Facebook Single Sign-On Equals Internet Headache
Reports came out recently that, once again, Facebook has been breached. Hackers were able to take over the accounts of at least 50 million users. As this Wired article points out, it wasn’t passwords that were hacked, but access tokens.
One thing that the Wired article details, and which is summed up in this post, is the issue of using Facebook as a Single Sign-On (SSO) solution.
Many websites allow individuals to use Facebook to log into a site’s services. Most of those sites don’t force the user to re-enter a password to confirm their identity, so every site that trusts the Facebook login alone is also affected by this Facebook breach: a stolen access token opens the downstream account too. Many of those sites hold sensitive personal information, including credit card numbers, birthdays, and other vital data, which heightens the risk of your identity being stolen.
There are several specific things you can do to help mitigate this headache: 1) using a strong SSO solution; 2) changing passwords; and 3) keeping things up to date.
Remember, if you’re not paying a company for their product, you are the product. Enterprises like Facebook and Google thrive on the use of the information you provide them. Using your accounts with them as a single sign-on vehicle allows them to build a stronger internet profile about you.
A better approach is using a solid SSO solution. For example, at Ivanti we use Okta for our SSO. Two advantages of Okta are Active Directory integration, which lets password policies such as complexity, reuse, and rotation interval sync to Okta, and multi-factor authentication. Separating websites from Facebook’s SSO will also help, because it safeguards your other accounts if Facebook gets compromised again.
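As an added illustration of both the risk described above (sites that never ask for their own password) and the separation advised here, the following example was written for this post and is not Facebook’s API or Ivanti’s software; the user names, passwords and the 300-second freshness window are constructed assumptions. It models a relying party that demands its own password before showing sensitive data and can drop every session derived from a breached identity provider at once.

```python
# Constructed relying-party model (not Facebook's API, not Ivanti's code):
# a session created from an identity-provider (IdP) login must re-authenticate
# with the site's own password before sensitive data is shown, and every
# session derived from a breached IdP can be revoked in one step.
from dataclasses import dataclass

REAUTH_WINDOW = 300.0  # seconds a local re-authentication stays fresh (assumed policy)


@dataclass
class Session:
    user: str
    idp: str                       # assumed labels: "facebook", "okta", "local"
    last_local_auth: float = 0.0   # 0.0 means never re-authenticated locally


class RelyingParty:
    def __init__(self, local_passwords):
        self.local_passwords = local_passwords  # constructed: user -> password
        self.sessions = {}                      # session id -> Session
        self.untrusted_idps = set()

    def login_via_idp(self, sid, user, idp):
        """Create a session from an IdP assertion; refuse IdPs flagged as breached."""
        if idp in self.untrusted_idps:
            return False
        self.sessions[sid] = Session(user, idp)
        return True

    def step_up(self, sid, password, now):
        """Confirm identity with the site's own password, not the IdP token."""
        s = self.sessions.get(sid)
        if s is None or self.local_passwords.get(s.user) != password:
            return False
        s.last_local_auth = now
        return True

    def view_card(self, sid, now):
        """Return card data only when a fresh step-up authentication exists."""
        s = self.sessions.get(sid)
        if s is None or now - s.last_local_auth > REAUTH_WINDOW:
            return None
        return "card data for " + s.user

    def idp_breach(self, idp):
        """Drop every session that was derived from the compromised IdP."""
        self.untrusted_idps.add(idp)
        dropped = [sid for sid, s in self.sessions.items() if s.idp == idp]
        for sid in dropped:
            del self.sessions[sid]
        return len(dropped)
```

Sessions that came from a different provider survive the revocation, which is the practical payoff of keeping sites off a single social login.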
Changing passwords after a breach like the one at Facebook is always good hygiene. Even if this breach didn’t concern passwords specifically, you never know whether or not a service you use has been compromised by the bad guys. Ivanti Password Director helps simplify password resets for your users with self-service capability.
Keeping Things Up to Date
The Wired article mentions that the iOS Facebook app had vulnerabilities that allowed cookies to be hijacked. The Facebook app has been patched, but many users may not have installed the updated version yet. Ivanti Endpoint Manager allows your IT team to keep iOS, Android, Windows, and Mac devices up to date.
To sum it all up, using a company as your SSO that specializes in using your data can be a bad idea as evidenced by the recent Facebook breach. If you’re going to use an SSO, make sure it’s one that exists for that very purpose. Check out our Password Director tool so your users can reset their passwords easily and as needed. Last but not least, keep your systems and applications up to date with Ivanti Endpoint Manager. You’ll make it more difficult for the bad guys to gain a foothold.
Kaleb Knobel is a Security Engineer at Ivanti and has also worked as a Technical Support Specialist for the State of Utah and a Service Assurance Technician for Integra Telecom. He is working towards a bachelor’s degree in Computer and Information Systems Security/Information from Western Governors University.