[OPLIN 4cast] OPLIN 4Cast #321: "Social login" authentication
Editor
editor at oplin.org
Wed Feb 13 10:31:31 EST 2013
February 13th, 2013
Unless you spend very little time on the web, you've
probably been to sites that require you to log in, but give you the
option of using your Facebook or Twitter (or some other) account to log
in instead of creating (and remembering) yet another username and
password. This "social login" option is popular with the public, but can
create problems when the computer code running in the background is
configured poorly. That's what happened to people on many websites for a
short time last Thursday, when using their Facebook login on other sites
took them to a Facebook page instead of the website they wanted. Social
login can also lead to some security problems. So it may not be
time (yet) to let your patrons access their library accounts using their
social media accounts.
* Fraud could rise if retail customers use Facebook login
<http://www.scmagazine.com/fraud-could-rise-if-retail-customers-use-facebook-login/article/279490/>
(SC Magazine/Danielle Walker) "'[T]he lack of identity proofing and
weak authentication for social network identities can expose
merchants to more fraud,' Gartner said. 'Service providers therefore
have to defend themselves. They may allow social network
registration, but augment the process with additional controls when
a retail site provides access to sensitive data and monetary
transactions.' The trend will, however, fuel higher demand of
specialized vendors that support the use of social networking
identities through 'open standard,' or publicly available,
authentication systems like OpenID or OAuth, which are used by sites
like Twitter and Facebook, [Gartner Research VP Ant] Allan said."
* Facebook hijacks Internet sites for an hour Thursday afternoon
<http://readwrite.com/2013/02/07/facebook-hijacks-internet-sites-for-an-hour>
(ReadWrite/Dan Rowinski) "The Facebook connection was not just
passively disrupting sites, as Web plugins sometimes do, but
actively dragging users away from their destination sites to
Facebook's own platform. Developers at Say Media, ReadWrite's parent
company, believe that the problem was caused by Facebook Connect
having problems with oAuth authentication that allows users to sign
into a site using their Facebook profiles."
* Twitter clients stay signed in with pre-breach passwords
<http://www.theregister.co.uk/2013/02/04/twitter_oauth_apps_logged_in_with_old_passwords/>
(The Register/Simon Sharwood) "Twitter spokesperson Jim Prosser did
not deny that clients can continue to access the service even after
passwords have been changed, and told /The Reg/, by email, that
'TweetDeck and other clients use [open authentication standard]
OAuth, so as long as you don't sign out, you don't have to re-input
your credential every time you open the app.' Prosser has also
pointed out that the situation described above is an OAuth token
issue, not a password issue."
* Google's continuing odyssey to sink passwords
<http://www.zdnet.com/googles-continuing-odyssey-to-sink-passwords-7000010307/>
(ZDNet/John Fontana) "What hasn't changed, however, is the Achilles
Heel that affects Google and other consumer identity federation
schemes - the relying party role. These are the Web sites that leave
it up to companies like Google, Yahoo, Microsoft, Facebook and
others to issue identities. The relying party is the one that
accepts those credentials for authentication and must check with the
issuer (known as the IdP) to confirm they are valid. The relying
party problem is akin to not having any merchants (relying parties)
that will accept your credit card."
*/Graphic fact:/*
There's a nice graphic on the Wikipedia OAuth page
<http://en.wikipedia.org/wiki/OAuth#OpenID_vs._pseudo-authentication_using_OAuth>
that illustrates how OAuth and OpenID work in simple terms.
------------------------------------------------------------------------
The */OPLIN 4cast/* is a weekly compilation of recent headlines, topics,
and trends that could impact public libraries. You can subscribe to it
in a variety of ways, such as:
* *RSS feed.* You can receive the OPLIN 4cast via RSS feed by
subscribing to the following URL:
http://www.oplin.org/4cast/index.php/?feed=rss2.
* *Live Bookmark.* If you're using the Firefox web browser, you can go
to the 4cast website (http://www.oplin.org/4cast/) and click on the
orange "radio wave" icon on the right side of the address bar. In
Internet Explorer 7, click on the same icon to view or subscribe to
the 4cast RSS feed.
* *E-mail.* You can have the OPLIN 4cast delivered via e-mail (à la
OPLINlist and OPLINtech) by subscribing to the 4cast mailing list at
http://mail.oplin.org/mailman/listinfo/OPLIN4cast.