Click here to close now.

Welcome!

Security Authors: Elizabeth White, Liz McMillan, Pat Romanski, Brad Thies, Srinivasan Sundara Rajan

Related Topics: Web 2.0, SOA & WOA, Open Source, Security

Web 2.0: Article

Social Login: The Right Solution for Your Business?

Social login is a way to use social network credentials to create accounts on other sites or applications

What have you done online today - checked LinkedIn? Facebook? Twitter? Opened and sent business emails? Used business apps? Every business employee also has a private life - and it's becoming increasingly difficult to keep the two separate. Rather than ignoring the growing role of social media in your customers' and employees' lives, many businesses are starting to take advantage of it. One way to do this is through social login.

Social login is a way to use social network credentials to create accounts on other sites or applications. From a business perspective, you may decide to offer social login to your customers. For this discussion, we'll call this the business-to-customer or B2C use case. There are also good reasons for offering employees the ability to access business applications using a social login. We'll call this the business-to-employee or B2E use case. Your employees are also consumers with social media accounts, and social login lets them use one set of credentials for multiple purposes.

Social login in a nutshell
Social login is a growing trend. While Facebook is the most popular social login identity provider (through Facebook Connect), others like Twitter, Google/Google Plus and Yahoo also offer social logins. See the research from Gigya on the fierce competition for social identity providers. It's popular because it solves a common problem - creating and remembering accounts and passwords for all of the various websites and applications we use.

You have most likely encountered social login when opening a new account on a website, if you are given an option of signing in with an existing social network account:

If you choose to login with your existing social network account, then you've opted in to social login. That decision has ramifications that you might not expect. Social networks are a mother lode of personal information - you may be sharing more than you realize.

Before you implement social login for your business' customers or employees, or choose to use it yourself, you should have an understanding of what's happening behind the scenes.

The social login: What happens behind the scenes
If your business wants to offer social login for customers on your website, you first need to choose which networks to link. Social login middleware or aggregators like Gigya and Janrain make it easy to offer social login through multiple social networks.

When a new user chooses the option of registering on a site with their social media credentials, they also grant permission to link your site with their account. You gain API-level access to personal data and contacts from the social network. The overall process is illustrated below:

Photo credit: Facebook

The process of granting permissions to your profile information is an "all or nothing" decision forced on you by the website you are trying to access. Without permission, the registration is canceled and the user must then create a new account directly with your website. But if the user grants permission, the social media account is linked to the website that you just registered at. Your website can now retrieve existing or new profile information without the user's future consent. The linked website can also post information to your social network. Of course, you must use care if you want to retain the customer.

From a business perspective, offering social login has many benefits:

  • Social login makes it easy for new customers or consumers on your website to create accounts - reducing friction and potentially increasing sign-ups. Beyond the initial sign-up, research by Janrain shows that many people are more likely to return to a site that welcomes them with social login, while they will abandon sites for which they have forgotten their passwords.
  • Consumer identity can be instantly verified; you have to use a real e-mail address to have ongoing use of your social media account. This verification dramatically reduces the number of bogus account registrations of people trying to remain anonymous and entering false information at account creation time.
  • The social networks provide a rich source of demographic and behavioral data about your customers that they may not want to provide if they were filling out forms during registration.

However, there are also risk factors. Because the social media identity provider maintains data about the customer and manages their credentials, any problem with their credentials affects their ability to connect to your site as well. Alexandra Samuel posted about an experience of being shut out of multiple sites over the Thanksgiving weekend online shopping time because of a problem with her Facebook login on the HBR blog.

Social login and your employees
When it comes to your employees, the decision to use social login involves a different thought process.

The B2E use case has security and compliance implications. Identity and profile information shared from social networks creates additional points of attack for hacking into business accounts through social engineering or spear-phishing attacks. Social login gives criminals more avenues into personal information and logins, especially if employees are in the habit of using weak passwords or reusing passwords across multiple sites

For example, a hacker who discovers that one of your employees is an avid stamp collector and that they work at XYZ Company. They could send them an invitation to create an account on a stamp collecting website. If the employee uses the same login for stamp collecting as other apps, the attacker is in and knows what company to target.

Depending on what your employees share on Facebook, a site using Facebook Connect has access to personal identity information, including: birth date, photos, email address, employer, address, and interests.

