Is social sign-on the next step for online security?
Han van Meegeren was born at the end of the 19th Century in the Netherlands and went on to become one of the world's most prolific art forgers.
A talented artist, the story goes that van Meegeren turned to fraud when he became frustrated by critics' failure to lavish praise on his own original works. He decided to use his undoubted technical skill as a painter to create a new work in the style of Vermeer and pass it off as a hitherto-undiscovered original.
The scam netted him the equivalent of $60m over his lifetime, with one of his paintings sold into the personal collection of Adolf Hitler's right-hand man, Hermann Göring. This particular painting would be his downfall - when the war ended in 1945 and the authorities came to the seller van Meegeren to reunite the painting with its original owner, he refused to answer and was convicted of treason. Admitting that he was the painting's owner would have blown his scam wide open.
Art forgery is still a major problem today, with European experts estimating that as much as half the art on the market could be fake. But the problem of proving that something is as it appears is not confined to the art world. Today we face an increasingly thorny problem: how to prove that we are who we claim to be. This is especially difficult as more and more of our lives move online – in many ways our identity on the internet has become what defines us.
Yet every time we establish a new connection with some online resource or new website, we face the same tedious process of recreating a new identity – an account with that site, a new username and password to remember for next time we visit. And if the next time we visit is in six months or a year, remembering that username and password can be a real problem – for us and the site we are visiting.
We are at a stage now where individuals engage with so many entities online that it has become extremely difficult to remember each and every combination, particularly when a website may be visited infrequently.
In fact, studies show that the average 25-34 year old has 40 online accounts. The solution for most users is to replicate details across many or all of their online services. The security issues here are obvious.
So perhaps a more pragmatic approach would be for each user to work with one standardised online identity, giving individuals the opportunity to connect to sites quickly and efficiently. A single, consistent identity that proves we are who we claim to be.
These are some of the drivers behind the rise of social access solutions. Rather than every site requiring a new username and password, “social access” means using one, standardised social identity to engage with sites and services quickly and easily. Instead of logging in with a username and password specific to each site, users are given the option to access the service with their existing social media profile details.
As the likes of Facebook and Twitter increasingly become centralised hubs for activity in today's digital world, there is an opportunity for them to become the de facto identity providers for frictionless online engagement.
As they grow (Facebook has over one billion users), they will almost certainly become entrenched as a basis for engaging with online stores and government services. This is all the incentive Facebook, Twitter and the rest need to cooperate with sites wanting to provide social access to users. The people running social media platforms are smart cookies, and they have sensed an opportunity.
Not everyone, however, looks forward to a more “identity-centric” web experience. Inevitably concerns about personal data being used in such a way have been raised – who will have access to my social identity, and what can they see? Because social access is still new technology there are still plenty of interesting questions about its use.
For example, we're always told to use different passwords for everything to ensure maximum security and some argue that social access goes against that maxim. The reality is that it's still early days in our understanding of how this approach can be applied, and like any technology its application will fit some use cases better than others. For example, no one is yet suggesting that we will be able to access medical records with our Facebook login anytime soon.
Facebook itself has released figures which show that there are 83 million “fake” profiles on the site, more than the entire population of the UK. Given that Facebook's own rules seek to prevent users from establishing numerous or dummy accounts, this admission is a textbook example of how tricky it can be to prove that we are who we say we are online.
To help combat this issue, complementary technologies could be used to increase the security of social access. Multi-factor or context-aware authentication, which would allow social sign-on to services but only from a certain computer in a certain location, would increase security and enable more sensitive applications of the technology. For now, we should expect to see social identity forming a “lowest common denominator” of authentication with a series of increasingly secure “step-ups” being used to control access to sensitive services.
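The step-up model described above can be sketched as an access decision. This is an added example, not code from the article or from any vendor; the service names, assurance levels and their mapping are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Assurance(IntEnum):
    SOCIAL = 1          # social login alone: the "lowest common denominator"
    SOCIAL_CONTEXT = 2  # social login from a recognised computer and location
    SOCIAL_MFA = 3      # social login plus a second factor


# Constructed mapping of services to the minimum assurance each demands.
REQUIRED = {
    "snow_plough_schedule": Assurance.SOCIAL,
    "job_application": Assurance.SOCIAL_CONTEXT,
    "benefit_payment": Assurance.SOCIAL_MFA,
}


@dataclass(frozen=True)
class Session:
    social_verified: bool   # the identity provider's assertion was validated
    device_id: str
    location: str
    mfa_passed: bool = False


def achieved(session: Session, known_devices: set, usual_locations: set) -> Optional[Assurance]:
    """Return the assurance level this session has earned, or None without a valid login."""
    if not session.social_verified:
        return None
    if session.mfa_passed:
        return Assurance.SOCIAL_MFA
    if session.device_id in known_devices and session.location in usual_locations:
        return Assurance.SOCIAL_CONTEXT
    return Assurance.SOCIAL


def decide(service: str, session: Session, known_devices: set, usual_locations: set) -> str:
    required = REQUIRED.get(service)
    level = achieved(session, known_devices, usual_locations)
    if required is None or level is None:
        return "deny"         # fail closed on an unknown service or a missing login
    if level >= required:
        return "allow"
    return "step_up_mfa"      # context cannot be requested, so ask for a second factor
```

A service absent from the mapping is denied rather than defaulted to the lowest level, so adding a sensitive service without classifying it does not silently expose it to a bare social login.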
The British government is convinced that it can make social sign-on work securely, setting a 2014 deadline by which time citizens will be able to apply for jobs, benefit payments and student loans online using social network login details.
Further afield, the City of New York is already using social access to deliver public services. During snowy weather in the Big Apple, citizens could sign in to city information portals using social login details and check when the snow plough would be clearing their street. When social platforms know your address, the whole process of finding information can be expedited and made more user-friendly.
In the end, a population which uses social media as a standard form of communication will increasingly define itself in terms of social identity, and will expect the businesses and government agencies who serve them to follow suit. Gartner has predicted that half of retail logins will be made through social networks by 2015. Soon we are going to have a new way to prove that we are who we say we are. I wonder what van Meegeren would make of it all?
Geoff Webb is director of solution strategy at NetIQ