RE: [outages] facebook slow

From what I'm aware of the US is currently experiencing issues
with FB, Instagram and LastPass. The latter is impacting business for
us. Coincidence? Maybe. The root cause will certainly be
interesting.

Why don't you just write all your password on big sheets of construction paper and put them on the front of the building or in the nearest Starbucks?

That way you won't have it "impacting business" and your passwords will be more secure ...

I'm going to go out on a limb and say that with all the problems inherent in
using a social media account as an authenticator, for 95% of sites it's still
more secure than if they attempted to create their own authentication system.
Having even less security expertise than Facebook, they will probably get it wrong
(possibly in a subtle fashion that gets quietly exploited for years, and
possibly in a spectacular fashion that makes it on the evening news).

There's the additional factor that security is always about trade-offs - for
many sites, the dangers of using social media logins are *far* outweighed
by being able to just have a big shiny "Log in using Facebook" button instead
of making the user set up an account, pick a password, send them a verification
e-mail, then they have to read their e-mail and click on the link. Do that, and
they just left for another site. Doesn't take many people leaving for another
site before any added "security" added by doing authentication yourself is
outweighed by lost traffic.

[...]

There's the additional factor that security is always about trade-offs - for
many sites, the dangers of using social media logins are *far* outweighed
by being able to just have a big shiny "Log in using Facebook" button instead
of making the user set up an account, pick a password, send them a verification
e-mail, then they have to read their e-mail and click on the link. Do that, and
they just left for another site. Doesn't take many people leaving for another
site before any added "security" added by doing authentication yourself is
outweighed by lost traffic.

What is better for the site could be diametrically opposed to what is
good for the end user. (Yet another trade-off.)

Personally, the process of setting up a separate account for
each site is a hoop I require before I will sign up for/with a service.

I don't *CARE* if the individual site is compromised, as long as my
other logins are disconnected from it completely. (For me, that means
separate usernames and password pairs for each site.)

I suspect there is a choir here to which I am preaching...

[snip good analysis]

However, there can be little doubt at this point that all major social
media sites have long since been thoroughly compromised. Of course
they have: the attacker budget for doing so is enormous, easily
enough to bring to bear advanced cryptanalysis techniques, judicious
deployment of exploits including home-grown 0-days, and the assistance of
willingly/unwillingly co-opted insiders. Meanwhile, the defenders have
shown themselves to be stunningly inept and have accrued a long-term
track record of massive data breaches almost too numerous to catalog.
(And those are just the ones we know about to date. Surely there are
more waiting in the wings.) This isn't really surprising: after all, it's
not *their* data, so why should they invest time and money in securing it?

Sadly, your point about the difficulty of creating homegrown authentication
systems is also accurate. Therefore: we're just screwed.

---rsk

My concern against using FB for authentication is this: Does using FB login give the site read access to my profile, friends, etc? My profile is set to private to keep advertisers at bay. In the early years Facebook warned users that clicking on an external link would grant such access.

matthew