Social Media Single Sign-On: Could You Be Sharing More than Your Password?



Similar documents
Social Application Guide

Facebook Smart Card FB _1800

Single Sign-on Frequently Asked Questions

Version 3.2 Release Note. V3.2 Release Note

NOK NOK LABS AUTHENTICATION & OTT SERVICES

Zep Inc.: Global Online Privacy Notice

Safewhere*Identify 3.4. Release Notes

Lenovo Partner Access - Overview

SSOScan: Automated Testing of Web Applications for Single Sign-On vulnerabilities

MYOB EXO BUSINESS WHITE PAPER

Single Sign On: Volunteer User Guide

Single Sign On. SSO & ID Management for Web and Mobile Applications

Single Sign-On Instructions (SSO) Registration for the SSO

Accessing the PMRN [SSO Users]

API-Security Gateway Dirk Krafzig

webcrm App for HootSuite User Guide

PowerSchool. Parent Single Sign-On (SSO)

1. Important Information

PRIVACY POLICY Our privacy policy discloses how we gather and use your data. In short we do not collect sensitive personal information.

Mobile Banking. Click To Begin

Taylor & Francis Online Mobile FAQs

This manual will illustrate how to integrate your WordPress Blog or website with the Docebo Learning Management System.

Follow these easy instructions to list your business on the BEC Australia National Business Directory.

Welcome (slide 1) Welcome to the Florida Department of Education Single Sign-On tutorial for federated user login and navigation.

Self Service Portal and 2FA User Guide

Virtual Code Authentication User Guide for Administrators

Egnyte Single Sign-On (SSO) Installation for OneLogin

Personal Computer and Mobile Printing

PRACTICAL IDENTITY AND ACCESS MANAGEMENT FOR CLOUD - A PRIMER ON THREE COMMON ADOPTION PATTERNS FOR CLOUD SECURITY

ZOOMIN.TV PRIVACY POLICY Last updated: 5 August 2014

INXPO Privacy Policy

Create New MyWorkKeys Account Quick-Start Guide for the ACT National Career Readiness Certificate (ACT NCRC )

Enhanced Login Security Frequently Asked Questions

Remote Access End User Reference Guide for SHC Portal Access

The Top 5 Federated Single Sign-On Scenarios

State of Michigan Single Sign-On Registration Instructions for First Time Users

Blending Embedded Hardware OTP, SSO, and Out of Band Auth for Secure Cloud Access

Alex Wong Senior Manager - Product Management Bruce Ong Director - Product Management

0ysiEDJ5AF8Xqy5Ge8JRT9I8IJ9hVAVOkT3A 1/14

HP Software as a Service. Federated SSO Guide

SECUREAUTH IDP AND OFFICE 365

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

Adaptive Business Management Systems Privacy Policy

OpenLogin: PTA, SAML, and OAuth/OpenID

The Password Problem Will Only Get Worse

Guide to Complete EIA SSO (Single Sign-On) Registration. 1. Open your Internet Browser, enter this address, and press Enter

FitCause Privacy Policy

Privacy Policy. log in to the Services with social networking credentials;

PassKey Manager. Schoolwires Centricity

Marketing Communications Essentials: B2B Marketing for Small Businesses. June 18, 2014

Privacy Policy/Your California Privacy Rights Last Updated: May 28, 2015 Introduction

ONLINE PRIVACY POLICY

WATERS Water Act TDL Electronic Review System

Eloqua Social Suite Integrate Social directly into your campaigns with just a few mouse clicks.

How to Register for Training

Implementation Guide. Implementation set up: Configure your channel. Implementation customization: Enable your social profiles

PRIVACY POLICY. I. Introduction. II. Information We Collect

WHITEPAPER SECUREAUTH AND CAC HSPD-12 AUTHENTICATION TO WEB, NETWORK, AND CLOUD RESOURCES

OAuth: Where are we going?

NBA Math Hoops Privacy Statement and Children s Privacy Statement Updated October 17, 2013.

