Social logins: What’s really at risk?

Social logins go a long way to enhance the user experience, but how do you secure social login sessions?

As a consumer, I love the simplicity and convenience of using my social login from sites like Facebook and LinkedIn to access new sites, shopping, and more.

I recently needed to access my healthcare portal app on my iPhone and couldn’t remember my user name or password. So I just clicked the login with Facebook button, entered my Facebook credentials and, voila! I was in. I can access all of my recent health screenings, lab results, height, weight and other personal information like name, address, birthdate.

As a marketer, I understand the increasing importance of making the online user experience as seamless as possible. Social logins are one way to improve the user experience and lower dropout rates. Marketing departments know customers don’t want to log in multiple times or fill out yet another form.

Widespread use of social logins

According to a Blue Research report, “90% of people have encountered social login before, and more than half of people use it.” With multiple accounts, people struggle to remember sign-in information. The registration ease delivered by social login means that people are more likely to stay on the site and purchase products. Social logins can also provide businesses with rich demographic data about their customers. Just think about all the data that Facebook collects about its users.

The other side of the social login coin

But social logins are also a double-edged sword. If one of those social login providers is hacked, it has a domino effect: every other account a person uses that profile to sign into can also be at risk. And this creates even greater challenges for those of you responsible for keeping your enterprise network and data secure.

While mobile computing and expanding access to cloud-based applications have joined forces to make your static security perimeter ineffective, multi-factor and risk-aware authentication have made gaining network access via stolen credentials increasingly difficult. That has forced hackers to find more creative ways to get into your system. User sessions – where an individual is already logged into an application – are near the top of a hacker’s alternative hit list, and social logins are a vulnerability because of the treasure trove of data and access they may offer.

But there are some things you should consider when trying to increase session security without unnecessarily impacting the positive user experience gained from social logins.

  1. Understand that different access and actions carry different risks if data is exposed.
  2. Assess each class of interaction and apply security controls that are appropriate to the potential threat.
  3. Having a secured centralized session is a much better approach to application security than having to manage session security separately for each individual application.
  4. The two most successful methods for enhancing session security are continuous device verification and risk-based authorization.
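To make the four points above concrete, here is an added example (not code from the original post or from CA) of a centralized session store that re-verifies the client device on every request and makes a risk-based decision per action class. The action classes, risk tiers, score weights and thresholds are all constructed for illustration; a real deployment would tune them from its own threat assessment.

```python
"""Centralized session authorization with continuous device verification
and risk-based decisions per action class. Added illustration; all
weights, tiers and thresholds below are assumed, not from the post."""
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac
import secrets

# Point 1/2: each action class carries its own risk tier (assumed mapping).
ACTION_TIERS = {
    "view_public_profile": 1,
    "view_lab_results": 2,
    "change_address": 2,
    "change_email": 3,
    "export_all_records": 3,
}
# Per tier: (step_up_threshold, deny_threshold). Lower tiers tolerate more risk.
TIER_THRESHOLDS = {1: (60, 90), 2: (30, 70), 3: (10, 50)}

# Per-deployment key so a leaked fingerprint value can't be recomputed
# by someone who only knows the client attributes.
SERVER_SECRET = secrets.token_bytes(32)


def device_fingerprint(user_agent: str, platform: str, language: str) -> str:
    """Keyed hash of stable client attributes bound to the session at login."""
    material = "\x1f".join([user_agent, platform, language]).encode()
    return hmac.new(SERVER_SECRET, material, hashlib.sha256).hexdigest()


def ip_prefix(ip: str) -> str:
    """Coarse network identity (first three IPv4 octets) for change detection."""
    return ".".join(ip.split(".")[:3])


@dataclass
class Session:
    user: str
    fingerprint: str
    ip_prefix: str
    auth_method: str          # "social" or "direct"
    created_at: float
    revoked: bool = False
    step_up_at: Optional[float] = None  # last successful MFA step-up


class SessionStore:
    """Point 3: one central store consulted by every application."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def create(self, user, fingerprint, ip, auth_method, now) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, fingerprint, ip_prefix(ip), auth_method, now)
        return sid

    def get(self, sid) -> Optional[Session]:
        return self._sessions.get(sid)


def risk_score(sess: Session, ip: str, now: float) -> int:
    """Additive risk signals (weights assumed). Device mismatch is handled
    as a hard rule in authorize(), not as a score."""
    score = 0
    if ip_prefix(ip) != sess.ip_prefix:
        score += 25  # network changed mid-session
    if sess.auth_method == "social":
        score += 15  # assurance is inherited from a third-party provider
    age_hours = (now - sess.created_at) / 3600
    score += min(int(age_hours) * 2, 20)  # older sessions are riskier
    return score


def authorize(store, sid, action, fingerprint, ip, now) -> str:
    """Point 4: continuous device verification plus risk-based authorization.
    Returns "ALLOW", "STEP_UP" or "DENY"."""
    sess = store.get(sid)
    if sess is None or sess.revoked:
        return "DENY"
    # Continuous device verification: a different device presenting this
    # session id is treated as hijack and the session is revoked centrally.
    if not hmac.compare_digest(fingerprint, sess.fingerprint):
        sess.revoked = True
        return "DENY"
    tier = ACTION_TIERS.get(action, 3)        # unknown actions are high risk
    step_up, deny = TIER_THRESHOLDS[tier]
    score = risk_score(sess, ip, now)
    if score >= deny:
        return "DENY"
    if score >= step_up:
        # A step-up completed within the last 10 minutes still counts.
        if sess.step_up_at is not None and now - sess.step_up_at < 600:
            return "ALLOW"
        return "STEP_UP"
    return "ALLOW"


def record_step_up(store, sid, now) -> None:
    """Called after the user passes a second factor."""
    sess = store.get(sid)
    if sess is not None:
        sess.step_up_at = now
```

The important design choice is that a device-fingerprint mismatch is not just another score input: it revokes the session in the central store, so every application relying on that store denies the hijacked session at once, while lower-severity signals such as a network change only trigger a step-up for the action classes that warrant it.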


Find out more about how you can counter the risk of session hijacking by downloading this free eBook.


Monique is a Director of Product Marketing for CA Single Sign-On and CA Directory at…
