Social Networking and Online Security

Replacing UserID and Password Logins with Open Source Web Identities

© Terence P Ward

May 25, 2009
OpenID Provides Open Source Password, OpenID.org
As web users demand more convenience and interactivity, the old model of having a unique username and password on each site is being replaced with a universal web identity.

Usernames and passwords that are unique to a single website are becoming an old-fashioned way to secure information online, following the trend towards interactive sites that share information like Facebook and Twitter.

Using developing open-source standards with names like “OpenID” and “OAuth,” more and more sites are allowing users to log in using credentials they signed up for on a different site entirely. This in turn is forcing users to shift their online security concerns from the sites themselves to the hidden code that encrypts the password they use in any number of places.

Single Sign-on Systems

The vision of a single sign-on (SSO) system is to allow a user to enter a login and password into a trusted site, and use those credentials to gain access to another site. The user is redirected to the credentialing site to log in, and their username or other identity is then used to log in to the new site, allowing users to have a consistent web identity.

The amount of information that is shared varies with the exact service, but is generally controllable by the user (although the methods for doing so may not be clearly explained). The two most prominent of these systems are OpenID and Facebook Connect.

  • OpenID is an open-source system that employs unique web addresses that identify users. Participating sites include AOL, LiveJournal, Blogger, and MySpace. Any person who has made an account with a participating site can use their information to log into other OpenID sites. Since URLs (web addresses) must already be unique, the problem of having one's username “stolen” by another person is resolved.
  • Facebook Connect is a proprietary system that allows Facebook users to share information with other sites, and with other Facebook users. For example, a Facebook user with a Netflix account may connect the two in order to display upcoming movies in their queue. Facebook Connect can also be set up to replace the site login, similar to how OpenID works, and allows participating sites access to aggregate user data the way Facebook Pages do.

Using Third-Party Applications

Web 2.0 sites are relying more heavily on application programming interfaces (APIs), which allow third-party developers to make applications that use the original site's information. Twitter is a fine example of this; any number of sites and software applications are available that interact with the data stream provided by the microblogging site.

Users typically enter their Twitter login information into the third-party sites so that their Twitter accounts can be accessed for either reading or writing new information. However, Twitter itself warns on its help pages that “if you've entrusted your user name or password to a third party application, or if your Twitter account is vulnerable due to a weak password or compromised network, your account may be compromised.”

A security solution that Twitter is now supporting is called OAuth, and it's designed to allow the third-party application access to the user's data without actually giving it the password to the account. The downside to OAuth is that, unlike Facebook Connect and OpenID, there is no way for a user to confirm that OAuth is present and doing its job, because it works entirely behind the scenes.

Once a way for users to observe the authorization as it takes place is designed, it should allow sites with more sensitive information than Twitter to participate in this type of data sharing.
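How an application can act on an account without holding its password, shown as an added example that is not from the article or from Twitter. It assumes the OAuth 1.0 HMAC-SHA1 signing method (RFC 5849), which the article does not specify; the endpoint, keys, secrets and token store are constructed for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(value):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay bare.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # METHOD & encoded URL & encoded, sorted "k=v" parameter list.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    # The HMAC key is built from the app's secret and the token's secret;
    # the user's account password is not an input anywhere.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

# Constructed sample data (hypothetical endpoint, keys and secrets).
URL = "https://api.example.com/statuses/update"
CONSUMER_SECRET = "app-secret"
ISSUED_TOKENS = {"user-token": "token-secret"}  # service-side token store
PARAMS = {
    "status": "hello world",
    "oauth_consumer_key": "app-key",
    "oauth_token": "user-token",
    "oauth_nonce": "n1",
    "oauth_timestamp": "1243209600",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_version": "1.0",
}

def service_accepts(tokens, method, url, params, signature):
    # Service side: look up the token, recompute the signature, compare.
    token_secret = tokens.get(params.get("oauth_token"))
    if token_secret is None:
        return False  # token revoked or never issued
    expected = sign(method, url, params, CONSUMER_SECRET, token_secret)
    return hmac.compare_digest(expected, signature)

def demo():
    tokens = dict(ISSUED_TOKENS)
    sig = sign("POST", URL, PARAMS, CONSUMER_SECRET, "token-secret")
    valid = service_accepts(tokens, "POST", URL, PARAMS, sig)
    tampered = service_accepts(tokens, "POST", URL, dict(PARAMS, status="spam"), sig)
    tokens.pop("user-token")  # the user revokes this app; the password is unchanged
    revoked = service_accepts(tokens, "POST", URL, PARAMS, sig)
    return valid, tampered, revoked
```

A real service also rejects reused nonces and stale timestamps to stop replayed requests; that check is left out here.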

Online Identities and Security

As the internet migrates towards universal web identities, users must continue to take care to enter sensitive information only into sites that they trust, and to safeguard usernames and passwords. It is still very easy to make a dummy site to trick users, and it's extremely difficult to know if passwords entered into third-party sites are actually secure or not.

This is no more serious than the concerns about credit card numbers in the 1990s, and credit card numbers are now generally considered secure by most users.


The copyright of the article Social Networking and Online Security in Social Networking/Tagging is owned by Terence P Ward. Permission to republish Social Networking and Online Security in print or online must be granted by the author in writing.


OpenID Provides Open Source Password, OpenID.org
OAuth Makes Applications More Secure, OAuth.net
Facebook Connect Provides a Portable Web Identity, Facebook.com
   

