Single sign-on, Facebook and its double-edged sword

Last week, Facebook revealed a huge security breach, and the biggest impact will be felt as a result of the Single Sign-on service it has been providing to its users.

So on that note, as suddenly the vast majority of the connected world will be looking at this Facebook breach and how it affects them, I want to briefly touch on Single Sign-on services: what they mean, what they do, why they are good and why they are bad. SSO is an authentication practice that is becoming more pervasive in our daily use of internet services, personal and business related, but very few people spend time truly evaluating its security risks.

I am a proponent of properly configured SSO, or more so, of the security framework it addresses and a number of its purposes. If implemented for the purpose of security, and not solely for the convenience of users, it can be an effective and balanced layer of security while still being convenient for users logging in to multiple systems. I see SSO itself as one piece of a broader strategy, a method to design a proper access control, authentication and verification process for access to valuable company or personal data and resources.

Misconfigured or compromised SSO systems can cause a world of hurt, which everyone is going to realize now as they read about the Facebook breach of 50 million accounts. For several years Facebook has offered SSO services which authenticate and sign users into many other services. If your Facebook account is breached, your other accounts can in turn be accessed without any need to log in, because that is exactly how a single sign-on system is designed to work: the other services trust Facebook's authentication instead of performing their own.

So take care and understand your risk exposure with Single Sign-on. SSO can certainly provide more security than not using it at all, but it can also leave you highly exposed. In a corporate environment, don't assume your SSO strategy is secure. There is much work to be done to ensure that your SSO environments are in fact secure; your architecture should be highly scrutinized, evaluated, assessed and continuously tested, well before a compromise occurs.

-Aleks P. Mednis
