Facing the Facebook Breach: Why Simple SSO is Not Enough

Last updated: 25 October 2018

Facebook Breach
Let’s ‘face’ it. The September 2018 Facebook breach was not only a ‘mega’ breach in terms of the 50 million compromised users affected, but also a severe breach because of the popularity of the social media giant. To recap, cyber criminals got hold of users’ Facebook login credentials. The breach was compounded by the fact that many users rely on their Facebook credentials to log into other social media sites, which means that the attackers gained access not only to a user’s Facebook account, but to every other account that uses Facebook login credentials.

SSO not a social media fashion – it’s an enterprise must

In essence, the Facebook credentials act as a simple, eat-all-you-want Single Sign On (SSO) for other social platforms. But the popularity of SSO solutions is not just a Facebook fashion. It’s a viable business need, meant for the convenience of organizations that need access to their day-to-day web and cloud-based applications. Simple Single Sign On offers clear advantages for enterprises: no need to maintain a separate set of passwords for each and every application; reduced IT overload and fewer password reset requests; and increased productivity, since employees, contractors and remote workers authenticate once and access everything they need, any time and any place.

The demand for SSO in enterprises has grown with the rise in the number of web and cloud-based apps. However, along with widespread SSO implementation has come the risk associated with simple SSO. Only a month before the Facebook breach, the potential ‘massive’ security dangers of Single Sign On were discussed at the USENIX conference in Baltimore. The paper describes how criminals can gain control of numerous other web services once a single account is hacked.

Google+ access to 3rd party apps now a minus

When it comes to third party app violations, Google has not been spared. Its “Project Strobe” revealed stark findings related to the third-party access API for Google+ users. Due to a bug, third party apps were granted access to profile information that users had not marked as public to begin with. As a result, Google recommended sunsetting Google+ for consumers and concentrating R&D efforts on giving enterprises better control over which account data they choose to share with each app. Apps will need to request each permission one at a time, each within its own dialog box, as opposed to presenting all requested permissions on a single screen.

Smart SSO with role-based policies

The risks that consumers were exposed to as a result of buffet-style sign on in the Facebook case also apply to the enterprise. Fortunately, there is a solution: to maintain the convenience of single sign on without compromising on security, enterprises can use Smart Single Sign On. With a smart SSO solution such as Gemalto’s SafeNet Trusted Access, enterprises can define conditional access policies. These policies can restrict or relax access to various applications, depending on the risk. For example, a group of users would be able to authenticate only once when working in the office, but would have to re-enter their password or provide another form of 2FA (e.g. SMS, pattern-based code, hardware token, etc.) for more restricted access.

To increase trust without canning the convenience of SSO for most apps and scenarios, the advantage lies in stepping up authentication after the initial SSO login. Enterprises can choose their access controls for specific user groups, sensitive apps and contextual conditions by applying scenario-based access policies.
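As an added illustration of the conditional access idea described above (this is not Gemalto’s code, nor the SafeNet Trusted Access policy format), the following Python evaluator maps a user’s groups, the target application and the network context to the assurance level a request needs, then decides whether the existing SSO session is enough or a step-up is required. The policy rules and application names are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Strength of what the current session has proven (ordered weakest to strongest)."""
    NONE = 0       # no valid SSO session
    PASSWORD = 1   # single factor: the initial SSO login
    MFA = 2        # second factor re-verified: OTP, pattern code, hardware token


@dataclass(frozen=True)
class Context:
    user_groups: frozenset        # groups the user belongs to, e.g. {"sales"}
    app: str                      # application being opened through SSO
    on_corporate_network: bool    # contextual condition: office vs. remote
    session_assurance: Assurance  # what the existing SSO session already proved


@dataclass(frozen=True)
class Policy:
    app: str            # "*" matches any application
    groups: frozenset   # empty set matches any user group
    in_office: Assurance  # assurance required on the corporate network
    remote: Assurance     # assurance required off it


# Constructed sample policies, ordered most specific first (first match wins).
POLICIES = [
    Policy("hr-payroll", frozenset(),          Assurance.MFA,      Assurance.MFA),
    Policy("crm",        frozenset({"sales"}), Assurance.PASSWORD, Assurance.MFA),
    Policy("*",          frozenset(),          Assurance.PASSWORD, Assurance.MFA),
]


def required_assurance(ctx: Context) -> Assurance:
    """Return the assurance level of the first policy whose app and group scope match."""
    for p in POLICIES:
        if p.app != "*" and p.app != ctx.app:
            continue
        if p.groups and not (p.groups & ctx.user_groups):
            continue
        return p.in_office if ctx.on_corporate_network else p.remote
    return Assurance.MFA  # fail closed: an app no rule covers always steps up


def decide(ctx: Context) -> str:
    """'allow' reuses the SSO session; 'step-up:<level>' demands re-authentication."""
    need = required_assurance(ctx)
    if ctx.session_assurance >= need:
        return "allow"
    return f"step-up:{need.name.lower()}"
```

The fail-closed default matters: an application that no rule covers should demand the stronger factor rather than silently inherit the SSO session.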

Trusted Identity as a Service Provider

Using access management, enterprises can federate dozens of cloud applications without unnecessary burdens on IT teams, while keeping in place the necessary protections.

With Smart SSO, the proliferation of cloud apps need not lead to a feast of security breach reports. To learn more about the smart face of single sign on, and prevent an iDaaS-ter (Identity as a Service disaster), download the fact sheet, Matching Risk Policies to User Needs with Access Management, read more about Identity as a Service or watch how Gemalto SafeNet single sign on solutions work in the cloud.
