{"id":783,"date":"2009-10-06T10:42:01","date_gmt":"2009-10-06T08:42:01","guid":{"rendered":"http:\/\/www.ofcourseimright.com\/?p=783"},"modified":"2009-10-06T10:42:01","modified_gmt":"2009-10-06T08:42:01","slug":"can-the-industry-stop-break-ins-on-facebook","status":"publish","type":"post","link":"https:\/\/ofcourseimright.com\/?p=783","title":{"rendered":"Can The Industry Stop break-ins on Facebook?"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-574\" style=\"margin: 5px;\" title=\"Facebook\" src=\"http:\/\/www.ofcourseimright.com\/blog\/wp-content\/uploads\/2009\/01\/facebook.jpg\" alt=\"Facebook\" width=\"137\" height=\"45\" \/>After my last post, a reasonable question is whether we in the industry have been goofing off on the job.\u00a0 After all, how could it be that someone got their account broken into?\u00a0 Everyone knows that passwords are a weak form of authentication.\u00a0 Most enterprises won&#8217;t allow it for employee access, and we would string a bank CSO up by his or her toenails if a bank only used passwords to access your information. 
They use at a bare minimum <a href=\"http:\/\/www.rsa.com\/node.aspx?id=1156\">RSA<\/a> one-time password tokens or perhaps <a href=\"http:\/\/en.wikipedia.org\/wiki\/Smart_card\">Smart Cards<\/a>.\u00a0 So why are the rules different for Facebook?<\/p>\n<p>They would say, I&#8217;m sure, that they do not hold the keys to your financial data.\u00a0 Only that may not be true.\u00a0 Have you entered credit card details into Facebook?\u00a0 Then in that case maybe they <strong>do<\/strong> hold the keys to your financial data.\u00a0 Even if you haven&#8217;t entered any financial data into Facebook?\u00a0 Are you using the same password for Facebook that you are for your financial institution?\u00a0 Many people are, and that is the problem.<\/p>\n<p>Passwords have become, for want of a better term, an attractive nuisance.\u00a0 It&#8217;s not that the concept itself is terrible, but they are increasingly difficult to secure, as the number of accounts that people hold continues to skyrocket.\u00a0 Yes, the problem is getting worse, not better.\u00a0 My favorite example is the latest update to the <a href=\"http:\/\/online.wsj.com\/public\/page\/iphone.html\">Wall Street Journal iPhone app<\/a>, where the upgrade description says, \u201cApplication Enhancements to Add Free Registration &amp; the Ability for Subscribers and Users to Login\u201d.\u00a0 What a lovely enhancement.\u00a0 Right up there with enhancing the keyboard I am typing on to give me electric shocks.<\/p>\n<p>Facebook is at least making a feeble attempt to get around this problem by offering OpenID access in some limited way (I tried using it from this site, and FB is broken, even though I can get into all sorts of other sites, including <a href=\"http:\/\/www.livejournal.com\/openid\/login.bml\">LiveJournal<\/a>).\u00a0 Still, it probably works for you if you are a <a href=\"http:\/\/www.google.com\">Google<\/a>, <a href=\"http:\/\/www.yahoo.com\">Yahoo!<\/a>, or <a 
href=\"http:\/\/www.myspace.com\">MySpace<\/a> user, but for better or worse those sites themselves do not accept OpenID.\u00a0 (The <em>better<\/em> part is that no one can simply break into one account and gain access to all of these other sites.\u00a0 The <em>worse<\/em> part is that if you have some other OpenID, you can&#8217;t use it with these sites.)<\/p>\n<p>OpenID has lots of problems, the biggest of which is that there is no standard privileged interface to the user.\u00a0 This is something that Google, Yahoo!, and MySpace might actually like, because it means that they provide the interface they want to provide.\u00a0 Unfortunately, programs, or more precisely the authors of programs, might find that a little irritating, since OpenID is so closely tied to the web that it is difficult to use for other applications (like email).<\/p>\n<p>SAML and Higgins to the rescue?\u00a0 OAUTH?\u00a0 Blech.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>After my last post, a reasonable question is whether we in the industry have been goofing off on the job.\u00a0 After all, how could it be that someone got their account broken into?\u00a0 Everyone knows that passwords are a weak form of authentication.\u00a0 Most enterprises won&#8217;t allow it for employee access, and we would string &hellip; <a href=\"https:\/\/ofcourseimright.com\/?p=783\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Can The Industry Stop break-ins on 
Facebook?&#8221;<\/span><\/a><\/p>\n","protected":false},"author":172,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[50,87,11,9],"tags":[222,274,272,276,170,271,273,496,275],"class_list":["post-783","post","type-post","status-publish","format-standard","hentry","category-complexity","category-internet","category-internet-consumer-identity","category-security","tag-facebook","tag-google","tag-higgins","tag-myspace","tag-openid","tag-passwords","tag-saml","tag-security","tag-yahoo"],"_links":{"self":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/783","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/users\/172"}],"replies":[{"embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=783"}],"version-history":[{"count":3,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/783\/revisions"}],"predecessor-version":[{"id":786,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/783\/revisions\/786"}],"wp:attachment":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=783"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=783"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=783"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}