Yorick Phoenix, CTO, answered on 2019-05-14T00:33:04.488Z, 9 days ago
It comes down to how well the passwords at the sites that you are using for authentication are stored and the encryption methods used. Assuming that passwords will be leaked just as easily by your own inside staff as by a hacker breaking in, the same applies to those situations. How reversible they are - or are not - is the key.
If users are using weak passwords, it doesn't really matter where they are stored.
If there is some inherent weakness in the 3rd party authentication method then that is obviously a non-starter.
Your ability to wipe all the login tokens / close down individual 3rd party authentication services at will is important too.
The quality of the authentication APIs should not be confused with the abuse of their own APIs that FB has suffered from.
You have to ask yourself why you are doing this. Convenience for your staff, the fact that you don't have to maintain your own authentication / security of encrypted passwords?
Neal Bozeman, Investor, answered on 2019-05-14T14:03:41.054Z, 8 days ago
Social Sign On (aka Single Sign On) is a well-defined and secure authentication protocol, and is used in the enterprise to connect disparate apps.
It is highly secure, as there is no need to store any passwords, nor tokens (despite the other answers here). You would only store tokens if you wish to do actions on the SSO source, such as posting to their feed.
With Social, your security is as good as the SSO source, e.g. Facebook, Twitter, Google, etc. If someone has access to an account on any of these that also matches an account on your application, they would be able to impersonate a login to your site. However, in general, the big SSO providers offer higher security standards than most organizations provide, such as multi-factor authentication.
Although you hear about breaches, they are quickly mitigated, and the pressure on SSO providers has quickly brought their security to a high level. In most breaches you hear about, nothing can be done practically with the encrypted password data that was accessed.
I recommend using SSO because it raises the quality of registrations on your site, as the user has already been vetted by the SSO provider, and it makes it easier for users to say "yes" to your site.
Kamal Sharma, CIO, answered on 2019-05-14T15:05:05.402Z, 8 days ago
It is catching up but needs a clearly articulated framework for classified information access and security measures defined around it.
Charles Neely Harper, CIO / CTO, answered on 2019-05-19T13:58:54.668Z, 3 days ago
This is a long and difficult problem for most entities (companies) because it demands discipline from the teams to manage a multitude of login rules and passwords. An attempt was made by the IT community to federate the login by the trust with the social networks and make it easier. The SSO approach was violated when the biggest, Facebook, revealed on September 28, 2018 that they were compromised (what does that mean?) and hackers accessed 50 million access tokens. This single event should be a wake-up call for all to NOT TRUST any social platform for an SSO. No Cyber professional would design, much less advise, this as the login of choice. So we are back to the plethora of methods and login credentials we are all faced with in our professional and personal lives. Most Cyber experts have "password managers" they use themselves, and some don't even know the password the manager generated, but as with any tool, there are risks; there is still a master password. So it all comes down to risk. Literature supports that the length of the password, the "phrase" type, increases the complexity, so encourage this, and don't forget one of the best defenses is an educated work force that has some training on hacker and phishing methods.
Bill Philbin, CTO, answered on 2019-05-21T13:33:15.954Z, a day ago
The wave of the future from a customer perspective is to simplify their sign-on experiences. Millennials often blur their work/life boundaries, email etc. While platforms like Google, Facebook, LinkedIn do today offer security shortfalls - the wave of the future will be to consolidate to a small number of platforms.