I was thinking recently about social logins in the context of enterprise mobile computing. There is a growing interest, at least among consumers, in being able to use enterprise mobile applications on their devices based on social login information. The argument goes that if you are already signed in with your Google or Twitter or Facebook ID, then your identity is already known, so why should you have to log in again when you want to use a corporate application?
mBrokers or other forms of enterprise gateways can map social logins to the relevant corporate permissions, so at one level this seems fine. When user Joan Smith is logged in on Google and starts to use an enterprise application, the mBroker picks up the request and can bridge to the required security authority for secure corporate usage. In addition, from the user's point of view the login is multi-channel, which means the same login will survive across different channels such as web browser, mobile, etc.
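As an added illustration of the broker mapping described above (example code, not the author's or any mBroker product's), here is a small policy check a broker could apply once the social provider's token has been validated: it maps the social identity to corporate permissions and, independently of how long the provider's own "remember me" cookie lives, refuses to honour a social sign-in that is older than corporate policy allows. The claim names `auth_time`, `email` and `email_verified` follow OpenID Connect naming; the mapping table and the time limits are constructed for the example.

```python
import time
from dataclasses import dataclass, field

# Constructed mapping: (provider, verified email) -> corporate permissions.
SOCIAL_TO_CORPORATE = {
    ("google", "joan.smith@example.com"): ["expenses:read", "expenses:submit"],
}

# Corporate policy, enforced by the broker regardless of the provider's cookie lifetime.
MAX_AUTH_AGE_S = 8 * 3600          # a social sign-in older than this is not trusted at all
STEP_UP_ACTIONS = {"expenses:submit"}
STEP_UP_MAX_AGE_S = 15 * 60        # sensitive actions need a sign-in fresher than this


@dataclass
class Decision:
    allowed: bool
    reason: str
    permissions: list = field(default_factory=list)


def broker_decision(provider, claims, action, now=None):
    """Decide whether a request carrying validated social-login claims may perform `action`.

    `claims` is the already signature-checked claim set from the social provider
    (token validation is assumed to have happened before this function is called).
    """
    now = time.time() if now is None else now
    auth_time = claims.get("auth_time")
    if auth_time is None:
        # Without auth_time the broker cannot judge how stale the sign-in is, so fail closed.
        return Decision(False, "no auth_time claim; session freshness unknown")
    if not claims.get("email_verified", False):
        return Decision(False, "provider has not verified the email address")
    perms = SOCIAL_TO_CORPORATE.get((provider, claims.get("email")))
    if perms is None:
        return Decision(False, "identity not mapped to a corporate account")
    age = now - auth_time
    if age > MAX_AUTH_AGE_S:
        return Decision(False, "social sign-in too old; re-authentication required")
    if action not in perms:
        return Decision(False, "action not permitted for this account")
    if action in STEP_UP_ACTIONS and age > STEP_UP_MAX_AGE_S:
        return Decision(False, "step-up authentication required for this action")
    return Decision(True, "ok", list(perms))
```

A device left unlocked with a days-old social session therefore gets nothing from the corporate side, and a recent sign-in still cannot submit an expense without a fresh re-authentication.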
However, there are at least two serious issues that need to be borne in mind. The first is that most consumers like to leave themselves logged in to avoid having to keep re-entering the password. The dreaded ‘remember me’ box ensures that cookies keep you logged in to the different services you are using. This might be a limited exposure on a workstation, or even a laptop, which is often only mobile in the sense of being used at home or in hotels, but mobile devices such as smartphones and iPads are much more mobile and may be accidentally left for someone else to use or, more likely, taken by another party. This immediately opens up security holes for the corporate application. The second is that in terms of hacking, while a corporate login mechanism may require knowledge of the particular web addresses or networks / user IDs to attempt unauthorized logins, services like Twitter and WordPress are a totally different matter. It is commonly known that if you run a WordPress-hosted website, for example, you must choose very secure and complex administration IDs and passwords if you don’t want to be hacked by someone with a password generator and loads of time on their hands. Twitter is another area where anyone anywhere in the world can make a concerted effort to hack your ID.
While it may be argued that these problems are not limited to social logins, the issues seem to be worse than for corporate log-in systems. So anyone thinking of allowing social logins for enterprise application access might want to think long and hard, perhaps even (heaven forbid) pushing back and telling users ‘NO’!