With social login, your own business accounts are only as secure as the employee's social media account. And your business has no visibility or control into how employees create and manage passwords for their personal accounts, or whether they share passwords between personal and work accounts.

For these reasons, you don't want to establish a direct link between the social media accounts and your business applications. However, social login can be useful for your employees, as it reduces the number of passwords they have to track. There are ways to mitigate the risks of offering employees social login to business applications.

Making social login work for B2E
One essential difference with employee logins is that you already know the information you need about the employee's identity and job role. You don't need profile information from the social network. The social login can simply provide the login credential.

To reduce the risks of social login, create a ‘firewall' between the social network and your business applications, so business applications are never linked to your employee's social network accounts. Use the social login as a login credential for business applications, but require additional authentication for those applications. Used in this way, your business maintains its role as the authority or curator of employee identities and business application access at all times.

An identity and Access Management (IAM) or Single Sign-on (SSO) solution can act as this firewall between the social network and your applications. Because social media credentials are created outside of the business, you cannot trust them alone to grant access to sensitive business applications. The IAM solution can require additional authentication factors before authenticating an employee as a trusted user with the authority to access business applications.

In this configuration, your applications themselves do not directly interact with the social networks. The process workflow is illustrated below:

Your business retains full control over all business application logins through the IAM or SSO solution. No personal data is exchanged between business applications and social media networks. If someone leaves the company, you can instantly remove access to those applications with their social media account by shutting off access in the IAM or SSO. This does not, however, affect the employee's ability to access their personal social media account. If someone manages to steal the employee's social login credentials, two-factor authentication means that the identity thief is shut out of your business applications.

Since social login is only one method that an employee could use to login to business apps, a problem with the employee's social credentials does not shut them out of their business applications if they can authenticate directly with the IAM.

This approach is feasible even for small companies without existing investments in IAM solutions.  A simple web-based single sign-on (SSO) solution with strong authentication capabilities can fill the role of social login secure bridge quickly and securely, offering employees the instant benefit of simpler logins and secure password management, while giving businesses the control and visibility needed for good governance and compliance.

Is it time to get social?
Businesses should look carefully at the potential benefits of social login. Using native social login on consumer-facing applications (your B2C websites) has many benefits: delegating the hard work of verifying identities, providing you with rich profile information, and reducing friction in the customer sign-up process.

In a business-to-employee context, social login can reduce the number of accounts and passwords employees have to remember. But never allow social media accounts to link directly to your business application - always use a secure intermediary IAM or SSO solution to control application access and manage additional authentication factors for sensitive business applications.

More Stories By Tom Smith

Tom Smith is the Vice President of Business Development & Strategy for CloudEntr at Gemalto. He has over 30-years of experience with security, mobile, and cloud technologies including founding executive roles at four technology companies. In his current role as VP Business Development and Strategy, CloudEntr at Gemalto, Tom is helping define and execute Gemalto’s identity and access initiatives in the cloud.

