Logging into business systems with social accounts comes with certain risks. Here's what you need to know.

At a software development conference some time ago, I found myself standing in a small circle of software experts, who many would consider titans of their fields. I was introduced by a colleague as the "unknown expert." Suddenly it became apparent how integral a social media presence had become and how much of a missed opportunity it was for me not to pursue one.

You see, I'm one of those people who found the whole social media revolution a bit unnerving, and from the very beginning I decided that I was going to keep my personal and professional life out of the public eye. I had the required social presence on sites like LinkedIn, but never took the plunge with a Facebook page or Twitter handle. And until recently, I had never even written a blog. I'd always thought that posting about my friends and family would open us all up to unnecessary risks. I turned out not to be entirely wrong. There have been horror stories of families posting about their vacation on social media only to return to ransacked homes, and of people being stalked online and harassed into hiding.

While I recognize that my reluctance to engage personally in social media is a little old-school, I do understand that the companies I work with need to leverage social media for business growth and visibility, as well as for granting authentication into their systems for identity and access management purposes. Given this need, let's take a quick look at three risks involved with using social networks and how to safely leverage these platforms.

Social engineering

Social engineering is a topic you should be familiar with, as it has become a popular cybersecurity attack method. It is when an attacker convinces the victim that their conversation (whether by phone, text, email or some other means) is legitimate and that the victim needs to share access or divulge their privileged online account information in order to solve a problem. For criminals engaging in this type of attack, social media offers a goldmine of useful information.

Think of the questions you've been asked to answer as security prompts: questions like what high school you went to, or what your dog's name is. Do you think most of them can be answered with the most basic data collected from your social media? Don't get me wrong, I think that asking personal questions to help make sure you are providing system access to the right person is a good step in the process of identity-proofing your user ... just not if that data is easily found on social media or is something anyone could look up.

Fake accounts

You need to realize that there simply isn't a way to prove exactly who is actually logging in. Sure, the account looks legitimate, but it would only take an attacker a few minutes to create a fake account with the real user's name and picture. Because of the simplicity of counterfeiting a social account, you must always combine it with a second form of authentication.

Consider account provisioning as being in two phases. In the first phase, the user creates their account, and in the second phase the user can link other social accounts to the original one they've already created. This process requires that any time you see a login from a new social account, you must first pair it with an existing, already proven account. I have set this up with my customers so that a user with a new social authentication attempt is forced to log in to their already existing default account and prove they are the owner. In essence, we're linking the two accounts together and providing a second form of authentication through social media. Only after that is done will you allow a user to continue to authenticate using social login.

Lax authentication

Remember that some social sites have very lax rules for enforcing their authentication process. For instance, most of those sites allow for cookie-based authentication, where you don't need to log in if you already have a valid session. An attacker who accessed a user's laptop could navigate to your site to log in and be redirected to the social login site, where they are authenticated automatically using existing session cookies. In this scenario, the attacker has essentially logged into your site without ever being asked for credentials. While some social sites are starting to leverage MFA, you can't just hope that the user has authenticated using any actually trustworthy step.

The bottom line

Consider for a moment that a huge number of the users you are working to protect not only use social media but also prefer to use their social media accounts for authentication. This is a very popular validation method for companies dealing directly with their customers, as well as for big universities, where the younger generations' use of social networks is practically ubiquitous. If you do decide to leverage social media for authentication, remember that it's best to be over-cautious about what information users may be making visible on their profiles and how easy they may be making it to hack into their accounts.

On a personal level, always be mindful of posting data online that could put you or your family in danger, and consider using fake information for authentication questions when securing your identity. This doesn't mean we should discount the technology completely. Using social media for authentication will be more and more popular as time goes on. But you should always treat a social login with skepticism and make sure you have a proper process in place to validate users.
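The two-phase linking process described under "Fake accounts", combined with the freshness check the "Lax authentication" section calls for, as an added Python example that is not the article's or any customer's code. It assumes the social provider's verified token carries an `auth_time` claim (the OIDC claim of that name) and that the primary account holds a pre-shared step-up code; the token values are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

MAX_AUTH_AGE = 300  # seconds; a provider login that only reused an old session cookie is not trusted

@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    second_factor: str                        # assumption: pre-shared step-up code for proving ownership
    linked: set = field(default_factory=set)  # (provider, subject) pairs paired in phase 1

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SocialLoginGate:
    """Phase 1: a new social identity must be paired with an existing, proven account.
    Phase 2: identities paired earlier may authenticate on their own."""

    def __init__(self):
        self.users = {}          # username -> User
        self.social_index = {}   # (provider, subject) -> username

    def register(self, username: str, password: str, second_factor: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, _hash(password, salt), second_factor)

    def social_login(self, assertion: dict, claimed_user=None, password=None, code=None, now=None) -> str:
        """assertion: the already-verified identity token from the social provider (constructed here)."""
        now = time.time() if now is None else now
        if now - assertion["auth_time"] > MAX_AUTH_AGE:
            return "stale_session"          # provider did not freshly authenticate the person
        key = (assertion["provider"], assertion["sub"])
        owner = self.social_index.get(key)
        if owner is not None:
            return f"ok:{owner}"            # phase 2: previously paired, allowed to continue
        if claimed_user is None:
            return "link_required"          # a matching name or picture proves nothing
        user = self.users.get(claimed_user)
        if user is None or password is None or code is None:
            return "denied"
        pw_ok = hmac.compare_digest(_hash(password, user.salt), user.pw_hash)
        code_ok = hmac.compare_digest(user.second_factor, code)
        if not (pw_ok and code_ok):
            return "denied"
        user.linked.add(key)                # phase 1 complete: pair the social identity
        self.social_index[key] = user.username
        return f"linked:{user.username}"
```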