In some of my previous blog posts, I’ve written about the stringent password rules that some web sites employ in the name of protecting themselves and the end user from theft. In turn, the end user, while acknowledging the need for security, is always looking for an easy and quick way to get things done. I admitted that in the past, I had taken to using the same user ID and password combination on many different web sites. I quickly learned that many thieves think the same way. They are hoping you use this shortcut because if they steal your password for one site, they have it for many others as well.
A new phenomenon that introduces some of the same benefits and problems is the practice of allowing an end user to use their social media user ID and password to log into a web site. I can log in to some web sites now without setting up a site-specific user ID and password. These sites are giving end users the option to click on an icon for sites like Facebook or Twitter to verify who the end user is. End users do not need to spend time choosing a user ID, choosing a password, answering security questions, and building account information. Their existing identity on Facebook or Twitter is enough to provide verification. The convenience is a huge plus for both the web site owner and the end user, since the selling and buying can take place so much quicker.
Upon further examination, this convenient practice might be even worse than using the same user ID and password for all your online accounts. Why? Let’s say I am already logged on to my Facebook account as I busily work away at my local coffeehouse. I take a much needed break and get in the long line to order a venti café mocha latte double espresso (sorry . . . I don’t drink coffee). At any rate, a curious coffeehouse patron with evil intent notices my unattended tablet. They pop open a browser window and log on to Best Buy . . . using my Facebook identity! If I made the mistake of storing my credit card information within the account, I have just gifted our thief a new Wii console. Wow! This new social login process is convenient for everyone… site owners, end users… and thieves!
I realize I’m not providing a solution here, but I do have a concern that the rush to make things easier will end up making life more difficult in another way. I’m all for advances that make me more productive, but they need to be thought through to determine if security holes have developed. I think it is clear that there is a problem with the current social login approach, so maybe this approach shouldn’t be used by web site owners who are selling something or those who have the end user’s personal information available.