Password-Based Single Sign-On: Big brands of innovation, including Apple, Facebook and Google, are competing to dominate the “single sign-on” game. Simply stated, password-based single sign-on allows individuals to use their existing login and password credentials from one of these major multinational technology brands to access third-party sites. This saves consumers the time and effort required to come up with new logins for every online service they may access.
Ideally, this is meant to prevent the creation and use of weak passwords that are so often quickly created and then forgotten for “one and done” or infrequently used services.
These major multinational technology brands (we’ll just refer to them as MMTBs moving forward) are leveraging consumer fears and fatigue about hacking to convince users to put their faith in their universal presence and overall reputation, despite the lingering privacy concerns that might apply.
Essentially, they want those who’ve adopted and rely on their technological ubiquity to trust them as their go-to source for collective account security. But collective account security takes on new meaning in today’s digital transformation environment.
Employees are constantly interacting with third-party applications and services using static credentials, both on and off the clock, and a compromise on one side could easily put individual and enterprise network/data security, or collective account security, at risk on the other.
While some versions of single sign-on use biometric authentication, such as Face ID and Touch ID for Apple devices, they otherwise conform to traditional password-dependent/password-based single sign-on practices. This is why I think single sign-on with passwords is a bad idea.
The MMTBs aren’t security companies. While at first glance this might appear obvious, your average user/employee is probably not taking into consideration that security and anti-fraud aren’t MMTB core offerings. Rather, this is a zero-sum game to sweep up as many users as possible while promising to deliver a simpler but safe experience.
Yet the promise rings hollow. Think about it: you wouldn’t go to a carpenter to get a root canal, so why should you entrust the security of your enterprise’s network and critical data to the MMTBs?
“Historically, security means less simplicity; the MMTBs don’t want the login/password processes to be too secure.” A higher standard of security comes with the potential to create more digital friction and impact the end-user experience.
MMTBs would much prefer a simple single sign-on to a more vigilant approach that doesn’t depend on passwords as the first or only security factor, especially if it means users disengage in frustration or impatience and turn to the competition instead. In today’s unrelenting hacking environment, no business should feel comfortable trading security for easy access.
Password-based single sign-on greatly expands the attack surface. The problem with creating a single sign-on that handles multiple web services’ static password credentials is that the experience focuses on easing login headaches, not on the security of the brittle passwords themselves.
Passwords cached in a platform are still vulnerable to breaches at other organizations or to being trafficked in the cybercrime underground.
One username and password combination for not only your MMTB account, but your bank, health provider, car/home insurer, etc., means hackers only have to break the code once to gain access to… well, pretty much everything. What’s more, it’s easier than ever to do this because…
The “Forgot password?” option is a hacker’s best friend. If attempts to gain account access through phishing emails, keyloggers or credential replay attacks fail, cyber-criminals have the option of simply clicking the “Forgot password?” button.
Many of the typical questions prompted to reset passwords (“What is your mother’s maiden name?”, “What was the name of your first pet?”, “What is your favorite movie?”, etc.) can be answered simply by calling up and viewing information available on the target’s social media accounts.
MMTBs are data-hungry. Once MMTBs have your information, they can do all sorts of things with it – and some of these things aren’t good. Twitter, for example, recently acknowledged that it used emails and phone numbers entered for two-factor authentication to target ads to users.
While Twitter claimed this was inadvertent and quickly corrected course, this development illustrates how easily information can be misused, especially when new revenue streams can result.
The fact of the matter: Everything is about conviction. A password-based single sign-on alone doesn’t raise the bar – in fact, it lowers it. Passwords themselves are rapidly becoming passé.
As long as passwords have existed, hackers have had an entry point to compromise accounts and networks; that’s why the security industry is working on the next generation of authentication tools to eliminate passwords entirely.
The MMTBs have demonstrated extraordinary innovation in development of search engines, hardware, social media, mobile, tech, digital entertainment and countless other offerings.
Yet, by clinging to this outmoded form of authentication, they reveal that they remain a step or two behind from a security perspective. So, until they evolve beyond usernames and passwords as the first security factor, you probably don’t want to trust that they’re ready to protect you.