Killersites Community
LSW

Single Sign On (SSO): Security vs. Convenience


SSO is almost everywhere, and once embedded it is as hard to dig out as a tick. It is a battle I have been fighting for the last year: those in charge want things easy for the employees, and the employees don't want to have to remember lots of passwords. I get it.

But I get paid to worry, and what I see is an attacker breaking the SSO password and now having access to all the applications our employees use, many of which have access to both Personally Identifiable Information (PII) and health information. So the issue is really simple: the user need only remember one password, and the attacker need only break one password to have the keys to the kingdom.

Social logins are the same way. SSO is simply easier for you, isn't it? But now Facebook has lost 50 million tokens that can be used to get into those users' other sites. They can now breach your Twitter account, Facebook account, Google account and what else? If I can now get into your Google account, I can reset things, I can change your telephone number to mine and have your second authorization come to my phone.

Ask yourself: is my mobile phone number available on my accounts? Ever heard of SIM switching? I can call a mobile phone host, create an account and say "I want to come to you, please switch my telephone number", and usually, with little to no checking of authorization, they will activate your number on my new phone. Now I can get access to any account attached to that phone number; I can even empty your bank account.

So what is more important to you? Your security, or your ability to quickly switch between Facebook and Twitter etc. without logging in again?


Experts' View: Avoid Social Networks' Single Sign-On

https://www.databreachtoday.com/blogs/experts-view-avoid-social-networks-single-sign-on-p-2670

Quote

Thanks to Facebook's single sign-on feature, dubbed Facebook Social Login, whoever stole 50 million access tokens from Facebook could have used the SSO service's tokens to log into victims' accounts at third-party services and mobile apps (see Facebook Breach: Single Sign-On of Doom).

Furthermore, Facebook says that because it does not enforce its developer guidelines, it has no way to force a single sign-off for breached accounts. As a result, while it can reset the access tokens for Facebook users, which will automatically revoke them for third-party services that follow its developer guidelines, there are an unknown number of services for which automatic revocation does not work. As a result, those developers will have to manually review and revoke access certificates. But Facebook has offered no details about whether or when it might enforce this guideline (see Facebook Can't Reset All Breach Victims' Access Tokens).

In the bigger picture, security expert Troy Hunt, who runs the free Have I Been Pwned? breach notification service, says the Facebook breach is a warning sign for anyone who might use consumer single sign-on services offered by Facebook, Google, Twitter and other providers.
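The revocation gap the quoted article describes (a provider resets every access token, but only relying parties that re-check the provider's token actually lose the session) is easy to see in a toy model. The following is an added example, not code from the post, from Facebook or from DataBreachToday; every name in it (IdentityProvider, RelyingParty, introspect, simulate_breach) is hypothetical, and the provider's introspection endpoint is simulated with an in-memory dictionary rather than a real API call.

```python
"""Added example: why a provider-side token reset only logs a user out of
third-party sites that re-validate the provider token on each request.
All classes and names here are hypothetical; no real provider API is used."""
import secrets


class IdentityProvider:
    """Minimal stand-in for a social-login provider (Facebook, Google, ...)."""

    def __init__(self):
        self._tokens = {}  # access token -> user id

    def login(self, user_id):
        """Issue a fresh access token for a user (the thing stolen in a breach)."""
        token = secrets.token_urlsafe(16)
        self._tokens[token] = user_id
        return token

    def introspect(self, token):
        """Return the user id behind a live token, or None if revoked/unknown.
        Stands in for a token-introspection / debug endpoint."""
        return self._tokens.get(token)

    def reset_all_tokens(self):
        """Provider's breach response: every outstanding access token is revoked."""
        self._tokens.clear()


class RelyingParty:
    """A third-party site offering 'Log in with <provider>'.

    revalidate=False: mint a local session once and never ask the provider
    again (the behaviour the article calls not following the guidelines).
    revalidate=True: re-check the provider token on every request, so an
    upstream reset ends the local session too."""

    def __init__(self, idp, revalidate):
        self.idp = idp
        self.revalidate = revalidate
        self._sessions = {}  # local session id -> (provider token, user id)

    def social_login(self, provider_token):
        """Exchange a provider token for a local session; None if the token is dead."""
        user = self.idp.introspect(provider_token)
        if user is None:
            return None
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = (provider_token, user)
        return sid

    def whoami(self, sid):
        """Return the user id a local session grants access to, or None."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        provider_token, user = entry
        if self.revalidate and self.idp.introspect(provider_token) is None:
            self._sessions.pop(sid)  # upstream revoked: drop the local session
            return None
        return user


def simulate_breach():
    """Stolen-token scenario (constructed): the attacker holds the victim's
    provider token and has already logged in at two sites before the reset.
    Returns (access before reset, access after reset)."""
    idp = IdentityProvider()
    stolen = idp.login("victim")  # token taken in the provider breach
    lazy = RelyingParty(idp, revalidate=False)
    strict = RelyingParty(idp, revalidate=True)

    lazy_sid = lazy.social_login(stolen)
    strict_sid = strict.social_login(stolen)
    before = {"lazy": lazy.whoami(lazy_sid), "strict": strict.whoami(strict_sid)}

    idp.reset_all_tokens()  # provider resets all tokens
    after = {"lazy": lazy.whoami(lazy_sid), "strict": strict.whoami(strict_sid)}
    after["new_login"] = lazy.social_login(stolen)  # fresh use of the stolen token
    return before, after


if __name__ == "__main__":
    print(simulate_breach())
```

After the reset the stolen token can no longer start a new login anywhere, but the "lazy" site's existing session keeps working because it never asks the provider again; the "strict" site drops it on the next request. That is the manual-review-and-revoke situation the article describes, and the practical takeaway for anyone building on social login is to bind the local session's lifetime to the provider token's validity rather than to a one-time check at login.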