In his prior roles as CEO at both IronStratus and Countermind, he drove the strategy for the business and the go to market for their mobile and cloud offerings. Tom was also a founding executive of @hand Corporation, and has held various other positions including Dir. of Strategic Initiatives at Dazel Corporation, various Sales Management roles at Rational Software and at Hewlett-Packard. He has a Bachelor of Science in Computer Science from Iowa State University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
One of the biggest impacts of the Internet of Things is and will continue to be on data; specifically data volume, management and usage. Companies are scrambling to adapt to this new and unpredictable data reality with legacy infrastructure that cannot handle the speed and volume of data. In his session at @ThingsExpo, Don DeLoach, CEO and president of Infobright, will discuss how companies need to rethink their data infrastructure to participate in the IoT, including: Data storage: Understanding the kinds of data: structured, unstructured, big/small? Analytics: What kinds and how responsiv...
The Workspace-as-a-Service (WaaS) market will grow to $6.4B by 2018. In his session at 16th Cloud Expo, Seth Bostock, CEO of IndependenceIT, will begin by walking the audience through the evolution of Workspace as-a-Service, where it is now vs. where it going. To look beyond the desktop we must understand exactly what WaaS is, who the users are, and where it is going in the future. IT departments, ISVs and service providers must look to workflow and automation capabilities to adapt to growing demand and the rapidly changing workspace model.
Sensor-enabled things are becoming more commonplace, precursors to a larger and more complex framework that most consider the ultimate promise of the IoT: things connecting, interacting, sharing, storing, and over time perhaps learning and predicting based on habits, behaviors, location, preferences, purchases and more. In his session at @ThingsExpo, Tom Wesselman, Director of Communications Ecosystem Architecture at Plantronics, will examine the still nascent IoT as it is coalescing, including what it is today, what it might ultimately be, the role of wearable tech, and technology gaps stil...
The Internet of Things (IoT) promises to evolve the way the world does business; however, understanding how to apply it to your company can be a mystery. Most people struggle with understanding the potential business uses or tend to get caught up in the technology, resulting in solutions that fail to meet even minimum business goals. In his session at @ThingsExpo, Jesse Shiah, CEO / President / Co-Founder of AgilePoint Inc., showed what is needed to leverage the IoT to transform your business. He discussed opportunities and challenges ahead for the IoT from a market and technical point of vie...
Hadoop as a Service (as offered by handful of niche vendors now) is a cloud computing solution that makes medium and large-scale data processing accessible, easy, fast and inexpensive. In his session at Big Data Expo, Kumar Ramamurthy, Vice President and Chief Technologist, EIM & Big Data, at Virtusa, will discuss how this is achieved by eliminating the operational challenges of running Hadoop, so one can focus on business growth. The fragmented Hadoop distribution world and various PaaS solutions that provide a Hadoop flavor either make choices for customers very flexible in the name of opti...
The true value of the Internet of Things (IoT) lies not just in the data, but through the services that protect the data, perform the analysis and present findings in a usable way. With many IoT elements rooted in traditional IT components, Big Data and IoT isn’t just a play for enterprise. In fact, the IoT presents SMBs with the prospect of launching entirely new activities and exploring innovative areas. CompTIA research identifies several areas where IoT is expected to have the greatest impact.
Advanced Persistent Threats (APTs) are increasing at an unprecedented rate. The threat landscape of today is drastically different than just a few years ago. Attacks are much more organized and sophisticated. They are harder to detect and even harder to anticipate. In the foreseeable future it's going to get a whole lot harder. Everything you know today will change. Keeping up with this changing landscape is already a daunting task. Your organization needs to use the latest tools, methods and expertise to guard against those threats. But will that be enough? In the foreseeable future attacks w...
Disruptive macro trends in technology are impacting and dramatically changing the "art of the possible" relative to supply chain management practices through the innovative use of IoT, cloud, machine learning and Big Data to enable connected ecosystems of engagement. Enterprise informatics can now move beyond point solutions that merely monitor the past and implement integrated enterprise fabrics that enable end-to-end supply chain visibility to improve customer service delivery and optimize supplier management. Learn about enterprise architecture strategies for designing connected systems tha...
Wearable devices have come of age. The primary applications of wearables so far have been "the Quantified Self" or the tracking of one's fitness and health status. We propose the evolution of wearables into social and emotional communication devices. Our BE(tm) sensor uses light to visualize the skin conductance response. Our sensors are very inexpensive and can be massively distributed to audiences or groups of any size, in order to gauge reactions to performances, video, or any kind of presentation. In her session at @ThingsExpo, Jocelyn Scheirer, CEO & Founder of Bionolux, will discuss ho...
Even as cloud and managed services grow increasingly central to business strategy and performance, challenges remain. The biggest sticking point for companies seeking to capitalize on the cloud is data security. Keeping data safe is an issue in any computing environment, and it has been a focus since the earliest days of the cloud revolution. Understandably so: a lot can go wrong when you allow valuable information to live outside the firewall. Recent revelations about government snooping, along with a steady stream of well-publicized data breaches, only add to the uncertainty
