Industry News: Facebook Security and Password Management Software
I have talked at length in this blog about following password management best practices: employing a password management software solution that allows for password auditing, automated password reset, role-based access control, multi-factor authentication, and single sign-on as the ideal solution to your password management problems. However, a sound password management policy starts with the basics: using a different password for each of your logins, each composed of a mix of letters, numbers, and other characters.
We all know how complicated this can get. You might have logins to 30 different sites that you actively use: Facebook, Twitter, LinkedIn, Gmail, Google Plus, Outlook, SaaS applications, Basecamp, Pandora, and the list goes on and on. Having a complex, unique password for each can quickly become extraordinarily complicated. This is precisely why your users and employees are using the same, easy-to-remember passwords across many sites.
Today, I was reading on my lunch break, and came across this post: http://www.wired.com/wiredenterprise/2013/10/facebook-yubikey/
The article reports that Facebook, like Google, is internally testing the ability of Yubikeys to deliver more secure access to critical systems, for their employees and beyond.
Seeing this reminded me of the dreaded Facebook Connect. You’ve undoubtedly seen this feature; it’s the feature that allows you to log into many sites using your Facebook credentials simply by clicking the “login with Facebook” button. How many sites can you log into using this technology? According to an analytical tool named LeadLedger, around 16 percent of all websites support Facebook Connect. Let that sink in for a moment.
If the wrong party were to get access to your employees’ Facebook credentials, they would have access to an untold number of sites at the press of a button. If your employee happens to be reusing a Facebook password, this number could be even higher. Which of these are critical sites that affect either your customers or your company? If someone were to get the Facebook password of one of your employees, could they gain access to customer data in Salesforce? What about important files in Dropbox and Google Drive, or confidential emails in Office365? This is a password risk that, in my opinion, is pretty hard to stomach.
So, what exactly can you do about this risk? At the bare minimum, all of your employees should be educated on, and required to use, Facebook’s “Login Approvals” security feature. This feature has been available since 2011, and yet many people do not use it. But they should: it employs two-factor authentication. When someone tries to sign in from an unrecognized source (an unrecognized browser, computer, or mobile device), they will be required to provide an extra piece of information: a one-time code sent to the Facebook account holder’s registered mobile phone. The person attempting to gain access must know the account credentials and have access to the mobile phone. This fulfills the two-factor authentication requirement that a user supply “something they know” (login credentials) and “something they have” (a mobile phone receiving a one-time code).
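To make the Login Approvals flow described above concrete, here is an added example (written for this post, not Facebook's code) of the same pattern on the server side: the password is the first factor, an unrecognized device triggers a one-time code to the registered phone, and the code is single-use and expires. The account layout, the five-minute lifetime, the simulated SMS outbox, and the device identifier are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 300  # assumed policy: a one-time code is valid for five minutes


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    """Constructed stand-in for an account with Login Approvals switched on."""
    salt: bytes
    password_hash: bytes
    phone: str
    trusted_devices: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # device_id -> (code, expires_at)
    outbox: list = field(default_factory=list)    # simulated SMS messages: (phone, code)


def make_account(password: str, phone: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt, _hash(password, salt), phone)


def login(account: Account, password: str, device_id: str, now=None) -> str:
    """First factor ("something they know"). A recognized device is let straight
    in; an unrecognized one gets a one-time code sent to the registered phone."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(_hash(password, account.salt), account.password_hash):
        return "denied"
    if device_id in account.trusted_devices:
        return "ok"
    code = f"{secrets.randbelow(1_000_000):06d}"
    account.pending[device_id] = (code, now + CODE_TTL_SECONDS)
    account.outbox.append((account.phone, code))
    return "code_required"


def approve(account: Account, device_id: str, submitted: str, now=None) -> bool:
    """Second factor ("something they have"). The code is consumed on the first
    attempt, so a wrong guess forces a fresh code instead of allowing repeated
    guesses at the six-digit space; an expired code is rejected the same way."""
    now = time.time() if now is None else now
    pending = account.pending.pop(device_id, None)
    if pending is None or now > pending[1]:
        return False
    if not hmac.compare_digest(pending[0], submitted):
        return False
    account.trusted_devices.add(device_id)  # later logins from this device skip the code
    return True
```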
However, simply using Facebook’s Login Approvals isn’t enough. If you’ve followed our advice previously, you have probably already implemented a strong password policy meant to reduce your password risks. These password policies likely require difficult passwords and frequent changes. This type of policy is certainly safer, but also more complicated; as a result, many of your employees may not be following it closely enough to actually keep your systems secure. Believe it or not, there is a way to make your systems both more secure and easier to access. How?
Take password security out of the hands of your employees altogether. If you employ a password management software solution that provides multi-factor authentication and single sign-on, your employees would never even need to create and remember passwords. All of their systems would be securely accessed through a single sign-on portal that they must access using multi-factor authentication. Gone would be the days of reusing Facebook passwords as their Dropbox or Office365 passwords. If you want to ensure the safety of your systems, and limit the risks of a password breach (e.g. big fines, loss of critical data, decreasing customer confidence), you need to be using password management software.