I saw charles.carney's post this morning (through a tweet by gali.klingschneider) which talks about LinkedIn now being the third available Social Login option on SCN (after Twitter and Facebook).
Being the security scarecrow here this reminded me of LinkedIn being hacked and having all their passwords exposed, but that was a while ago and I'm sure that has been properly fixed by now. Still, it's a good time to reflect on trust and security in social networks.
Every time you choose to log in to a site this way, you're handing over trust to a third party to use your identity to do stuff on your behalf, sometimes even without you being actively involved in the process. You usually want that, stuff like sending off a tweet every time you post a new image to Instagram.
By the way, the authorizations work both ways - you allow the target application to be accessed with your social network credentials, but you also allow the host application to use your social network information. These authorizations are part of the initial account linking process.
Examples:
That's usually just fine, i.e. you want that, but we tend to forget what we granted after a while, and sometimes this leads to surprises. As a little awareness exercise, you can see which authorizations you already granted. Please go to each of the following links (provided you use that social network) and look at the apps, and consider if you still use the app, or if you were even aware you granted those privileges:
Interesting, isn't it?
Next critical question: Are you using different passwords on each of your social networks? Because if you don't, and one gets exposed, someone might use it to log on to another social network, which in turn you may be using as a login to SCN or elsewhere.
Using different passwords may sound cumbersome (and it is), but it's well worth it. I recommend using a password manager that integrates into your browser like LastPass or 1Password to make it easier; they will also assist you in generating secure passwords.
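As an added example (not code from the original post), here is a small Python audit that reads a password-manager export and flags passwords reused across sites, singling out the case described above: a reused password that also protects a social network used as a login provider. The export, the hosts and the identity-provider list are constructed for this example.

```python
"""Audit a password-manager export for reused passwords."""
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export in a simple CSV shape (not real credentials).
SAMPLE_EXPORT = """url,username,password
https://twitter.com,alice,Correct-Horse-42
https://www.facebook.com,alice@example.org,Correct-Horse-42
https://www.linkedin.com,alice@example.org,Tr0ub4dor&3
https://scn.sap.com,alice,Correct-Horse-42
https://example.org/forum,alice,uniq-Pw-9!
"""

# Constructed list of sites that act as identity providers for social login;
# a reused password on one of these exposes every site that trusts it.
IDENTITY_PROVIDERS = {"twitter.com", "facebook.com", "linkedin.com"}


def _host(url):
    """Reduce a URL to its host name, dropping a leading 'www.'."""
    host = url.split("//", 1)[-1].split("/", 1)[0].lower()
    return host[4:] if host.startswith("www.") else host


def _fingerprint(password):
    """Hash the password so the report never carries plaintext around."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def find_reuse(export_text):
    """Return {fingerprint: sorted hosts} for passwords used on more than one host."""
    by_fp = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        by_fp[_fingerprint(row["password"])].add(_host(row["url"]))
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


def risky_reuse(export_text):
    """Reused passwords where at least one of the sharing sites is an identity provider."""
    return {fp: hosts for fp, hosts in find_reuse(export_text).items()
            if any(h in IDENTITY_PROVIDERS for h in hosts)}


if __name__ == "__main__":
    for fp, hosts in risky_reuse(SAMPLE_EXPORT).items():
        print(f"password {fp} is shared by: {', '.join(hosts)}")
```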
In an SAP context, similar questions arise when you link your AS Java to Windows login. We did this for many customers with GRC AccessControl 5.3 scenarios. It's incredibly simple to set up, but it needs follow-up activities in the organisation:
So, to summarize: Social Login and identity federation are good and useful, but they also (or especially) require the average user to be aware of the security side effects.
Related Posts:
http://scn.sap.com/community/security/blog/2012/06/07/on-passwords
http://scn.sap.com/community/security/blog/2012/08/08/initial1
Feel free to share your biggest AHA-moments when you looked at the list of linked applications in your social networks in the comments!