Privacy and Security Advantages of Social Login. White Paper

Similar documents
Why SMS for 2FA? MessageMedia Industry Intelligence

User Identity and Authentication

Defense Media Activity Guide To Keeping Your Social Media Accounts Secure

PRIVACY POLICY. I. Introduction. II. Information We Collect

How To Secure Cloud Computing

Privacy Policy. If you have questions or complaints regarding our Privacy Policy or practices, please see Contact Us. Introduction

Securing corporate assets with two factor authentication

Security in an Increasingly Threatened World. SMS: A better way of doing Two Factor Authentication (2FA)

Multi-Factor Authentication

Flexible Identity Federation

Simpler, Smarter Authentication with Okta. Okta Inc. 301 Brannan Street San Francisco, CA

Remote Access Securing Your Employees Out of the Office

Into the cybersecurity breach

Projectplace: A Secure Project Collaboration Solution

How to reduce the cost and complexity of two factor authentication

The Top 5 Federated Single Sign-On Scenarios

How To Use Salesforce Identity Features

Can We Reconstruct How Identity is Managed on the Internet?

SECUREAUTH IDP AND OFFICE 365

Swivel Secure and the Cloud

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

PREPLY PRIVACY POLICY

Manual. Netumo NETUMO HELP MANUAL Copyright Netumo 2014 All Rights Reserved

Impact of Data Breaches

White Paper. What is an Identity Provider, and Why Should My Organization Become One?

Whitepaper MODERN THREATS DRIVE DEMAND FOR NEW GENERATION TWO-FACTOR AUTHENTICATION

Reducing Cyber Risk in Your Organization

Guide to Evaluating Multi-Factor Authentication Solutions

future data and infrastructure

Teradata and Protegrity High-Value Protection for High-Value Data

Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment

SECURING YOUR REMOTE DESKTOP CONNECTION

IT Architecture Review. ISACA Conference Fall 2003

A brief on Two-Factor Authentication

Federated single sign-on (SSO) and identity management. Secure mobile access. Social identity integration. Automated user provisioning.

Malware & Botnets. Botnets

How To Protect Yourself From Cyber Threats

MODERN THREATS DRIVE DEMAND FOR NEW GENERATION MULTI-FACTOR AUTHENTICATION

Managed Security Services for Data

Single Sign On. SSO & ID Management for Web and Mobile Applications

Safe Use of Electronic Services

IT Security Standard: Computing Devices

Identity Implementation Guide

GUESTBOOK REWARDS, INC. Privacy Policy

Whitepaper on AuthShield Two Factor Authentication and Access integration with Microsoft outlook using any Mail Exchange Servers

Moving Beyond User Names & Passwords Okta Inc. info@okta.com

GUIDE TO KEEPING YOUR SOCIAL MEDIA ACCOUNTS SECURE

SECURING SELF-SERVICE PASSWORD RESET

Client Security Guide

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

INCIDENT RESPONSE CHECKLIST

The Password Problem Will Only Get Worse

Flexible Identity. OTP software tokens guide. Multi-Factor Authentication. version 1.0

The following information was provided by SANS and discusses IT Security Awareness. It was last updated in 2015.

Security Policy JUNE 1, SalesNOW. Security Policy v v

Modern two-factor authentication: Easy. Affordable. Secure.

Intelligent Security Design, Development and Acquisition

Frequently Asked Questions (FAQs) SIPRNet Hardware Token

white paper 5 Steps to Secure Internet SSO Overview

Strong Authentication for Secure VPN Access

I ve been breached! Now what?

Gigya Pricing Proposal

CHECK POINT Mobile Security Revolutionized. [Restricted] ONLY for designated groups and individuals

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

Welcome to the Protecting Your Identity. Training Module

How To Protect Yourself From A Hacker Attack

Flexible Identity. Tokenless authenticators guide. Multi-Factor Authentication. version 1.0

User Guide. SafeNet MobilePASS for Windows Phone

Experian Username and Password Self Service Facility. User Guide

How to Provide Secure Single Sign-On and Identity-Based Access Control for Cloud Applications

ITAR Compliance Best Practices Guide

CHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device

Google Identity Services for work

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

Nine Network Considerations in the New HIPAA Landscape

Transcription:

