Last updated: 21 March 2014
Here’s a familiar scenario: I hear about a great website/service that interests me. It’s free, but I have to create an account to use the service. I’m not sure I’m going to keep using the service, so I hesitate to set up an account.
Then I notice that I can login using my LinkedIn profile, interesting. A few clicks and I’m in. And the next time I return to the site, I don’t have to remember a password, I’m welcomed back automatically.
That’s the power of social login in a nutshell – it’s really easy for the user (me in this example) to set up an account. I don’t have to manage any new accounts or passwords. And the website I’m logging into gets a new customer, quickly and easily.
You might like it as a consumer – but should you enable social login for your business? Specifically, should you offer social login to customers on your website (B2C use case) and is there a role for social login for employees (the Business-to-Employee or B2E use case)?
Spoiler alert: I’m talking about this topic (Social sign-on: Are you unknowingly sharing more than your password?) at the upcoming RSA Conference in San Francisco, CA February 24th. I believe that there is a value to social login even in the B2E case – but it has to be managed differently for employees than for customers.
The implications of linking accounts
Offering social login to your customers saves you a lot of work. The social media site has already verified the customer’s login by the social media site linking it to a real email address. And with social login providers/aggregators like Gigya and Janrain, it’s simple to offer social login using multiple social networks.
But to make an informed business decision, you have to look behind the scenes of the login to what happens when you link the accounts.
Linking the new account to the social media account is a binary, yes/no operation for the user. Once linked, the new website may access all kinds of information on my profile – including:
- My birthdate
- Photos of me with family, friends
- My email address and phone number
- My employer and job title
- My interests
This information sharing is the key point when it comes to the business decision to do social login.
In the B2C (consumer or customer) case, social login gives you access to deeper profile information that you can use to customize the user experience for your customers. Knowing a customer’s interests, for example, you can make sure they find information or products related to those interests on your site.
In the B2E context, this personal information from the social media profile is unnecessary and a potential risk. Social login gives criminals more avenues into personal information and logins, especially if employees are in the habit of using weak passwords or reusing passwords across multiple sites. Take another look at that list of data that might be shared – it’s practically a laundry list of the information that a cyber criminal might need to execute a social engineering or spear-phishing attack aimed at me to that can ultimately reveal my login credentials and gain them access to my company’s business applications.
To make social login work for employees, you have to do a few things differently.
Social login strategies for employees
You already know the pertinent information about your own workforce such as name, role, department, and role-based permissions. (You might be better off not knowing their personal interests.) To reduce the risk of fraud or inappropriate access, you don’t want to link social media accounts directly to business accounts. However, social login can be useful for your employees, as it reduces the number of passwords they have to track.
There are two pertinent steps to give your workforce the benefits of social login for business-related web applications while protecting the security and privacy of business data:
Create a secure ‘firewall’ between the social network and business applications.
Don’t link the social network directly to your business applications. Instead, link them to an identity and access management (IAM) or web-based single sign on (SSO) solution like CloudEntr that provides access to the authorized business applications downstream. Used in this way, your business maintains its role as the authority or curator of employee identities and business application access at all times.
Add strong authentication for sensitive business applications.
Do your employees ever leave Facebook open on a home computer, or re-use the same insecure password between Twitter and other things? You don’t want your business applications to be at risk every time there’s a breach involving their social credentials. If you’ve set up a secure firewall with IAM or SSO, you can add a second authentication factor, such as a one-time password sent to the employee’s phone, before allowing access to your applications. This way, even if someone compromises the social media account or its credentials, they cannot easily gain access to your business accounts.
These steps are illustrated below:
You can see here, your business retains full control over all business application logins through the IAM or SSO solution. No personal data is exchanged between business applications and social media networks. If someone leaves the company, you can instantly remove access to those applications with their social media account by shutting off access in the IAM or SSO. This does not, however, affect the employee’s ability to access their personal social media account. If someone manages to steal the employee’s social login credentials, two-factor authentication means that the identity thief is shut out of your business applications.
Since social login is only one method that an employee could use to login to business apps, a problem with the employee’s social credentials does not shut them out of their business applications if they can authenticate directly with the IAM.
This approach is feasible even for small companies without existing investments in IAM solutions. A simple web-based SSO solution with strong authentication capabilities can fill the role of social login secure bridge quickly and securely, offering employees the instant benefit of simpler logins and secure password management, while giving businesses the control and visibility needed for good governance and compliance.
Interested in exploring social login for your business? Going to RSA?
Stop by my RSA Conference speaking session to hear more or discuss social login personally:
- Wednesday, February 26th at 11:20 AM
- Moscone Center, West Room 3005
Can’t make it to RSA?
If you cannot make the session, send me a line or comment here – I’d be interested in hearing your thoughts or answering any questions you might have about social login coupled with strong authentication and cloud SSO.