Facebook could become an enterprise ID system

Summary: Gartner analyst Earl Perkins noted that identities on the Web may be managed by Facebook even in enterprise IT.


In many enterprise technology corners, Facebook is seen as a security threat, but it may be time for a rethink. After all, Facebook could become your identity management system.

A trio of Gartner analysts talked about security threats for 2013 and the usual suspects were presented: Mobile and targeted attacks are on the radar. However, there was a more notable eyebrow raiser: Identity management providers in the cloud will be halved or acquired by 2015.

What if Facebook became your identity management provider?

Sounds like heresy to some degree, but Gartner analyst Earl Perkins noted that identities on the Web may be managed by Facebook. In retail, Facebook may be the ID gatekeeper. Perkins said that there's a socialization of identities and by the end of 2015, 30 percent of all new retail customer IDs will be based on social media. "There are elements in the social media infrastructure that can be leveraged to bring into the enterprise and do more with to conduct business," said Perkins.

In other words, the login with Facebook ID button will go corporate. Perkins cautioned that there will be serious obstacles to making social media IDs enterprise ready, but it's quite possible.

The arguments for Facebook as a retail enterprise ID system go like this:

  • For many users, social networks are the Internet.
  • Using a Facebook login would lower customer friction.
  • Social identities mean fewer abandoned registrations.
  • Lower costs.

However, the arguments against using Facebook as an ID gatekeeper go like this:

  • ID fraud is rampant. 
  • User authentication is weak. 
  • Customization will slow adoption. 
  • And there are liability concerns.

Despite those issues, the reality is that identities are going social. It remains to be seen if social equates to industrial strength.


Topics: Security, Social Enterprise

  • And the point of Internet-based IDs for the workforce is what?

    Using Facebook, or any other social media content provider, as the solution for "verifying" that the people logging into your enterprise systems are the actual employees they claim to be only makes sense *if the same social media content provider is also providing the enterprise software the employees use to perform their work.*

    Obviously, if I want to post something on Facebook, or (God forbid) I want to use an app on Facebook, then yeah, it makes sense for me to log into Facebook. But if I'm checking my Yahoo! email, for example, I don't use my Facebook login. Number 1, I already *have* a login for my email, so a Facebook ID provides no "added convenience". Number 2, just because I find something in my email that might be interesting to pass on to my friends, doesn't mean I want it automatically broadcasted on Facebook; if I want to share it with friends -- or even only share it with specific friends -- I am more than capable of using the "Forward" or "Reply" buttons in Yahoo! Mail to share the info. And Number 3, my Yahoo! email -- and my Facebook activities -- are my *personal* life, and should *never* be "integrated" with my work life.

    Besides, most employers usually provide you with a work ID that doubles as your username and your work-provided email address, and a majority of websites anymore require you to use an email address as your username, so it's not that hard to manage multiple IDs for logging into different sites & systems. If anything, the problems usually arise when a site or provider implements password expiration requirements instead of higher levels of password strength (i.e. thinking that making you change your password every 60-90 days somehow provides "stronger" protection than instigating "strong password" protocols in the first place).
  • I would never trust Facebook to hold any of my information

    >> Gartner analyst Earl Perkins noted that identities on the Web may be managed by Facebook.

    The more you understand how technology works the less you trust groups like Facebook. Especially to be some sort of trusted repository.
  • Not Everyone Uses Facebook

    I for one still see no compelling reason, or real temptation, to join Facebook. Quite aside from all the probably quite well-founded concerns about security, privacy, etc. This kind of thinking presumes that everyone already participates.

    For that matter, what happens to the business when Facebook is replaced by the next fad, as will inevitably happen? (Remember "The Well"?)
  • What an idea!

    A company whose entire business model is based on exposing your personal data - who has repeatedly changed their policies and settings so as to make it more difficult for users to hide their personal data - who only makes efforts to protect user data when they are forced to:

    use them as an identity service?

    And while we're at it we can get our antivirus software from a Russian cyber-crime family.

    I'm not saying that Facebook is cyber-crime, but a proper identity service THEY ARE NOT!
  • No

    This wouldn't be smart.

    You would be introducing a single point of failure for many services.

    If the Facebook account is compromised so is everything that uses it for authentication.

    Do you trust Facebook to not "accidentally" go through your data outside of Facebook and do whatever with it? Kind of like how Facebook updates made everything you made private public in the past. Also, what is the potential risk with Facebook apps and your other services?

    Is this different than using the same username and password for all of your accounts?

    I do agree some type of unified login would be nice. Too many usernames and passwords for all of my accounts. Maybe an authentication device like what they have with trading accounts and battle.net would be sufficient.
  • Absolutely not...

    Facebook has become way too big, way too powerful, and way too far-reaching. No private company should ever be allowed to wield so much power and influence......especially if that company is run by a narcissistic 27-year-old with (arguably) an improperly-calibrated ethical compass.

    Facebook is not properly set up to be an identity provider. Their security "model" is simply way too loose. Obviously I wouldn't expect someone like Zuckerberg to have a deep understanding of theoretical cryptography - but surely he could hire someone who does - if he cared about such things (which he doesn't). Allowing them to be a provider would not only be a security risk, but would also feed Zuckerberg's delusions of world dominion.

    Even more to the point, using Facebook for ID blurs the line between one's personal and business life, and increases the likelihood of employers learning things about employees' personal lives that are none of their (the employers') business. Should FB users be forced to restrict their social expressions? Should FB users be afraid of what they write in their status updates, or of being tagged in a friend's party photo, or of what targeted ads appear on their pages......lest their boss be offended? I would think not - at least not in an ideal society. People should be able to live out their personal lives away from the eyes of their corporate masters.
  • Don't mix business with pleasure

    If Facebook is positioning to become another Identity Issuer, let's ask what it is that enterprises really need to know about their staff, customers, partners and so on -- and whether Facebook with its x-ray vision into our *personal* lives has anything to offer enterprises. If we work out what the assertions might be, how would Facebook underwrite them exactly?

    And I mean *exactly* -- because liability is what kills off most identity federations. The idea of re-using identity across contexts is easier said than done. Banks have tried and tried again to federate identities amongst themselves. The Australian experience (of Trust Centre and MAMBO) has been that banks find it too complex to re-use each others' issued IDs because of the legal complexity, even when they're all operating under the same laws and regs. So how on earth will business make the jump to using Facebook as an IdP when they have yet to figure out banks as IdP?

    The old saw "Don't Mix Business And Pleasure" turns out to predict the cyber world challenges of bringing social identities and enterprise (and business) identities together. I have concluded that identity is metaphorical. Each identity is really a proxy for a relationship, and most of our intuitions about identity need to be reframed in terms of relationships. These are not simply names! The types of relationship we entertain socially (and are free to curate for ourselves) are fundamentally irreconcilable with the identities provided to us by businesses as a way to manage their risks, as is their prerogative.
    See http://lockstep.com.au/blog/2012/09/28/identity-is-not-a-thing