From social media to gaming sites, every headline of a new breach makes me groan, “Time to change my password.” It’s a begrudging task, but I still have not been pwned. Aside from the risks associated with the common problem of password recycling among consumers, there are far too many online websites that enable consumers to sign in to other accounts using their social networking or webmail credentials.
For the last few years, there has been much speculation about the future of single sign-on for consumers. The question has been raised and discussed in many a blogosphere about the possibility of technology giants like Google, Apple, or Facebook being identity providers. The string of recent breaches shows exactly why, at least in my humble opinion, that is not a very good idea.
The recent breaches made me hyper-aware of all the potential accounts that can be accessed using my Facebook and Gmail login, for example. The risks are clear. By allowing one account to serve as the “master key” to have access to others is just opening the door to hackers to compromise your identity across numerous other sites including where you shop, play games, or buy music.
Besides the obvious identity risks, there are privacy concerns. What happens to your data when you enable access to other applications or accounts from Facebook, Gmail, LinkedIn, Twitter, and a host of other providers? I don’t know about you, but I don’t want random sites being able to monitor and collect information on my habits and preferences as I surf the Web.
There is also the concern of “write” access. For those of you who are Twitter fans, a recent article discussed the perils of allowing apps to access and post on your account on your behalf.
Single sign-on, or SSO as it is commonly referred, is in place within many organizations to enable users to access multiple enterprise applications on the same network. In these organizations, users may need to access different servers and different applications, each possibly requiring unique IDs and passwords. SSO enables a user to sign on once with a single user ID and password and access all of it without having to directly log in to any of them. It’s the perfect solution in the controlled environment of the enterprise and has probably helped saved millions in IT help desk costs associated with password resets.
For consumer brands, this type of “single sign on” to multiple accounts is meant to provide an added level of convenience to the user experience. This is why login credentials, even more so than bank accounts and credit cards, are highly sought after by hackers. So while we think convenience, not risk, a hacker is counting on the probability the same credentials you use to access one site are the same ones you use to access all sites.
How we conduct ourselves in our business life vs. our personal life is often very different. In many cases, we are forced to act within the confines of security policies set by our employer. However, that same level of care we take when at our office desk fails to spill over into our consumer life. We take the easy way out, and expect quick and convenient service. As long as the password continues to live on, it is important that we start to make minor changes in our behavior. Varying our passwords across the sites we use most often is a small step in the right direction. Even if they mirror one another closely, changing up a single digit or character can make all the difference in stopping a hack.
The post The Perils of Consumer Single Sign-On appeared first on Speaking of Security - The RSA Blog and Podcast.