Unless you spend very little time on the web, you’ve probably been to sites that require you to log in but give you the option of using your Facebook or Twitter (or some other) account instead of creating (and remembering) yet another username and password. This “social login” option is popular with the public, but it can create problems when the code running in the background is configured poorly. That’s what happened to people on many websites for a short time last Thursday, when using their Facebook login on other sites sent them to a Facebook page instead of the website they wanted. Social login can also lead to some security problems. So perhaps it is not time (yet) to let your patrons access their library accounts using their social media accounts.
- Fraud could rise if retail customers use Facebook login (SC Magazine/Danielle Walker) “‘[T]he lack of identity proofing and weak authentication for social network identities can expose merchants to more fraud,’ Gartner said. ‘Service providers therefore have to defend themselves. They may allow social network registration, but augment the process with additional controls when a retail site provides access to sensitive data and monetary transactions.’ The trend will, however, fuel higher demand for specialized vendors that support the use of social networking identities through ‘open standard,’ or publicly available, authentication systems like OpenID or OAuth, which are used by sites like Twitter and Facebook, [Gartner Research VP Ant] Allan said.”
- Facebook hijacks Internet sites for an hour Thursday afternoon (ReadWrite/Dan Rowinski) “The Facebook connection was not just passively disrupting sites, as Web plugins sometimes do, but actively dragging users away from their destination sites to Facebook’s own platform. Developers at Say Media, ReadWrite’s parent company, believe that the problem was caused by Facebook Connect having problems with OAuth authentication that allows users to sign into a site using their Facebook profiles.”
- Twitter clients stay signed in with pre-breach passwords (The Register/Simon Sharwood) “Twitter spokesperson Jim Prosser did not deny that clients can continue to access the service even after passwords have been changed, and told The Reg, by email, that ‘TweetDeck and other clients use [open authentication standard] OAuth, so as long as you don’t sign out, you don’t have to re-input your credential every time you open the app.’ Prosser has also pointed out that the situation described above is an OAuth token issue, not a password issue.”
- Google’s continuing odyssey to sink passwords (ZDNet/John Fontana) “What hasn’t changed, however, is the Achilles’ heel that affects Google and other consumer identity federation schemes – the relying party role. These are the Web sites that leave it up to companies like Google, Yahoo, Microsoft, Facebook and others to issue identities. The relying party is the one that accepts those credentials for authentication and must check with the issuer (known as the IdP) to confirm they are valid. The relying party problem is akin to not having any merchants (relying parties) that will accept your credit card.”
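The Twitter item above describes the failure mode where an OAuth token keeps working after the password it was issued under has been changed. As an added illustration (not code from any of the articles or services mentioned), here is a small model of a token issuer: the weak validator only checks signature and expiry, while the hardened one also binds each token to a per-user “password generation” counter that a password change increments, so every outstanding token is rejected. The user table, field names and signing scheme are assumptions for the example.

```python
import hmac
import hashlib
import secrets
import time

SECRET = secrets.token_bytes(32)  # constructed server-side signing key

# Hypothetical user store: pw_generation counts credential resets.
USERS = {"alice": {"pw_generation": 1}}


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str, ttl: int = 3600, now=None) -> str:
    """Mint a bearer token bound to the user's current password generation."""
    now = int(time.time()) if now is None else now
    payload = f"{user}|{USERS[user]['pw_generation']}|{now + ttl}"
    return payload + "|" + _sign(payload)


def _parse(token: str):
    """Return (user, generation, expiry) if the signature verifies, else None."""
    try:
        user, gen, exp, sig = token.split("|")
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(f"{user}|{gen}|{exp}")):
        return None
    return user, int(gen), int(exp)


def validate_weak(token: str, now=None) -> bool:
    """Signature and expiry only: a token survives a password change."""
    now = int(time.time()) if now is None else now
    parsed = _parse(token)
    return parsed is not None and parsed[0] in USERS and now < parsed[2]


def validate_hardened(token: str, now=None) -> bool:
    """Also requires the token's generation to match the user's current one."""
    now = int(time.time()) if now is None else now
    parsed = _parse(token)
    if parsed is None or parsed[0] not in USERS or now >= parsed[2]:
        return False
    return parsed[1] == USERS[parsed[0]]["pw_generation"]


def change_password(user: str) -> None:
    """Bumping the generation invalidates every token issued for the user."""
    USERS[user]["pw_generation"] += 1
```

The same generation check applies to refresh tokens and long-lived client sessions, which is where the “as long as you don’t sign out” behaviour comes from.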
There’s a nice graphic on the Wikipedia OAuth page that illustrates how OAuth and OpenID work in simple terms.