance for social media access. NetIQ calls it Bring Your Own Identity, or BYOI. It is, says Geoff Webb, director of solution strategy at NetIQ, “a great example of the opportunity to build on existing processes, improve existing services and respond more rapidly to customers. [It] complements existing access management strategies and improves business enablement in a way that traditional approaches cannot match.”