Privacy and Security Advantages of Social Login White Paper

User Management Platform for the Social Web white paper Privacy and Security Advantages of Third-Party Authentication The practice of implementing traditional username/password authentication on the web suffers from a number of issues that reduce its efficacy, increase costs, and significantly increase risk for an organization. Fortunately, by leveraging third-party authentication through social login, in which existing identities from social networks like Facebook, Google, and Twitter are used to register and sign in to sites, companies can mitigate these risks, reduce costs, and improve new customer conversion rates. Let your users sign in with an account they already have One of the most important trends to emerge from the social web has been the increasing use of portable online identities. Identity Providers (IDPs) such as Facebook, Twitter, and Google offer authentication APIs that make it easy for users to sign in to other websites using an existing profile. By leveraging these APIs, websites can create a personalized experience without requiring the user to register a username, password, and profile data. Social networking has been a catalyst for making online identity portable and interoperable. Before social networks, users had no alternative to filling out registration forms when signing up for an account at a website. But now, in the social age, expecting users to once again re-enter their relevant identity data has become impractical, maybe even presumptuous. PG2

While social networking itself has been a driving force for many sites in enabling social sign-in from third-party IDPs, it s becoming increasingly clear that encouraging users to sign in with an account that they already have, rather than registering a new one, can have many security benefits. The trouble with passwords For years, information security experts have emphasized the importance of practicing good password hygiene: that is, using a unique and unguessable password for every individual site on which registration is required. But, users are human, and password reuse happens a lot more frequently than security professionals would ever want to admit. In fact, a 2011 analysis by Troy Hunt, using real data from accounts that were compromised at Sony and Gawker in 2010, revealed that 67% of users registered at both Gawker and an affected Sony site used the same password at both sites. Users registered at two separate Sony sites reused the same password 92% of the time. And it s hard to blame them, as the task of remembering strong and unique passwords across the number of sites where your users are registered is nearly impossible. The net result of this is that even if you believe you have impenetrable defenses against hackers, your users and your data are vulnerable if a completely different site is hacked, due to password reuse/fatigue. Furthermore, it s a rare company that truly has an impenetrable defense against hackers. In addition to security issues, implementing traditional registration on a site also increases costs. Not only is there a cost to securing and encrypting registration data to prevent the kind of security breaches that have become all too common, but there are support costs, as well. Anyone running a site that requires users to sign in knows that the number one driver of customer support calls is users who can t sign in. Ironically, the very reason why these users can t sign in is because often they were practicing good password hygiene and can t remember their secure passwords. There are hidden costs related to traditional registration, as well. In a 2011 study commissioned by Janrain, nine out of ten survey respondents admitted to having left a website when they could not remember the username or password they had registered there, costing companies customers and revenue. PG3

To sum up some of the issues with traditional registration systems: They are expensive to build and maintain. They are vulnerable to security breaches due to password reuse from other sites. They incur the associated cost of supporting users who forget their credentials. They can lead to the loss of customers, as people either won t register in the first place, or will leave when they can t remember their username/password combination. Thankfully, there is a simple solution to these problems, and that is third-party authentication enabling your users to register and sign in using the well-established identities they have already created at sites like Facebook, Twitter, Google, and Yahoo!. Benefits of using third-party authentication Signing in with an account from a third-party identity provider brings several advantages over signing in with a site-specific username and password. Security is improved by shifting the burden of data protection to large-scale operators like Facebook, Google, Yahoo!, and PayPal. The cost of customer support required to help users who can t sign in is similarly transferred. It s less likely that your users will forget the more-commonly-used username/password combinations registered at their favorite social networking sites. No username/passwords are transmitted during the third-party authentication process, only authorization tokens. Site owners can leverage security technologies implemented by the top IDPs that they might never be able to replicate themselves. State-of-the-art security: Facebook, Google, Yahoo! The top IDPs employ state-of-the-art security systems and full-time security teams that most smaller sites would never be able to match. For example, Yahoo! has sophisticated technology that analyzes every sign-in attempt in real time, taking into account the user s previous behavior, the reputation of the IP address, and the geographical location of the sign-in attempt. Yahoo! even lets users review their recent sign-in activity, listing the time and location where each sign-in occurred to help users detect unauthorized activity on their account. fig. 1 (see following page) PG4

Google has similar tools that allow users to view their current sessions, and also gives users the the ability to sign out of sessions remotely. Remote sign-out can be a lifesaver if you ve ever forgotten to sign out after borrowing a friend s computer, or after using a public computer at an internet cafe. Additionally, Google alerts users when unusual activity is detected on the their account. For instance, if a user has a pattern of signing in from a particular city or state, and then signs in from a distant country on the other side of the world, Google will notify the user by email. Figure 1 Just as Facebook has revolutionized the web with its social graph and innovative user experience, it has also brought tremendous innovation to web security. fig. 2 Facebook Notifications are a major driver of referral traffic to social content and games, and now serve to notify users about account security issues as well. Among Facebook s security arsenal is the Session Classifier application, which uses location, device, and other account details to detect suspicious activity. For example, if a user typically signs in from California, and then tries to access Figure 2 PG5

