Killersites Forums

Single Sign On (SSO): Security vs. Convenience



SSO is almost everywhere, and once embedded it is as hard to dig out as a tick. It is a battle I have been fighting for the last year: those in charge want things easy for the employees, and the employees don't want to have to remember lots of passwords. I get it.

But I get paid to worry, and what I see is an attacker breaking the SSO password and now having access to all the applications our employees use, many of which have access to both Personally Identifiable Information (PII) and health information. So the issue is really simple: the user need only remember one password, and the attacker need only break one password to have the keys to the kingdom.

Social logins are the same way. SSO is simply easier for you, isn't it? But now Facebook has lost 50 million tokens that can be used to get into those users' other sites. They can now breach your Twitter account, Facebook account, Google account and what else? If I can now get into your Google account, I can reset things; I can change your telephone number to mine and have your second authorization come to my phone.

Ask yourself: is my mobile phone number available on my accounts? Ever heard of SIM switching? I can call a mobile phone host, create an account and say "I want to come to you, please switch my telephone number", and usually with little to no checking of authorization they will activate your number in my new phone. Now I can get access to any account attached to that phone number; I can even empty your bank account.

So what is more important to you? Your security, or your ability to quickly switch between Facebook, Twitter, etc. without logging in again?


Experts' View: Avoid Social Networks' Single Sign-On



Thanks to Facebook's single sign-on feature, dubbed Facebook Social Login, whoever stole 50 million access tokens from Facebook could have used the SSO service's tokens to log into victims' accounts at third-party services and mobile apps (see Facebook Breach: Single Sign-On of Doom).

Furthermore, Facebook says that because it does not enforce its developer guidelines, it has no way to force a single sign-off for breached accounts. As a result, while it can reset the access tokens for Facebook users, which will automatically revoke them for third-party services that follow its developer guidelines, there are an unknown number of services for which automatic revocation does not work. As a result, those developers will have to manually review and revoke access certificates. But Facebook has offered no details about whether or when it might enforce this guideline (see Facebook Can't Reset All Breach Victims' Access Tokens).

In the bigger picture, security expert Troy Hunt, who runs the free Have I Been Pwned? breach notification service, says the Facebook breach is a warning sign for anyone who might use consumer single sign-on services offered by Facebook, Google, Twitter and other providers.
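Editor's addition (not part of the forum post or the quoted article): the article's point about third-party services where "automatic revocation does not work" comes down to how a relying party (RP) treats the SSO token after login. The constructed Python below models that with a toy in-memory identity provider and two RPs. One validates the token once and then keeps its own session, so a provider-side token reset never reaches it; the other stores the token and re-validates it with the provider on each request, so the reset ends the session there too. Nothing here models any real provider's API; the class and method names are invented for the illustration.

```python
"""Relying-party session handling after an identity provider resets SSO tokens.

Constructed example: a tiny in-memory identity provider (IdP) and two relying
parties. Neither models a real provider's API; all names are invented.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class IdentityProvider:
    """Stand-in for the SSO provider. Maps access token -> (user, expiry time)."""
    tokens: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    lifetime: float = 3600.0  # seconds a token stays valid (constructed value)

    def issue_token(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, time.time() + self.lifetime)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the owning user, or None if the token is unknown, expired or revoked."""
        entry = self.tokens.get(token)
        if entry is None:
            return None
        user, expires_at = entry
        if time.time() >= expires_at:
            del self.tokens[token]
            return None
        return user

    def revoke_user(self, user: str) -> int:
        """Provider-side reset of every token issued to a user (the breach response)."""
        doomed = [t for t, (u, _) in self.tokens.items() if u == user]
        for t in doomed:
            del self.tokens[t]
        return len(doomed)


class CachedLoginRP:
    """RP that asks the IdP once at login and then trusts its own session.
    A later provider-side reset never reaches this service."""

    def __init__(self, idp: IdentityProvider) -> None:
        self.idp = idp
        self.sessions: Dict[str, str] = {}  # session id -> user

    def login(self, token: str) -> Optional[str]:
        user = self.idp.validate(token)
        if user is None:
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        return sid

    def current_user(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid)  # no re-check with the IdP


class RevalidatingRP:
    """RP that keeps the SSO token and re-validates it with the IdP per request.
    When the provider resets the token, the session here ends as well."""

    def __init__(self, idp: IdentityProvider) -> None:
        self.idp = idp
        self.sessions: Dict[str, str] = {}  # session id -> SSO token

    def login(self, token: str) -> Optional[str]:
        if self.idp.validate(token) is None:
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = token
        return sid

    def current_user(self, sid: str) -> Optional[str]:
        token = self.sessions.get(sid)
        if token is None:
            return None
        user = self.idp.validate(token)
        if user is None:
            self.sessions.pop(sid, None)  # token gone upstream: drop local session too
        return user


def demo() -> Tuple[Tuple[Optional[str], Optional[str]], Tuple[Optional[str], Optional[str]]]:
    """Log 'alice' (constructed user) into both RPs, reset her tokens, compare."""
    idp = IdentityProvider()
    cached, revalidating = CachedLoginRP(idp), RevalidatingRP(idp)
    token = idp.issue_token("alice")
    c_sid, r_sid = cached.login(token), revalidating.login(token)
    before = (cached.current_user(c_sid), revalidating.current_user(r_sid))
    idp.revoke_user("alice")  # provider-side token reset after the breach
    after = (cached.current_user(c_sid), revalidating.current_user(r_sid))
    return before, after


if __name__ == "__main__":
    print(demo())  # (('alice', 'alice'), ('alice', None))
```

In a production relying party the per-request validate call would normally be rate-limited with a short local cache (seconds to minutes), which bounds how long a revoked token keeps working instead of making it indefinite as in the cached-login case.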

