More and more we see social media and other application sites on the Internet providing single sign-on (SSO) as a feature or service to their visitors.
I’m sure you’ve visited a site and seen an invitation to log on using your Facebook or Google+ credentials. Many times, these sites also encourage you to share articles to Facebook, Google, or other sites. Amazon recently joined this trend and announced Login with Amazon for their customers to use.
You undoubtedly enjoy the convenience of SSO. After all, it reduces the number of different accounts and passwords that you must remember, and that’s a good thing. Right?
Well, it’s not quite that simple. Any time a company offers you an SSO service, remember that their primary motivation is to find some way to monetize their relationship with you, the consumer.
For example, Amazon wants to make it easy for you to use your Amazon ID and password to log on to their affiliate sites. It increases the value of the affiliate’s relationship with Amazon. If an affiliate chooses to use Amazon credentials, that reduces or eliminates the time and effort required for them to create and manage their own authentication system. It also has the (desirable from Amazon’s perspective) effect of making Amazon “more sticky” for the affiliate. Facebook, Google+ and other social media sites have similar motivations. But this is a potential problem for several reasons.
First, in many cases, these sites already know a great deal about you. For example, if you completely fill out your Facebook or LinkedIn profile, you share some very personal information with them, such as your date of birth, location, where you work, who you have a relationship with, what kind of job you have, and your personal interests in music, art, politics, etc. While these sites have privacy policies, these policies vary from site to site and country to country, and the vendor may have the right to change them without providing you with notification.
Second, some sites share data with advertisers and other related entities unless you choose to opt-out. This puts the burden on you to define the limits of how they share your personal data. Unfortunately, many people either don’t know how or don’t take the time to review and act on the opt-out process. And like the privacy policies, companies may find ways to reset your choices and the laws governing this activity may vary or change.
Third, these sites are limited in their ability to enforce, or even encourage, strong password policies. As my colleague Janne detailed in his post “The Password Problem”, many people use the same password for multiple sites. This makes it easier to remember the password, but also increases the risk to you if your password is hacked or compromised. When was the last time you checked to measure the strength of your password? When was the last time you reset a password because it had been the same for too long?
For these and other reasons, think twice before you choose the convenience of social media SSO. You may be sharing more data than you bargained for.
To learn more about a solution that doesn’t monetize your information or your company’s, visit our website to read about our new McAfee Cloud Single Sign On version 4.0, or connect with one of our Identity experts.