(869) 466-6624 info@theitfacility.com


Do Not Use Social Media Credentials for Authentication (OAuth 2)

In the previous parts I have cautioned against using your social media account and credentials to authenticate or log-in on other web sites or services. I know it’s difficult and in some cases it doesn’t look as though one actually has a choice as almost every web site or web service encourages you to sign-in with your Google+, FaceBook or Twitter account credentials, but as will be explained I’m not so sure the risks and downsides are not worth the trade off.

So What is OAuth 2 or OpenID and How Does it Work?

Essentially, more and more web services require users to have either an account or to provide details to ensure that at the other end of the connection is a valid human user. That represents work for that service provider in managing a users database of usernames and passwords.

OAuth/OpenID seeks a "referral" or "recommendation" from sites where you are known.
OAuth/OpenID seeks a “referral” or “recommendation” from sites where you are known.

OAuth 2 and OpenID offer what is known as Single Sign On – that is you can log into one platform with your credentials and use those credentials elsewhere – and gets around that by saying using a digital “referral” system of saying well I don’t know you but you’re known by my good friends at Google, Twitter or FaceBook and if you check out with them it’s good enough for me.

So Where’s the Problem You Ask?

You’d be thinking that’s cool, I don’t have to mess around creating another account and waiting for an e-mail confirmation and have another user account and password to remember, let’s go! The people behind the new web services gets another user and doesn’t have to manage the user administration so it’s a slam dunk and a “win win” for everyone.

fdpn-doubtful-manSome of you might be thinking, slow down a bit, not so fast there has to be a catch somewhere. Well done reader, you’ve obviously read some of my other posts, and have taken “Trust but Verify 101”, a Gold Star for you, go to the top of the class. There is no such thing as a free lunch remember!

The good people at Google, FaceBook and Twitter or which ever social media site used to provide authentication details now record that John Smith is logged into acme.com with his credentials and he visits acme.com 3 times a day and also bonzo.biz and so on. All of this adds to the huge data-warehouse of information they’re gathering on you as you are no longer leaving digital breadcrumbs but whole slices of bread and jam behind.

This helps them complete their data trove of information about your preferences and adds another facet to your online persona which they are building to be able to market your data or target ad’s to you more effectively based on the sites you visit and your interests.

It Gets Worse

OAuth which has been around for some years as indicated by the Release or Version #2 but it has only recently been checked for security after about 10 years, and a number of vulnerabilities and inconsistencies have been found. Researchers at the University of Trier in Germany conducted a formal Security Analysis of OAuth 2.0 and have found significant and widespread vulnerabilities in the protocol.

The Problem has Gone Mobile

fdpn-mobile-devicesThe situation is worse in the mobile application space where some application developers have been using the “OAuth protocol” or specification rather loosely – baring in mind that the protocol was never intended to be used for anything other than website authentication.

Similar research of hundreds of applications which use OAuth 2.0 running on Android fail to follow the protocol specification and therefore expose users to greater risks. An assessment of the top 600 mobile apps that use OAuth found that more than 40% were non-compliant and potentially allow user’s accounts to be fraudulently used to make purchases and other things.

In short the risks certainly out-weigh the convenience gains! Don’t use it create an account and if necessary, use a password manager such as LastPass, which has recently made their mobile version available for free!!

Images courtesy freedigitalphotos.net