Euro Security Watch with Mathew J. Schwartz

Access Management , Digital Identity , Fraud Management & Cybercrime

Experts' View: Avoid Social Networks' Single Sign-On

Use Password Managers and Unique Passwords for Every Service and App
Experts' View: Avoid Social Networks' Single Sign-On

Step away from single sign-on for consumer web services.

See Also: The External Attack Surface Is Growing and Represents a Consistent Vulnerability

Thanks to Facebook's single sign-on feature, dubbed Facebook Social Login, whoever stole 50 million access tokens from Facebook could have used the SSO service's tokens to log into victims' accounts at third-party services and mobile apps (see Facebook Breach: Single Sign-On of Doom).

Furthermore, Facebook says that because it does not enforce its developer guidelines, it has no way to force a single sign-off for breached accounts. As a result, while it can reset the access tokens for Facebook users, which will automatically revoke them for third-party services that follow its developer guidelines, there are an unknown number of services for which automatic revocation does not work. As a result, those developers will have to manually review and revoke access certificates. But Facebook has offered no details about whether or when it might enforce this guideline (see Facebook Can't Reset All Breach Victims' Access Tokens).

In the bigger picture, security expert Troy Hunt, who runs the free Have I Been Pwned? breach notification service, says the Facebook breach is a warning sign for anyone who might use consumer single sign-on services offered by Facebook, Google, Twitter and other providers.

"Yet another reason why password managers make so much sense," Hunt says. "I never sign up to a service using social login. I create a new account, generate the password via 1Password then store it there. Think of it as sandboxing all your identities."

Many other password managers - aka password safes - are also available. Regardless of which one you select, the imperative, experts say, is to always create individual, unique logins for every site or service you use. That way, if one site or service gets breached, attackers can't use the same username and password to log onto any other accounts you might have, in what's known as a credential-stuffing attack (see Credential Stuffing Attacks: How to Combat Reused Passwords).

Security and Privacy Concerns

Many other information security experts also recommend avoiding consumer SSO at all costs.

"Personally, I recommend people don't use social media single sign-on services. They represent a security and privacy concern for a number of reasons," Alan Woodward, a visiting professor of computer science at the University of Surrey, tells me.

For starters, "they are a single point of failure outside of one's control," he says. "I'd much rather use a password manager that I control, although obviously they are not invulnerable."

Other problems concern OAuth, which is the framework - not standard - most often used by social media firms to create their SSO services. Unless all developers involved correctly configure, test and implement their OAuth deployments, they may be accessing more user data than they require, as well as exposing users to replay, phishing, credential-guessing and cross-site request forgery attacks, the Internet Engineering Task Force warns (see Phishing Defense: Block OAuth Token Attacks).

"A big concern is that it lends itself to phishing attacks," Woodward says of OAuth. "Set up a fake Tinder site, say, and present someone with a fake Facebook login page and they tend to be less careful about the URLs. They are busy looking at the content of the page."

Likewise, "OAuth implementations have been found to have security flaws previously," he adds. As a result, that can create "a single point of failure that can compromise several accounts across several sites."

Pick One: Convenience, Security

Woodward says it's easy to see why social media single sign-on came to exist: Users - as well as the services attempting to maximize their users' time on their sites - wanted an easy way to pick a strong password, without having to select and manage lots of strong passwords for many different sites.

"The problem is that misunderstands the subtlety of how it works. I know it sounds like sophistry, but SSO is really about authentication to third-party services, not authorization," Woodward says. "It's an important distinction. It means there is always the risk of impersonation if the SSO service is compromised. Again, a password manager will generate and store strong passwords that are different for each service: That is the best way to authorize access to each service."

Password Managers: 'A Good Thing'

Should everyone be using password managers?

"Yes. Password managers are a good thing," says "Emma W." - potentially not her real name - at the U.K.'s National Cyber Security Center, which is part of intelligence agency GCHQ. "They give you huge advantages in a world where there are far too many passwords for anyone to remember."

They do that by allowing users to easily generate complex, unique passwords for every site they use. That way, if any one site gets breached, an attacker can't reuse a victim's username and password on other sites (see Why Are We So Stupid About Passwords? Yahoo Edition).

One caveat, of course, is that users have to remember their master password. "If you forget the master password for your password manager, you will not be able to get back in," she says. "You will have to try and access all your accounts individually, or recreate/reset them from scratch. This will hurt."

While users can store passwords in a browser-based password manager, using stand-alone password management software typically offers much more functionality. Emma W. says she uses both, "for different things."

When should users pick the stand-alone route?

"Compared to browser-based managers, stand-alone password managers tend to do a better job of keeping your passwords available to you on all your different devices, no matter what platform they're on," Emma W. writes. "They give you a little more control over when and where you use your passwords, as you get to press a button to say 'I want to use the password please,' rather than the web page in the browser requesting one when it feels like it."

Some stand-alone password managers will also alert users if a site for which they're storing a password has been breached, thus allowing them to quickly generate a new password.

Are Cloud-Based Password Managers Safe?

Security experts advocate different approaches to password management software. Some have recommended never using any cloud-based approaches to storing passwords or facilitating single sign-on.

"I think it comes down to a question of whether you trust a service," cryptographer Matthew Green, an associate professor of computer science at Johns Hopkins University, tells me. "Facebook poured resources into protecting its login infrastructure and they blew it. An online password manager with a much smaller budget could just as easily make a mistake. I think password managers are great, I just think you should keep them offline."

Always Use a Password Manager

The choice of password manager, as with so many other security tools, remains yours.

But do use one. "Personally, I'd always use a good password manager that generates and remembers strong passwords for me," Woodward says.

Some sites and services, however, could be doing more to encourage their use. For example, some block users from copying and pasting usernames and passwords.

The NCSC has slammed such blocks. "Let them paste passwords," the NCSC's "Sacha B." writes in a blog post.

"What we do need to do is pursue site operators to allow copy and paste, so that it is much easier to use password managers," Woodward says.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.