What are your thoughts on social authentication (log-in using Facebook, Twitter, Linkedin) and given all the issues with social networks right now, is this worth pursuing?
Investor in Services (non-Government), 11 - 50 employees
Social Sign On (aka Single Sign On), is a well defined and secure authentication protocol, and is used in the enterprise to connect disparate apps. It is highly secure, as there is no need to store any passwords, nor tokens (despite the other answers here). You would only store tokens if you wish to do actions on the SSO source, such as posting to their feed.
With Social, your security is as good as the SSO source, e.g. Facebook, Twitter, Google, etc. If someone has access to an account on any of these that also matches an account on your application, they would be able to impersonate a login to your site. However, in general, the big SSO providers offer higher security standards than most organizations provide, such as multi-factor authentication.
Although you hear about breaches, they are quickly mitigated, and the pressure on SSO providers has quickly brought their security to a high level. In most breaches you hear about, nothing can be done practically with the encrypted password data that was accessed.
I recommend using SSO because it raises the quality of registrations on your site as the user has already been vetted by the SSO provider, and it makes it easier for user to say "yes" to your site.
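The answer above describes the core property of a social sign-on: the application verifies an identity assertion from the provider and keeps no password and no provider token. The following is an added example, not code from the original thread, showing that flow for an ID token in JWT form. It uses a constructed HS256 shared key (`PROVIDER_SIGNING_KEY`), a hypothetical issuer (`https://idp.example`) and a hypothetical client id; a real provider signs with an RSA or EC key published at its JWKS endpoint, so the signature step would use that public key instead, while the issuer, audience, expiry and subject checks stay the same.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed stand-ins for a real identity provider. A real social provider
# signs ID tokens with an asymmetric key fetched from its JWKS endpoint; the
# shared-key HS256 signature here only keeps the example self-contained.
PROVIDER_ISSUER = "https://idp.example"          # hypothetical issuer
OUR_CLIENT_ID = "example-relying-party"           # hypothetical client_id
PROVIDER_SIGNING_KEY = b"constructed-demo-key"    # constructed key for the demo


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def mint_id_token(claims: dict, key: bytes = PROVIDER_SIGNING_KEY) -> str:
    """Build a compact JWT the way the provider would; used only to construct samples."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_id_token(token: str, now: Optional[float] = None,
                    key: bytes = PROVIDER_SIGNING_KEY) -> dict:
    """Return the claims only if signature, issuer, audience, expiry and subject check out."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":       # pin the algorithm; never trust the token's own choice
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != PROVIDER_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != OUR_CLIENT_ID:
        raise ValueError("token not issued for this application")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if "sub" not in claims:
        raise ValueError("no subject claim")
    return claims


class AccountStore:
    """Local accounts keyed by (issuer, subject). Holds no password and no provider token."""

    def __init__(self) -> None:
        self._accounts: Dict[Tuple[str, str], int] = {}

    def login_with_provider(self, token: str, now: Optional[float] = None) -> int:
        """Verify the assertion and return the local user id, provisioning on first login."""
        claims = verify_id_token(token, now)
        key = (claims["iss"], claims["sub"])
        if key not in self._accounts:
            self._accounts[key] = len(self._accounts) + 1
        return self._accounts[key]

    def account_count(self) -> int:
        return len(self._accounts)
```

The store maps the provider's stable `sub` to a local id and nothing else; if the application later wanted to post to the user's feed it would additionally have to keep an access token, which is exactly the extra liability the answer above points out.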
CIO in Consumer Goods, 11 - 50 employees
It is catching up but needs a clearly articulated framework for classified information access and security measures defined around it.
CIO / CTO in Services (non-Government), 11 - 50 employees
This is a long and difficult problem for most entities (companies) because it demands discipline from the teams to manage a multitude of login rules and passwords. An attempt was made by the IT community to federate the login by the trust with the social networks and make it easier. The SSO approach was violated when the biggest, Facebook, revealed on September 28, 2018 that they were compromised (what does that mean?) and hackers accessed 50 million access tokens. This single event should be a wake-up call for all to NOT TRUST any social platform for SSO. No Cyber professional would design, much less advise, this as the login of choice. So we are back to the plethora of methods and login credentials we are all faced with in our professional and personal lives. Most Cyber experts have "password managers" they use themselves, and some don't even know the password the manager generated, but as with any tool, there are risks; there is still a master password. So it all comes down to risk. Literature supports that longer, "passphrase"-type passwords increase the complexity, so encourage this, and don't forget one of the best defenses is an educated work force that has some training on hacker and phishing methods.
Senior VP, Global CTO Hybrid IT in Software, 10,001+ employees
The wave of the future from a customer perspective is to simplify their sign-on experiences. Millennials often blur their work/life boundaries, email etc. While platforms like Google, Facebook, LinkedIn do today offer security shortfalls - the wave of the future will be to consolidate to a small number of platforms.
IT Director in Software, 10,001+ employees
This question has bearing on your end-state architecture, and architecture-related answers always start with "it depends on the workload". If the dependent application serves a typical social user, then user experience takes higher priority and you should consider using the popular SSO methods to increase adoption. You will still need to do your due diligence on Auth methods supported, global availability, latency, etc. However, if your application falls in one of the business-critical enterprise type functions such as payroll, PII, etc., then you should consider doing the "heavy lifting" of identity management yourself. As everyone else pointed out, there are no shortcuts here. While the social authentication market is improving, there are no ratified or proven frameworks available that will pass any type of internal or external audit in a regulatory environment. In such cases, if you are not willing to do it on your own, then you may also consider "identity as a service" providers who would meet your security/compliance/audit needs.
VP of IT in Software, 1,001 - 5,000 employees
Would adopt minimally a 2-step verification process if 2FA is not available. Best not to rely on a single authentication platform for SSO across all applications. Too many creative fake login prompts to steal your credentials, such as launching a realistic login pop-up when accessing a malicious website aiming to steal your credentials. I would keep the authentication credentials to more sensitive applications standalone.
Assistant Director IT Auditor in Education, 10,001+ employees
I agree with Steven; multi-factor authentication offers protection on accessing your information. Users must be cautious about the type of information they share. Education and awareness in security are very helpful to users.
If users are using weak passwords, it doesn't really matter where they are stored.
If there is some inherent weakness in the 3rd party authentication method then that is obviously a non-starter.
Your ability to wipe all the login tokens / close down individual 3rd party authentication services at will is important too.
The quality of the authentication APIs should not be confused with the abuse of their own APIs that FB has suffered from.
You have to ask yourself why you are doing this. Convenience for your staff, the fact that you don't have to maintain your own authentication / security of encrypted passwords?
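The comment above stresses being able to wipe all login tokens and close down an individual third-party authentication service at will. As an added example (not code from the original thread), the registry below tags every server-side session with the provider that minted it, so one provider can be disabled for new logins and all of its existing sessions cut at a chosen cutoff time without touching sessions from other providers. The provider names and session ids are constructed labels; the structure is a hypothetical in-memory one standing in for whatever session store the application actually uses.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Session:
    session_id: str
    user_id: int
    provider: str      # sign-on source that produced this login (constructed label)
    issued_at: float


class SessionRegistry:
    """Server-side sessions tagged by login provider so a single provider can be cut off."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self._disabled: Set[str] = set()            # providers refusing new logins
        self._revoked_before: Dict[str, float] = {}  # provider -> cutoff: older sessions are dead
        self._counter = 0

    def create(self, user_id: int, provider: str, now: Optional[float] = None) -> str:
        """Issue a session after a successful login via `provider`; refused while it is disabled."""
        now = time.time() if now is None else now
        if provider in self._disabled:
            raise PermissionError(f"logins via {provider} are currently disabled")
        self._counter += 1
        sid = f"s{self._counter}"
        self._sessions[sid] = Session(sid, user_id, provider, now)
        return sid

    def disable_provider(self, provider: str) -> None:
        """Kill switch for new logins; existing sessions stay until revoked."""
        self._disabled.add(provider)

    def enable_provider(self, provider: str) -> None:
        self._disabled.discard(provider)

    def revoke_all(self, provider: str, now: Optional[float] = None) -> int:
        """Wipe every session created via `provider` up to `now`; returns how many were cut."""
        now = time.time() if now is None else now
        self._revoked_before[provider] = now
        return sum(1 for s in self._sessions.values()
                   if s.provider == provider and s.issued_at <= now)

    def close_provider(self, provider: str, now: Optional[float] = None) -> int:
        """Stop new logins and wipe existing sessions for one provider in a single step."""
        self.disable_provider(provider)
        return self.revoke_all(provider, now)

    def is_valid(self, session_id: str, now: Optional[float] = None) -> bool:
        """A session is live unless it was issued at or before its provider's revocation cutoff."""
        s = self._sessions.get(session_id)
        if s is None:
            return False
        cutoff = self._revoked_before.get(s.provider)
        return cutoff is None or s.issued_at > cutoff
```

Keeping the cutoff per provider rather than deleting rows means the wipe is a constant-time flag flip that also covers sessions held in caches or replicas, and re-enabling the provider later only admits sessions issued after the cutoff.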
Great points! I trust nothing from any social sites, but as you say, if users use weak passwords, you can only do so much. 2-factor auth is helping. As to the question, social auth would be a non-starter for a world I managed.