Trulia recently announced that members will be able to log in to their Trulia accounts using their Facebook login credentials. I think this may serve as a wake-up call in the real estate industry about the power of Facebook integration – even though its use has doubled over the past six months and it has already been implemented on over 2 million other sites – including the DISQUS engine that powers the Clareity Security blog comment system. What a great convenience, to not have to create a new account on each site you visit. But is it good security?
Everyone knows that it’s a security best practice to have different passwords for different web sites – so that if someone compromises one of your logins they can’t access every other site where you use that login. That’s why, when my phone company’s database was compromised, including my password for that site, they contacted me to let me know that, not only were credentials stolen, but there were signs that other customer credentials were being used to access various travel and shopping sites to make purchases – and mentioned the possibility that those login credentials might be used to access bank accounts. My phone company knows that people use the same credentials on other websites. And the more sites on which one set of login credentials can be used when compromised, the greater the level of impact risk associated with those credentials.
So, how trustworthy is Facebook to manage the credentials?
I took a really informal quick poll of 29 Facebook friends, asking two questions:

Do you know anyone who has had their Facebook account compromised?

Do you trust Facebook to manage your logins for other web sites?

Responses to the second question:

| Level of trust | Share of respondents |
|---|---|
| I have a high level of trust | 6% |
| I have a moderate level of trust | 31% |
| I have little trust | 41% |
| I have no trust | 20% |
68% knew someone whose account had been compromised and 61% had little or no trust for Facebook to manage their credentials. I have a pretty good idea of what would happen to those numbers if there were more stories like this one from last year: Russian Hacker Selling 1.5 Million Facebook Accounts and 100M Facebook Profiles Now Available For Download. I expect there will be more such stories, but everyone is going to make a different choice between security and convenience.
For myself, if someone captured my Facebook login credentials – due to a security issue with Facebook or with a computer I was using while logging into Facebook, or due to a Connected site, or a phishing site that only appeared to be using Facebook Connect – I wouldn’t want them to be able to access my bank – or anything connected with my livelihood. Initially, my thinking was that if it were for something harmless, like blog comments, I wouldn’t mind using Facebook Connect. But then I started thinking: online reputation is becoming more precious, and my reputation is of key importance to my livelihood, just as it is for other professionals in the real estate industry. So, if someone gains access to my Facebook account and posts terrible things to millions of connected sites, it would take a lot of work to clean up my reputation. So, the question of which sites we should trust Facebook to manage logins for may be more complicated than whether a site might allow the hacker to engage in financial transactions on my behalf.
This isn’t just a question about how much one trusts Facebook or connected sites – Google, Yahoo!, Twitter, Microsoft, LinkedIn, and many others have similar functionality. I have no doubt that this subject (technically “federated identity”) will be one that will become increasingly visible over the next few years, as more organizations vie to become the keeper of the keys to your online kingdom and the battle heats up among the leaders.