their account from Africa, a Facebook Notification will alert them to the discrepancy. fig. 3 Two-factor authentication Figure 3 Using Google, Facebook, or PayPal as an IDP gives users the option of leveraging those providers implementations of two-factor authentication. Two-factor authentication began as an industrial-strength security feature, used mainly by financial websites and enterprise applications, where users sign in using both a password and a short-lived, single-use code generated by a specialized device. This method is significantly more secure than signing in with a password alone, because compromising the user s account would require both the user s password and the correct, briefly-valid code. fig. 4 Figure 4 As secure a method as it is, however, two-factor authorization with specialized devices is cumbersome and expensive to implement, and few consumer-oriented sites are able to adopt it successfully on their own. Fortunately, a growing number of IDPs give security-conscious users the option to enable two-factor authentication on their accounts. In these systems, signing in with username and password results in a numeric code being sent to the user s mobile phone, via SMS, that PG6

must be entered to complete the sign-in. [ fig. 5 ] This option provides an improvement over legacy two-factor systems because users don t have to carry around a special device, getting the code from their mobile phone instead, which they would presumably have with them anyway. Additionally, users need only to enter the code occasionally, when signing in from a new computer for the first time, or after their verification code expires. On subsequent visits over a given period, most often 30 days, the user needs only to enter their password. Most websites have outsourced authentication already In the past, some websites were reluctant to outsource user authentication to third parties, but most have already outsourced authentication to email providers without even realizing it. They typically automate the password recovery process by sending users an email with a link to reset their password. Since changing your password and then signing in is really the same thing as signing in, implementing an email-based account recovery system is equivalent to outsourcing authentication to the user s email provider. IDPs for the government and for the future The US government has taken notice of industry trends and is working with private industry to open up government websites to let citizens identify themselves using accounts that they already have with private Figure 5 Copyright All rights reserved. janrain white paper PG7

IDPs. Because many interactions with the government require high levels of security, the government is working with private industry though organizations like the OpenID Foundation and the Open Identity Exchange (OIX) to define certification requirements for private IDPs to be used on government websites. FICAM compliance For those organizations requiring advanced security measures, such as those outlined in the Federal Identity, Credential, and Access Management (FICAM) framework, compliance can be achieved, cost-effectively, through the use of IDPs that support the Provider Authentication Policy Extension (PAPE), such as Google, PayPal, and Symantec (formerly Verisign). Janrain: your shortcut to thirdparty authentication Allowing your users to register and sign in using a social media account they already have can protect your site from the risks associated with weak and reused passwords, leverage the world-class security features implemented by these large-scale operators, improve your new customer conversion rates, and save money for your organization. If you would like to learn more about how Janrain can help you leverage these benefits of third-party authentication, call us at 1-888- 563-3082 or visit www.janrain.com. When FICAM support is requested by a website at user sign-in, all API calls to the IDP include the request that FICAM policies are applied to the authentication and returned user data. PG8

References Troy Hunt s password analysis of the Sony and Gawker breaches: http://www.troyhunt.com/2011/06/brief-sony-passwordanalysis.html Gawker password hacking; Facebook users were not affected: http://lifehacker.com/5712785/faq-compromisedcommenting-accounts-on-gawker-media#1 University of Cambridge Computer Lab password re-use study: http://www. lightbluetouchpaper.org/2011/02/09/ measuring-password-re-use-empirically/ Top 50 passwords used: http://blogs.wsj.com/digits/2010/12/13/the-top-50-gawkermedia-passwords/ Facebook security infographic: http://thedinfographics.com/2011/11/21/facebook-securityeverything-you-ever-wanted-to-know/ Two-factor authorization, HTTPS, and social reporting at Facebook: https://blog.facebook.com/blog php?post=10150153272607131 Two-factor authorization at Google: http://googleblog.blogspot.com/2011/02/advanced-sign-insecurity-for-your.html US Government ICAM Trust Framework: http://openidentityexchange.org/trust-frameworks/us-icam Sony password hacking: http://www.informationweek.com/news/security/ attacks/229900111 About Janrain Janrain helps organizations succeed on the social web with its user management platform, a solution to improve user acquisition and engagement. With Janrain, you learn more about your users when they sign in or register with an existing identity on a social network such as Facebook, LinkedIn or Twitter. Then you can store that social profile data and use the information to launch more targeted campaigns or serve more relevant content. Additional components for sharing, invite friends, and gamification bring more users to your site and reward brand advocates. Janrain customers include leading brands such as Universal Music Group, MTV Networks, AMC Networks, Ning, NPR, Sears and Dr. Pepper/Snapple Group. Founded in 2005, Janrain is based in Portland, Oregon. For more information, please call 1-888-563-3082 or visit www.janrain.com. PG9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information