Facebook offers Facebook Connect. OpenID offers, well, OpenID. But does the latest craze for Facebook login integration consider the security of those of us who have sensitive information to protect?
1.) The aggressive and steadfast rise of the Cloud and its many forms, including SaaS, IDaaS, and Cloud storage.
2.) The rise of Single Sign-On (SSO), or identity management, services such as Facebook Connect and OpenID.
3.) The equally aggressive rise in the number of hackers eager to get their hands on one of your juicy passwords.
When practiced properly, the third element above should not affect your decision to use the second. However, we’ve observed many cases in which an attacker creates an innocent-looking site dressed up as a Facebook log-in page and asks you for your credentials. Sure enough, you can look at the address bar before typing any information to check whether the login page really belongs to Facebook. But can you risk it?
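The address-bar check described above, as an added example that is not part of the original post: a small Python function that accepts a login URL only when the scheme is HTTPS and the host exactly matches a trusted host, contrasted with the loose "does the URL contain facebook.com somewhere" check that a lookalike page defeats. The trusted-host list and the sample URLs are constructed for this example.

```python
from urllib.parse import urlsplit

# Hosts that legitimately serve the login page. Constructed allow-list for this
# example; a real deployment maintains its own verified list.
TRUSTED_LOGIN_HOSTS = {"www.facebook.com", "facebook.com", "m.facebook.com"}


def login_url_is_trusted(url: str) -> bool:
    """Strict check: HTTPS and an exact host match against the allow-list.

    Substring or prefix matching is deliberately avoided: a lookalike such as
    'facebook.com.login-example.test' contains the real name but is a
    different host, and 'https://www.facebook.com@evil.example/' puts the real
    name in the userinfo part while the browser actually talks to evil.example.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    # hostname strips userinfo, port and brackets; rstrip removes a trailing dot
    host = (parts.hostname or "").lower().rstrip(".")
    return host in TRUSTED_LOGIN_HOSTS


def naive_check(url: str) -> bool:
    """What a quick glance at the address bar often amounts to: 'does it say
    facebook.com somewhere?'. Shown only to contrast with the strict check."""
    return "facebook.com" in url.lower()


# Constructed sample URLs: one genuine login page and several lookalikes.
SAMPLE_URLS = [
    "https://www.facebook.com/login.php",
    "http://www.facebook.com/login.php",            # no TLS
    "https://facebook.com.login-example.test/login",  # real name as a prefix
    "https://www.facebook.com@evil.example/login",    # real name in userinfo
    "https://evil.example/?next=https://www.facebook.com/",  # real name in query
]


def evaluate(urls):
    """Return (url, naive_result, strict_result) for each URL so the two
    checks can be compared side by side."""
    return [(u, naive_check(u), login_url_is_trusted(u)) for u in urls]


if __name__ == "__main__":
    for url, loose, strict in evaluate(SAMPLE_URLS):
        print(f"naive={loose!s:5} strict={strict!s:5}  {url}")
```

Every lookalike in the sample list passes the naive check and fails the strict one; only the first URL passes both. The same exact-host comparison is what a browser-side password manager or a corporate proxy allow-list performs, which is why those tools resist lookalike pages better than a hurried human reading the address bar.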
The problem we see now is that many websites are adopting Facebook’s “Connect” and OpenID to allow one-click logins to access a website. You sometimes don’t even have the choice of making a separate account on that site, meaning you can’t “opt out” of these types of logins. Sure, your information stays safe within that site, but it’s also stored within a central database under Facebook’s control. While there’s nothing wrong with this in itself, there’s just too much risk involved in putting all your sensitive data from all over the web into one massive identity bubble (which frankly isn’t the most secure portal for managing your usernames and passwords or access to all your data).
The other problem is that you’re putting your information into a social network with more users than the entire population of India. Here’s our take on this:
- Facebook is not at all a discreet network. Literally anyone can see your account with the proper know-how.
- Even with a tight password, someone will find a way to access your account. You stick your head out of the water even further by interacting on the network. Just look at what happened to Facebook’s own creator early in 2011. It’s an embarrassing situation! Later that year, something even more embarrassing happened to Facebook’s Mark Zuckerberg.
- You expose yourself to too much of an information give-away, as Facebook has been known to give information about its users to others from time to time. Hello! They track each site that you log in to from your Facebook account, and use that exactly how?
Now you’re probably thinking about…
What to Do?
We’re not trying to tell you to stop relying on websites that integrate Facebook Connect or other types of SSO login solutions. It’s understandable that you don’t want to splash different copies of your identity everywhere on the web. But try to limit these features to casual websites as much as you can.
If you want an SSO solution, opt for something better that will protect multiple identities, not one single giant blob waiting to burst. Secure SSO should be used with important identities, such as your own website’s authentication and payment gateways. SmartSignin comes to mind, giving you the ability to store multiple different user names and passwords in one database. Since it’s not a social network, it won’t be out in the open. The interface allows you to perform one-click sign-ins from a single point without having to worry about security or a vindictive person trying to batter your account into submission.
Think about it. You invest a lot of your identity into the Internet. Don’t allow someone to sweep in and use your identity in malicious ways. Choose a solution that will allow you to have several layers of fortification in front of you.