Two-Factor Authentication (2FA) Registration Instructions Symantec VIP Access

IT Exam Training online / Bootcamp

Copyright: WhosOnLocation Limited

Interoperate in Cloud with Federation

Reverse Proxy Guide. Version 2.0 April 2016

Federated Identity and Single Sign-On using CA API Gateway

Enhanced Security for Online Banking

PRIVACY NOTICE. Last Updated: March 24, 2015

Privacy Policy and Notice of Information Practices

Enhancing Web Application Security

Using the owncloud Android App

Mashup Sites for SharePoint 2007 Authentication Guide. Version 3.1.1

PRIVACY POLICY. Your Personal Information will be processed by Whistle Sports in the United States.

2. What personal information do we collect and hold?

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department

Integrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies

Building Secure Applications. James Tedrick

Privacy Policy. When you create an account or use our Service, we collect the following types of information from you:

SYSPRO App Store: Registration Guide

Auth0 SSO Drives B2B Expansion

The Unique Alternative to the Big Four. Identity and Access Management

shweclassifieds v 3.3 Php Classifieds Script (Joomla Extension) User Manual (Revision 2.0)

Transcription:

Social Media Single Sign-On: Could You Be Sharing More than Your Password? SESSION ID: HUM-W03B 2/26/14 (Wednesday) 11:20 AM - West 3005 Tom R. Smith VP, Business Dev & Strategy, CloudEntr www.cloudentr.com Tom.Smith@gemalto.com

DILBERT 2005 Scott Adams. Used By permission of UNIVERSAL UCLICK. All rights reserved. 2

You already have zero privacy get over it. - Scott McNealy 3

Agenda What s being tracked and collected online What is Social Login Potential risks introduced Process flow for Social Login for B2C and B2E Suggested resources if you want to learn more 4

NSA is not the only one tracking you What have you done today? Use your credit card to buy coffee? Login to wireless network at the RSA show? Use your mobile phone? Check your company s e-mail? Sent a text message, or tweet, or posted something to LinkedIn or Facebook? 5

When and how is information collected? User intentionally shares information (explicit consent) Buy something (billing info, credit card info, ship-to, etc.) Create account or register at a website (name, login credentials, other ) Online behavior activity silently tracked (implicit consent) Click on a link in an e-mail or on a website (look at URL) Open a web page (just the act of viewing a page) Sign-on using social login (relying party requests profile info) Other techniques: analytics, beacons, widgets, cookies, fingerprinting 6

What is Social Login? Uses your existing Social Media account to register or login to website / online service Benefits both the individual user and target website Profile information may be exposed as part of login 7

Be clear on your intended use of Social Login What is the purpose of enabling Social Login? Marketing / Sales (B2C, B2B, non-employees) Enable/attract customers to access your product and services Easy registration, immediate harvest of rich profile data Security / Compliance (B2E, employees) Login to company resources for employees Provides a set of existing employee credentials Who is authoritative source for user identity and the assets? Your company vs. social vendor (Facebook, Google, Twitter, etc.) 8

What can be retrieved during Social Login? 9

Does using Social Login increase risk? Information = attack points Individuals tend to be more lax in their personal lives and re-use or create weak passwords for their Social Media account Socially engineered attacks are fueled by personal information Social Logins create intermingled non-business entry points Target, Sony, Evernote, Adobe, etc. Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ 10

Consumer Website (B2C) use of Social Login Anonymous wants access to website New registration and/or login with Social Login service Website requests, User allows Permissions Website and Social accounts are Linked User Profile info captured by website 11 Known User granted Access

Business Employee (B2E) use of Social Login Employee wants access to business app Social Login credential used Social credentials alone not trusted for requested resource Trusted 2 nd Factor Authentication required, and applied Employee granted SSO access to all authorized apps Social Login interaction limited to corporate identity and access management system only Employee logged in to app 12

Summary Social Logins for consumer facing websites Convenient for both user and website Middleware may simplify implementation, ongoing integrations Social Logins for employees to business assets Social Login should only interact with corporate IAM system Employee Identity is known, just use Social Login as credential Augment with 2FA based on company policies 13

To learn more Shallow end of pool: useful search terms Tools that block tracking on websites you visit: privacy browser extensions Social Login middleware vendors: social login In depth: technical standards, and best practices http://www.thread-safe.com/ www.idecosystem.org http://openid.net/connect/ http://www.fidoalliance.org/ 14

Q & A Speaker contact info: Tom R. Smith VP, Business Dev. & Strategy, CloudEntr www.cloudentr.com Gemalto (Austin, TX) E-mail: tom.smith@gemalto.com Phone: 512-605-2116 15

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information