Thought we might have a topical identity discussion today, with the Facebook IPO minutes away. Wonder what it must have felt like to wake up Mark Zuckerberg this morning? Probably better than me.
Many of my clients in higher ed are considering using Facebook logins as a valid credential for single sign-on into their systems. It's very tempting, particularly on college campuses: almost all students have a FB account, the federation is based on industry-standard protocols, and it means having Facebook deal with user account management. Other companies play with the idea of using these common OpenID-type logins as a way to ease access for users and eliminate the administration of their accounts.
But I would caution against jumping in 100%. It makes sense if you want a prospective student to log in to a front-end portal to upload their application or sign up for some seminars, or a job candidate to upload a resume, but once they need access to secured, sensitive internal systems, they need to authenticate at a higher level of assurance. And if the identity and authorization service provider is outside the control of the organization, serious problems can erupt.
For example, Facebook's password policies are usually much less strict than internal policies, so users' passwords may not meet internal password-formation rules.
Second, relying on a third party for identity is not a good security idea, especially when it's a social media company like Facebook that encourages "sharing". You are at the mercy of the privacy policies and machinations of Facebook. Students often share user IDs and passwords, and there is no identity verification when the account is originally created. Many abandoned accounts lie in Facebook (tons more in MySpace). Too many web pages auto-login Facebook users and leave them signed in on accessible workstations and smartphones.
Lastly, the lawyers will get all twisted up. Privacy policies are governed by Facebook, and we are still not clear who owns the account or user identity, the user or Facebook, or when and if that may change. We do know the company lawyers will make a muck of who legally owns the user account.
So use the pass-through login of Facebook, LinkedIn, Twitter, etc., to simplify bringing new users into your online world, but be very clear about the point at which the open handshake must end and the user must become an enterprise-validated user.
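One way to make that boundary explicit in code is an assurance-level policy: a session asserted by a social IdP is good enough for the application portal, but sensitive resources require an enterprise-validated account (and a second factor for the most sensitive ones). This is an added example, not code from the post; the issuer names, resource tiers and the institutional IdP hostname `idp.example.edu` are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Assurance(IntEnum):
    SOCIAL = 1          # identity asserted by an external social IdP (no vetting, lax password policy)
    ENTERPRISE = 2      # account provisioned and password-policy-enforced by the institution
    ENTERPRISE_MFA = 3  # enterprise account plus a second factor

# Minimum assurance each resource demands (constructed tiers for this example)
RESOURCE_TIERS = {
    "apply-portal": Assurance.SOCIAL,
    "seminar-signup": Assurance.SOCIAL,
    "student-records": Assurance.ENTERPRISE,
    "payroll": Assurance.ENTERPRISE_MFA,
}

SOCIAL_ISSUERS = {"facebook.com", "linkedin.com", "twitter.com"}
ENTERPRISE_ISSUER = "idp.example.edu"  # assumed institutional IdP

@dataclass
class Session:
    subject: str
    issuer: str   # who asserted the identity, e.g. "facebook.com" or "idp.example.edu"
    mfa: bool = False

def session_assurance(s: Session) -> Assurance:
    """Map the identity issuer (and MFA flag) to an assurance level; unknown issuers fail closed."""
    if s.issuer in SOCIAL_ISSUERS:
        return Assurance.SOCIAL
    if s.issuer == ENTERPRISE_ISSUER:
        return Assurance.ENTERPRISE_MFA if s.mfa else Assurance.ENTERPRISE
    raise ValueError(f"unknown issuer {s.issuer!r}")

def authorize(s: Session, resource: str) -> tuple[bool, str]:
    """Allow access when the session's assurance meets the resource tier; otherwise say what step-up is needed."""
    required = RESOURCE_TIERS.get(resource)
    if required is None:
        return False, "unknown resource: denied"  # fail closed on unlisted resources
    have = session_assurance(s)
    if have >= required:
        return True, "ok"
    return False, f"step-up required: {have.name} < {required.name}"

if __name__ == "__main__":
    print(authorize(Session("alice", "facebook.com"), "apply-portal"))      # (True, 'ok')
    print(authorize(Session("alice", "facebook.com"), "student-records"))   # step-up required
    print(authorize(Session("bob", "idp.example.edu", mfa=True), "payroll"))  # (True, 'ok')
```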