At a software development conference some time ago, I found myself standing in a small circle of software experts, people many would consider titans of their fields. I was introduced by a colleague as the "unknown expert." Suddenly it became apparent how integral a social media presence had become and how much of a missed opportunity it was for me not to pursue one.

You see, I'm one of those people who found the whole social media revolution a bit unnerving, and from the very beginning I decided that I was going to keep my personal and professional life out of the public eye. I had the required social presence on sites like LinkedIn, but never took the plunge with a Facebook page or Twitter handle. And until recently, I had never even written a blog. I'd always thought that posting about my friends and family would open us all up to unnecessary risks. I turned out to not be entirely wrong. There have been horror stories of families posting about their vacation on social media only to return to ransacked homes, and of people being stalked online and harassed into hiding.

While I recognize my reluctance to engage personally in social media is a little old-school, I do understand that the companies I work with need to leverage social media for business growth and visibility, and also want to accept social accounts as a way of authenticating users into their systems for identity and access management purposes. Given this need, let's take a quick look at three risks involved with using social networks for authentication and how to leverage these platforms safely.

Social engineering

Social engineering is a topic you should already be familiar with, as it has become one of the most popular attack methods. The attacker convinces the victim that a conversation (by phone, text, email or some other channel) is legitimate and that the victim needs to share access or divulge privileged account information in order to solve a problem.
For criminals engaging in this type of attack, social media offers a goldmine of useful information. Think of the questions you've been asked to answer as security prompts: what high school did you go to, or what is your dog's name. Most of them can be answered with the most basic data collected from your social media profile. Don't get me wrong, I think that asking personal questions to help make sure you are granting system access to the right person is a reasonable step in identity-proofing a user, just not if the answer is easily found on social media or is a reference anyone could look up.

Fake accounts

You need to realize that there simply isn't a way for a social site to prove exactly who is logging in. Sure, the account looks legitimate, but it would only take an attacker a few minutes to create a fake account with the real user's name and picture. Because counterfeiting a social account is so simple, you must always combine social login with a second form of authentication, and you must identify the social account by the provider's stable identifier, never by the display name, photo or other profile data the attacker can copy.

Consider account provisioning as having two phases. In the first phase, the user creates their account with you; in the second phase, the user can link other social accounts to the account they've already created. This means that any time you see a login from a social account you have never seen before, you must first pair it with an existing, already proven account. I have set this up with my customers so that a user arriving with a new social authentication is forced to log in to their existing default account and prove they are the owner.
In essence, we're linking the two accounts together, and the social identity only ever acts as a second form of authentication layered on an account you have already verified. Only after that pairing is done will you allow the user to continue authenticating with the social login.

Lax authentication

Remember that some social sites enforce very lax rules around their own authentication. For instance, most of them rely on cookie-based sessions: you don't need to log in again if the browser already holds a valid session. An attacker who gains access to a user's laptop could navigate to your site, click "log in," and be redirected to the social login site, where the existing session cookie authenticates them automatically. In this scenario, the attacker has logged in to your site without ever being asked for a credential. While some social sites are starting to offer MFA, you cannot assume that any trustworthy authentication step actually took place unless your application explicitly asks the provider to re-authenticate the user and then checks that it did.

The bottom line

Consider for a moment that a huge number of the users you are working to protect not only use social media but also prefer to use their social media accounts for authentication.
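The two controls described above, link-before-trust for a social identity and forcing a fresh login at the provider, can be put into one gate at the point where the social assertion comes back to your application. The following is an added example written for this post, not code from the original article or from any customer deployment it mentions. It assumes the social provider speaks OpenID Connect, that the ID token's signature has already been verified by the OIDC client library before the claims reach this code, and that the application keeps its own password-based "default" account. The freshness window, the in-memory store and all names are hypothetical.

```python
"""Gate for social logins: reject stale provider sessions and require account
linking before a social identity is trusted.  Added example, not the post's
own code; assumes OIDC and an already signature-verified ID token."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

# Hypothetical policy: the provider must have actually authenticated the user
# within this many seconds, otherwise we assume a reused browser session cookie.
MAX_AUTH_AGE_SECONDS = 300


class SocialLoginRejected(Exception):
    """The social assertion is not good enough to log anyone in."""


class LinkingRequired(Exception):
    """Identity verified but unknown: user must first log in to their default account."""

    def __init__(self, issuer, subject):
        super().__init__(f"{issuer} / {subject} is not linked to any account")
        self.issuer, self.subject = issuer, subject


@dataclass
class User:
    user_id: str
    salt: bytes
    password_hash: bytes
    linked: set = field(default_factory=set)  # {(issuer, subject)}


class AccountStore:
    """In-memory stand-in for the user database (constructed for the example)."""

    def __init__(self):
        self.users = {}        # user_id -> User
        self.by_identity = {}  # (issuer, subject) -> user_id

    def create_user(self, user_id, password):
        salt = os.urandom(16)
        self.users[user_id] = User(user_id, salt, _hash_password(password, salt))
        return self.users[user_id]

    def find_by_identity(self, issuer, subject):
        uid = self.by_identity.get((issuer, subject))
        return self.users.get(uid) if uid else None

    def link(self, user, issuer, subject):
        self.by_identity[(issuer, subject)] = user.user_id
        user.linked.add((issuer, subject))


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def password_matches(user, password):
    return hmac.compare_digest(user.password_hash, _hash_password(password, user.salt))


def authorization_params(client_id, redirect_uri, state, nonce):
    """Query parameters for the authorization request.  prompt=login and max_age
    tell the provider to re-authenticate instead of silently reusing the
    browser's existing session cookie."""
    return {"response_type": "code", "client_id": client_id,
            "redirect_uri": redirect_uri, "scope": "openid email",
            "state": state, "nonce": nonce,
            "prompt": "login", "max_age": str(MAX_AUTH_AGE_SECONDS)}


def verify_claims(claims, issuer, client_id, nonce, now=None):
    """Checks on the (already signature-verified) ID token claims.  Returns the
    stable (issuer, subject) pair; name, picture and email are never used as the
    identifier because an attacker can copy them into a fake account."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise SocialLoginRejected("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise SocialLoginRejected("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise SocialLoginRejected("token expired")
    if claims.get("nonce") != nonce:
        raise SocialLoginRejected("nonce mismatch (possible replay)")
    auth_time = claims.get("auth_time")
    if auth_time is None or now - auth_time > MAX_AUTH_AGE_SECONDS:
        raise SocialLoginRejected("provider reused an old session; fresh login required")
    return claims["iss"], claims["sub"]


def social_login(store, claims, issuer, client_id, nonce, now=None):
    """Phase two of provisioning: a social identity logs someone in only if it
    was previously linked to a proven account."""
    iss, sub = verify_claims(claims, issuer, client_id, nonce, now)
    user = store.find_by_identity(iss, sub)
    if user is None:
        raise LinkingRequired(iss, sub)
    return user


def link_after_step_up(store, user, password, issuer, subject):
    """Pair a new social identity with the default account, but only after the
    user proves ownership of that account with its own credential."""
    if not password_matches(user, password):
        raise SocialLoginRejected("step-up authentication failed")
    if store.find_by_identity(issuer, subject) is not None:
        raise SocialLoginRejected("identity already linked to another account")
    store.link(user, issuer, subject)
    return user
```

The flow is: the application sends the user to the provider with `authorization_params(...)`, and on return hands the verified claims to `social_login(...)`. A `LinkingRequired` result sends the user to the normal login page for their existing account, after which `link_after_step_up(...)` records the pairing; every later social login from that identity then succeeds directly. A missing or old `auth_time` is treated as the attacker-on-the-laptop case from the previous section and is refused even for an already linked identity.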
Social login is a very popular validation method for companies dealing directly with their customers, as well as for big universities, where the younger generations' use of social networks is practically ubiquitous. If you do decide to leverage social media for authentication, remember that it's best to be over-cautious about what information users may be making visible on their profiles and how easy they may be making it to break into their accounts.

On a personal level, always be mindful of posting data online that could put you or your family in danger, and consider using fake answers to security questions when securing your identity.

This doesn't mean we should discount the technology completely. Using social media for authentication will become more and more popular as time goes on. But you should always treat a social login with skepticism and make sure you have a proper process in place to validate users.