SYS-CON Events announced today that Dyn, the worldwide leader in Internet Performance, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Dyn is a cloud-based Internet Performance company. Dyn helps companies monitor, control, and optimize online infrastructure for an exceptional end-user experience. Through a world-class network and unrivaled, objective intelligence into Internet conditions, Dyn ensures traffic gets delivered faster, safer, and more reliably than ever.
As organizations shift toward IT-as-a-service models, the need for managing and protecting data residing across physical, virtual, and now cloud environments grows with it. CommVault can ensure protection &E-Discovery of your data – whether in a private cloud, a Service Provider delivered public cloud, or a hybrid cloud environment – across the heterogeneous enterprise. In his session at 16th Cloud Expo, Randy De Meno, Chief Technologist - Windows Products and Microsoft Partnerships, will discuss how to cut costs, scale easily, and unleash insight with CommVault Simpana software, the only si...
Cloud data governance was previously an avoided function when cloud deployments were relatively small. With the rapid adoption in public cloud – both rogue and sanctioned, it’s not uncommon to find regulated data dumped into public cloud and unprotected. This is why enterprises and cloud providers alike need to embrace a cloud data governance function and map policies, processes and technology controls accordingly. In her session at 15th Cloud Expo, Evelyn de Souza, Data Privacy and Compliance Strategy Leader at Cisco Systems, will focus on how to set up a cloud data governance program and s...
Roberto Medrano, Executive Vice President at SOA Software, had reached 30,000 page views on his home page - http://RobertoMedrano.SYS-CON.com/ - on the SYS-CON family of online magazines, which includes Cloud Computing Journal, Internet of Things Journal, Big Data Journal, and SOA World Magazine. He is a recognized executive in the information technology fields of SOA, internet security, governance, and compliance. He has extensive experience with both start-ups and large companies, having been involved at the beginning of four IT industries: EDA, Open Systems, Computer Security and now SOA.
The industrial software market has treated data with the mentality of “collect everything now, worry about how to use it later.” We now find ourselves buried in data, with the pervasive connectivity of the (Industrial) Internet of Things only piling on more numbers. There’s too much data and not enough information. In his session at @ThingsExpo, Bob Gates, Global Marketing Director, GE’s Intelligent Platforms business, to discuss how realizing the power of IoT, software developers are now focused on understanding how industrial data can create intelligence for industrial operations. Imagine ...
Operational Hadoop and the Lambda Architecture for Streaming Data Apache Hadoop is emerging as a distributed platform for handling large and fast incoming streams of data. Predictive maintenance, supply chain optimization, and Internet-of-Things analysis are examples where Hadoop provides the scalable storage, processing, and analytics platform to gain meaningful insights from granular data that is typically only valuable from a large-scale, aggregate view. One architecture useful for capturing and analyzing streaming data is the Lambda Architecture, representing a model of how to analyze rea...
SYS-CON Events announced today that Vitria Technology, Inc. will exhibit at SYS-CON’s @ThingsExpo, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Vitria will showcase the company’s new IoT Analytics Platform through live demonstrations at booth #330. Vitria’s IoT Analytics Platform, fully integrated and powered by an operational intelligence engine, enables customers to rapidly build and operationalize advanced analytics to deliver timely business outcomes for use cases across the industrial, enterprise, and consumer segments.
HP and Aruba Networks on Monday announced a definitive agreement for HP to acquire Aruba, a provider of next-generation network access solutions for the mobile enterprise, for $24.67 per share in cash. The equity value of the transaction is approximately $3.0 billion, and net of cash and debt approximately $2.7 billion. Both companies' boards of directors have approved the deal. "Enterprises are facing a mobile-first world and are looking for solutions that help them transition legacy investments to the new style of IT," said Meg Whitman, Chairman, President and Chief Executive Officer of HP...
Containers and microservices have become topics of intense interest throughout the cloud developer and enterprise IT communities. Accordingly, attendees at the upcoming 16th Cloud Expo at the Javits Center in New York June 9-11 will find fresh new content in a new track called PaaS | Containers & Microservices Containers are not being considered for the first time by the cloud community, but a current era of re-consideration has pushed them to the top of the cloud agenda. With the launch of Docker's initial release in March of 2013, interest was revved up several notches. Then late last...
The explosion of connected devices / sensors is creating an ever-expanding set of new and valuable data. In parallel the emerging capability of Big Data technologies to store, access, analyze, and react to this data is producing changes in business models under the umbrella of the Internet of Things (IoT). In particular within the Insurance industry, IoT appears positioned to enable deep changes by altering relationships between insurers, distributors, and the insured. In his session at @ThingsExpo, Michael Sick, a Senior Manager and Big Data Architect within Ernst and Young's Financial Servi...