Social networking a magnet for single sign-on?

Popularity of social networking sites makes such platforms plausible conduit for one-stop log-in, but security and trust issues stand in way, experts say.
Written by Vivian Yeo, Contributor

The popularity and reach of social networking platforms make these sites a practical conduit for single sign-on (SSO) or universal log-in on the Web, but issues such as trust and security are preventing companies from adopting this model.

The promise of SSO has been around for several years, and there are now various standards around the technology as well as limited implementations, though a truly universal log-in has yet to emerge on the Web.

Regardless, interest in SSO continues to grow and the technology has also matured in the last three years, industry players told ZDNet Asia.

Jeffery Kok, strategic solutions consultant at EMC's security arm RSA, said in an e-mail interview that SSO in the enterprise realm has become a mature foundation technology.

"We have observed greater interest and uptake of server and Web-based SSO solutions in large enterprises, as well as the healthcare and financial services sectors," Kok said.

Gay Chi Sen, Tivoli security leader for IBM's Southeast Asia software group, concurred.

In an e-mail, he noted that early versions of SSO technology required changes to be made on the application, while more recent technologies "hook onto the OS layer" to observe events, automating the sign-on as required.

"There [have been] some very large deployments supporting single sign-on for a very wide range of applications," Gay said. "In many enterprise environments today it is not possible to deploy new applications without certifying them with the SSO solution of choice."

He added that federation technologies such as SAML (Security Assertion Markup Language) have also gained more acceptance in recent years. "With wider acceptance come easier and more scalable integrations, including integration with hosted services," he said.

SSO in social, cloud landscape
More recently, the rise of cloud computing and social media has impacted the SSO market, according to JanRain, a turnkey provider of digital IDs that helped found the OpenID Foundation.

The company's CEO Brian Kissel said in an e-mail interview that the cloud computing model is "ideal for the SSO landscape" due to the dynamic nature of the market.

"New identity providers are entering the market and existing providers are constantly updating their APIs (application programming interfaces) and rolling out new features," Kissel noted.

The impact of social media, on the other hand, is also significant as most consumers have an account with at least one of the several major social networking platforms, he said.

By being a member, each user already has a username, password and profile that he is comfortable using across the Web, he noted, adding that Twitter, for example, is now a "preferred log-in choice" for many users.

Patrick Chan, chief technology advisor for emerging technologies at IDC Asia-Pacific's practice group, said some cloud vendors would want to address that common authentication platform for end-users, but these objectives are still subject to trust and security considerations.

"We do see the possibilities and emergences of cloud software and services bringing that trusted common authentication platform to users in the future but not in the near term," Chan said in an e-mail.

Ease of use is also a key driver, RSA's Kok said, explaining that consumers' desire for ease of interaction between social media and cloud computing services has become the "single biggest business driver" for the adoption of SSO technologies such as OpenID.

"Both identity providers such as Google and Yahoo, and content providers such as Facebook and MySpace quickly adopted consumer SSO technologies like OpenID to provide seamless login between identity providers and content providers," he noted. "This critical competitive edge of usability increases traffic and thus revenue to both identity providers and content providers."

However, he noted that SSO offerings that provide automated authentication to all trusted sites can become high-value phishing targets. He said SSO providers that rely on passwords or single-factor authentication are at greater risk.

Microsoft's senior product manager Joel Sider said in the age of cloud computing, enterprises want to use their previous investments in identity infrastructure to facilitate secure, simple access to cloud applications, while individuals seek to be safe from identity theft and loss of privacy.

"Cryptographic technologies that protect privacy and prevent fraud through the technique of 'minimal disclosure' will be of great importance as we move forward with digital identity and SSO, particularly for consumer and e-government scenarios," Sider said, citing Microsoft's U-Prove technology, announced at the RSA Conference in March, as an example.

Still, he noted that it was unlikely that a single digital credential will exist.

"In the physical world alone, we will continue to have multiple digital credentials to assert who we are and to grant us the associated privileges.

"Different credentials, identity providers and verifying parties will play a role, depending on the situation and need," Sider explained. "The key is ensuring interoperability and simplicity within the various platforms."
