Pragmatic Approach, Practical Designs, Secure Implementations

Social network platforms like Facebook, Twitter, Google, Yahoo, Windows Live, and LinkedIn have proven to simplify consumer login to ecommerce and informational portals and to promote the use of online services while significantly increasing customer satisfaction.


Multiple recent industry studies have shown conclusive evidence that the ability to use a social network identity can increase user engagement by as much as 80% while retaining all the benefits associated with existing customer accounts. Social networks can be leveraged not only for authentication of existing customers, but also for initial registration, where relevant and verified user information such as name and email address can be transferred directly from the social network if the user grants the proper authorization.

Customer and partner web applications are ideal candidates for integration with social network platforms for authentication and data sharing, including access from mobile platforms. A social identity alone cannot serve as the customer identity; it must be integrated with, or linked into, the existing identity and access management architecture.

To provide secure integration with a social network platform, the following principles should be followed:

  1. Enterprise applications containing non-public information must have their own user identities, i.e. a social network user ID and password alone cannot be used to protect non-public information.
  2. Integration with social network authentication and authorization services can be used for access to non-public information only after successful account association, in which the user proves knowledge of the application account's password.
  3. A social network can be used for initial user registration.
  4. Enterprise applications or access management frameworks can store the social network user ID and security tokens, but never social network passwords.
  5. Enterprise applications must provide user functionality to remove the association with a social network platform.
  6. It should be made clear to the user that, after successful account association, the social network security credentials will provide access to the enterprise application and should therefore be kept secure.
  7. Only a single user account from each social network platform can be associated with an enterprise application account at any given time.
  8. Client-based security credentials, including session tokens, must be validated with the token-issuing authority before being accepted by the enterprise application.
  9. Multiple enterprise applications, each with its own unique set of permissions for each social network platform, should be allowed.
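As an added illustration of how principles 1, 2, 4, 5, 7 and 8 fit together in one account-association flow (example code written for this page, not code from the original article or from any of the named platforms): the application keeps its own password-protected identity; a social identity can be linked only after the application password is proven; the client-supplied social token is checked with a stand-in for the token issuer rather than trusted as presented; only the provider user ID and token are stored; one link per provider is allowed per account; and the user can remove the link. The issuer lookup table, the `AccountStore` class, the user `alice` and all tokens are constructed for the example.

```python
"""Added example: in-memory model of the account-association rules above.
Not code from the original article; every name and sample value here is
constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the token-issuing authority (principle 8). A real
# integration would call the provider's token-info / introspection endpoint;
# here the "issuer" simply knows which tokens it issued and to which user ID.
ISSUER_TOKENS = {
    ("facebook", "fb-token-abc"): "fb-uid-1001",
    ("twitter", "tw-token-xyz"): "tw-uid-2002",
}


def fake_issuer_validate(provider: str, token: str) -> Optional[str]:
    """Return the provider user ID the token was issued for, or None if unknown."""
    return ISSUER_TOKENS.get((provider, token))


@dataclass
class LocalAccount:
    username: str
    salt: bytes
    pw_hash: bytes
    # provider -> (provider user ID, provider access token). Only the social
    # user ID and token are stored, never a social password (principle 4).
    links: Dict[str, Tuple[str, str]] = field(default_factory=dict)


class AccountStore:
    def __init__(self, validate: Callable[[str, str], Optional[str]]):
        self.validate = validate  # issuer-side token check (principle 8)
        self.accounts: Dict[str, LocalAccount] = {}
        self.by_social: Dict[Tuple[str, str], str] = {}  # (provider, uid) -> username

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str) -> None:
        # The application owns its identity and credential (principle 1).
        salt = os.urandom(16)
        self.accounts[username] = LocalAccount(username, salt, self._hash(password, salt))

    def _check_password(self, acct: LocalAccount, password: str) -> bool:
        return hmac.compare_digest(acct.pw_hash, self._hash(password, acct.salt))

    def link(self, username: str, password: str, provider: str, token: str) -> bool:
        """Associate a social identity with an existing account (principles 2, 7, 8)."""
        acct = self.accounts.get(username)
        if acct is None or not self._check_password(acct, password):
            return False  # application password must be proven first (principle 2)
        uid = self.validate(provider, token)  # ask the issuer; never trust the client's claim
        if uid is None:
            return False
        if provider in acct.links or (provider, uid) in self.by_social:
            return False  # one social account per provider per application account (principle 7)
        acct.links[provider] = (uid, token)
        self.by_social[(provider, uid)] = username
        return True

    def login_social(self, provider: str, token: str) -> Optional[str]:
        """Social login grants access only to an already-associated account."""
        uid = self.validate(provider, token)
        if uid is None:
            return None
        return self.by_social.get((provider, uid))

    def unlink(self, username: str, provider: str) -> bool:
        """User-initiated removal of the association (principle 5)."""
        acct = self.accounts.get(username)
        if acct is None or provider not in acct.links:
            return False
        uid, _ = acct.links.pop(provider)
        del self.by_social[(provider, uid)]
        return True


def demo() -> dict:
    """Walk through the flow with constructed data and return each step's outcome."""
    store = AccountStore(fake_issuer_validate)
    pw = "correct horse battery staple"  # constructed sample password
    store.register("alice", pw)
    results = {
        "login_before_link": store.login_social("facebook", "fb-token-abc"),
        "link_wrong_password": store.link("alice", "wrong", "facebook", "fb-token-abc"),
        "link_bad_token": store.link("alice", pw, "facebook", "forged-token"),
        "link_ok": store.link("alice", pw, "facebook", "fb-token-abc"),
        "link_second_facebook": store.link("alice", pw, "facebook", "fb-token-abc"),
    }
    results["login_after_link"] = store.login_social("facebook", "fb-token-abc")
    results["unlink"] = store.unlink("alice", "facebook")
    results["login_after_unlink"] = store.login_social("facebook", "fb-token-abc")
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The point of the `validate` callback is that the provider's user ID is taken from the issuer's answer, not from anything the client sent; a forged or stale token therefore fails at link time and at login time alike, and removing the link immediately revokes social access without touching the application password.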

The other significant benefit of using social networks for user authentication via the OAuth protocol is the ability to protect access to the required backend business systems with the same identity the user used to authenticate to the application. This approach allows applications to access the necessary user attributes and other relevant information with end-to-end traceability and single sign-on.