Social networking needs identity delegation strategies

Social networking needs identity delegation strategies

Summary: Ever since Facebook opened its platform to outside developers, thousands of applications have been built on top of Facebook. Some have tens of thousands of users and have become part of the everyday experience for many Facebook customers.


Ever since Facebook opened its platform to outside developers, thousands of applications have been built on top of Facebook. Some have tens of thousands of users and have become part of the everyday experience for many Facebook customers. The viral nature of Facebook means that well designed applications spread like wildfire.

Many of these applications ask users to enter their credentials for some other service so that they can provide a Facebook interface. Unfortunately, users are all too willing to do that if the application offers even a small benefit. Often these applications use the user's credentials to find the email addresses for the user's associates in the service and invites them to start using it.

Suppose, for example, that someone wrote a PeopleSoft application for Facebook (maybe someone already has) that worked through user credentials. When you set it up, it asks for your username and password in PeopleSoft and then authenticates as you and starts digging around. You get a nice dashboard widget of your PeopleSoft data on Facebook, the app gets a ton of data.

In an age where more and more organizations are deploying single sign-on solutions across the enterprise this is downright dangerous. The credentials you give might be the key to everything including your 401K account and direct deposit access on the employee portal. Yipes!

You don't think your employees would do this? After all, it's against policy isn't it? Think again. I found in some non-scientific surveying that people don't equate typing their login credentials into a Facebook application with giving them to a co-worker or friend. You may want to clarify that before the trouble starts.

And yet, in the end, allowing mashing up enterprise applications with other systems, even ones outside the firewall, gives organizations competitive advantage. If nothing else, it means you don't have to build everything and your employees get the benefit of seeing data and information the way they want to. You may not ever want them doing that with PeopleSoft, of course, but there are cases where it makes sense.

Not convinced? Let me give you another type of scenario: more and more organizations are going to online paystubs. You access them with your corporate authentication credentials. Suppose an employee's spouse is the one who does the bills. Do you really think that your employees won't share login credentials with their spouse so that they can access the online paystubs? Don't be naive.

Letting employees and customers share access appropriately without giving them incentives to give away the keys to the kingdom requires better ways of delegating access than sharing passwords. Delegation should be an anticipated interaction model in network applications that we design and build. Unfortunately, many organizations are struggling just to get single sign-on working let alone designing a complicated delegation system into everything. Sit down for a minute and try to design a reasonable, easy-to-use, secure delegation pattern for one application and you'll see how complicated this can be. Got an interesting solution to this problem? I'd love to hear it.

Topics: Security, CXO, Networking, Social Enterprise

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Have a solution...

    Okay, THE solution.
    Already solved it. We've implemented a system at a single client that solves this, and many other problems that IdM solutions just dont solve, or even attempt to solve. But should...
    Anyway, we're working now on generalizing the application for general marketability - I'll let you know when we hit the market (or you'll know anyway... ;-) )
    'Course, if you can arrange an investment, it would go much quicker... :-)
  • RE: Social networking needs identity delegation strategies

    Email authentication and encryption to PKI standards offers a scalable solution. The associated digital signatures map to an individual's email address which can only be shared with someone using the same email cient or a client that has been configured with correctly exported digital certificates. The signing certificates can be presented to authenticate users to any online application. Vendors like Comodo and ConSealMAIL offer afffordable, convenient solutions for individual and business users.