The authentication method has been ignored in high-risk use cases. It could pave the way to a safer, easier Internet.
In his excellent Insider Feature about password alternatives and enhancements, Michael Nadeau wrote:
“The big risk with social login is that all sites a user accesses via, say, Google will be compromised if that Google account is compromised. Attackers can take control of a social account in a number of ways: social engineering, creating a fake profile, or buying a user ID and password on the dark web. Users can mitigate this risk if they turn on optional authentication features like 2FA, but many don’t.”
In January, Google software engineer Grzegorz Milka revealed in a presentation at Usenix’s Enigma 2018 security conference that less than 10 percent of active Google accounts use two-step authentication. Why not force 2FA on users? Because, Milka said, “The answer is usability. It’s about how many people would we drive out if we force them to use additional security.”
User adoption of 2FA is low because its most common implementations are cumbersome. I believe 2FA should be so easy that it could be the default setting without estranging 90% of a user base. Social login could be the mechanism to get us there.
Social login hasn’t met its full potential
Federation – of which social login is an example – manages and maps user identities between Identity Providers (IdP) across organizations and security domains via trust relationships. It addresses questions such as “Where are the user’s credentials stored?” and “Can a third party authenticate a user without seeing her login credentials?” Users who authenticate to the IdP can authenticate to other sites and services with relative ease. Social login applies federated login techniques so organizations can authenticate a user’s identity based on the assumed strength of the IdP’s authentication stack.
“Users see [social login] more as a convenience than as added security,” Nadeau wrote. “But websites and web service providers gain a level of secure authentication they might otherwise not have the resources to achieve themselves.”
Those organizations who do have the resources and reasons to create and maintain a high level of secure authentication — financial institutions and insurers, among others — have shied away from social login. They need their own dedicated authentication and authorization (“auth”) strategies. Even though social login is convenient for users and even though the auth market is largely driven by user experience, the organizations I’m describing need to maintain a degree of security and privacy control to be sure that strong auth is in place when money and other sensitive data are in play.
Don’t blame social login for the problems with passwords
Social login is a server-side analogy to the problem of end users’ tendency to re-use passwords across sites.
Whether users log in through a federated mechanism or directly to a site that manages its own auth, password-based authentication will forever be the weakest link. Social login can’t fix that. In fact, federating authentication with passwords across multiple sites simply exacerbates the risks and stakes. The password only has to be compromised once to amplify the attack to all of the sites that the authentication mechanism serves.
Sites that use social login relinquish control over the authentication process. Third parties have no way of enforcing stronger multi-factor authentication or passwordless authentication using biometrics or device recognition. They don’t get to decide when or if to step up to stronger authentication strategies.
With all that in mind, I see an upside. Federated login could make auth a lot stronger for a large part of the Internet if it moved to a passwordless mode. The change ‘just’ has to be easier than passwords; no authentication apps, one-time passwords, or the like.
Replace passwords to elevate social login
To be fair to end users, and to cultivate a more secure era, we – as a profession – have to recognize a fallacy in our control, and another single point of failure: centralized credential storage. By storing usernames and passwords in one target, organizations with large user bases have made attackers’ work easier. This weakness has been a major contributor to the rise in account takeovers.
A major part of the answer is to decentralize credential storage. By removing the target, hackers have no way of stealing and reusing identity information at scale. A mobile multifactor authentication platform that separates the authentication process from the application reduces liability and keeps encrypted credentials – and risk – dispersed on each end-user’s device.
If a federated login provider used passwordless authentication founded upon mobile device possession, facial and fingerprint recognition, and knowledge factors chosen by the end user, and if it were all stored securely on the end user’s device, then sites relying on that IdP would enjoy significantly stronger authentication.
I believe that would accelerate our progress toward a passwordless Internet, one that’s more secure and user friendly.