SOCIAL, MOBILE, AND THE BUSINESS REASONS
Saturday, November 30, 2013 at 01:04PM
Posted by Jeff the IAM Guy in: oracle, identity access management, social, mobile, facebook, oauth

One of the biggest recent drivers to the fattening of my travel schedule is my customers’ perceived need for a social/mobile strategy. Many of them have ample reason for such a beast, in that they feel strongly that accepting authentications from, say, Facebook will increase their traffic. And it’s true: when you make it easier for somebody to just pop over from an existing online session, without making them cough up yet another id and password, they are more likely to visit more often. And they don’t have to consult their extra text files or Post-Its to find those additional creds.

N.B. Sometimes there IS a benefit to those extra creds, however. You may want to segregate some of your identities, especially when you use them to express strong political views, or download racy pictures.

A number of organizations I’ve spoken to are pretty sure they need a social/mobile plan, but only because of peer pressure, or even managerial pressure. I sat in a meeting a number of months ago with a security chief and his boss’ boss, and that ranking manager had convened the gathering specifically to find out how we could help them with their mobile plans. I asked, simply enough, “What is your business use case?” And, whaddaya know, they didn’t have one of those. They only knew, they should be putting their stuff on mobile. “Which stuff?” I asked again. “Product? Marketing message? Contact info? Just a mobile version of your corporate landing page?”

Too many companies haven’t given this sound thought. Same thing with social. Yes, we want users to authenticate via Facebook. We just don’t know WHY.

I have precious few banks or other financial outfits asking for this. But companies that make textbooks, retailers, those kinds of people definitely are. And for them, it makes sense. But again, you need to know HOW these initiatives serve the BUSINESS. If they don’t, then it’s just noise, and wasted resources. Fine, have a nice mobile version of your homepage. You can always add some kind of ecommerce to it later. But don’t go nuts until you know WHAT PURPOSE it will serve.

Plenty of social sites have been hacked. A well-known news site was hacked a few months ago, and implanted with a phony story about an attack on the White House, causing the market to drop like a rock and wipe out, for a few hours, billions in portfolio value. Plenty of people have creds for news sites so that they can comment on articles. You may have established yourself in many places, and you may leverage those identities to get you to still other sites. And if any of those are compromised, perhaps the compromisers may then assume your identity in ways you haven’t considered.

It’s one of the arguments AGAINST single sign-on: if just that one portal credential is hacked, then every application in your SSO circle can be infiltrated. Okay, so if your Facebook account is hacked, everything you access via FB is vulnerable.

This is why we employ multi-factor, right? Oh, that’s your FB token? Cool. But which IP address are you using? Or which device?
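As an added illustration (not code from the original post), here is how a relying application might apply the “which IP address, which device?” check after a federated login: the social token vouches for the identity, but access is only granted outright when the context matches what we have seen for that user before. The trusted-issuer list, the profile store and the sample values are assumptions; validating the OAuth token itself is assumed to happen upstream.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Issuers we have a stated business reason to trust; anything else is refused.
# (Assumed configuration, not taken from the post.)
TRUSTED_ISSUERS = {"facebook.com", "accounts.google.com"}


@dataclass(frozen=True)
class LoginContext:
    issuer: str      # identity provider that vouched for the user
    subject: str     # user identifier at that provider
    ip: str          # client address seen by our front end
    device_id: str   # device/browser fingerprint or registered device id


@dataclass
class UserProfile:
    known_devices: set     # device ids seen before for this linked account
    known_networks: list   # CIDR strings seen before for this linked account


def evaluate_login(ctx: LoginContext, profiles: dict) -> tuple:
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'.

    Assumes the federated token was already validated (signature, audience,
    expiry) by the OAuth/OIDC library before this policy runs."""
    if ctx.issuer not in TRUSTED_ISSUERS:
        return "deny", ["untrusted issuer"]
    profile = profiles.get((ctx.issuer, ctx.subject))
    if profile is None:
        # First time this external identity shows up: verify it out of band
        # before linking it to anything of value.
        return "step_up", ["unknown account link"]
    reasons = []
    addr = ip_address(ctx.ip)
    if not any(addr in ip_network(net) for net in profile.known_networks):
        reasons.append("new network")
    if ctx.device_id not in profile.known_devices:
        reasons.append("new device")
    # A valid social token from an unfamiliar place or device is exactly the
    # "hacked Facebook account" case: ask for a second factor, don't just trust it.
    return ("allow" if not reasons else "step_up"), reasons


# Constructed sample data for demonstration only.
SAMPLE_PROFILES = {
    ("facebook.com", "10001"): UserProfile({"dev-A"}, ["203.0.113.0/24"]),
}
```

Known devices and networks would be recorded only after a successful step-up, so the profile grows from verified context rather than from whatever the first login happened to look like.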

Because of cloud and federated partnerships, we are asked to trust an increasing number of authentication sources. But we should do so only if we see the critical business need. And then we should still dictate at least some of the terms. If someone says, “Trust me,” we should reply with, “Yeah, okay, just give me a good reason.”

Article originally appeared on Identity and Access Management Framework Book (http://identityaccessmanagementframework.com/).