Single-Sign-On (SSO) and the Cost of Convenience
Yesterday, Facebook announced that they had been breached in a major incident, with a backstory that traces back to some changes they made in 2017.
Criminals used 3 distinct bugs in an elegant symphony to steal access tokens, which allowed them to access not just users’ Facebook accounts but any account those users had ever connected to using their Facebook login.
Facebook first reported 50M users were affected. Then, almost immediately after, they said it was probably more like 90M, even as the investigation was just getting under way. I’d laugh but it’s not funny.
Not to get too far into the boring technical stuff: the incident stems from vulnerabilities that have existed since 2017 (edit: Slate posted more details in an update on 10/1/2018), arising from a combination of weaknesses in several features that Facebook users often use.
In a nutshell, if you use Facebook there are suggestions, good practices that can protect you from future attacks, but none of them can help you after what just happened. The truth is, when you choose to use Facebook, your ability to do anything to prevent long-term damage is limited. Using the platform means trusting Facebook to protect your lost data and make sure it doesn’t happen again.
In other words, you’ve already given up control over such things.
Using Facebook to log in to countless other sites and services, from Etsy to Instagram to LinkedIn to _insert-some-site-you-use-everyday-here_, seems like a good idea: an astoundingly simple and friendly way for people to use their Facebook account to access everything without creating a login for each and every one or remembering a bazillion passwords.
It’s great for Facebook, too, because they want to track all of their users’ behavior both on the platform and outside of it. Trouble is, there’s no easy way to manage the many sites and services a person has allowed Facebook access to, and they add up quickly. After this latest attack, new tools will no doubt emerge to help mitigate this in the future but, for now, good practices are still worth reiterating.
What else do we need to know?
Most people report having no idea whether they have or haven’t used their Facebook account to log into other sites and services across the Web.
- To verify for yourself, in your Facebook account:
  - go to “Apps and websites”
  - then choose “Logged in using Facebook”
  - remove ALL entries in the list
What about your Facebook account?
- Consider not using your Facebook account to log into other sites or services anymore.
  - You can use a password manager to help create and manage individual logins for sites and services, rather than logging into everything using your Facebook account.
- Log yourself out of your Facebook account via the “Security and login” section in “Settings”.
  - This is where to find a list of all the places your Facebook account has been used to log into other places, and where there is an option to log out of all of them. It’s a good idea to do that.
- Enable 2-factor authentication (2FA) in Facebook. Here are some friendly instructions on how to do that. Do that now, too, if you haven’t already.
Honesty in Reporting
Solutions-focused types are only beginning to wrap their minds around why this is a big deal and what constructive outcomes we can hope for. We can expect new tools that allow Facebook and other federated login providers to force a logout from the other sites and services that rely on them. Meanwhile, everyday people will likely never understand the scope of this.
Privacy and security still matter. It’s hard to have one without the other. The best we can do, before, during, or after attacks on them, is to make good choices, even if those choices are a little less convenient.