
It's a great tool. But is it the right tool for the job?

Increasingly, web sites are allowing people to log in using one of their existing social networking accounts. And for good reason: it makes life easier for users. Instead of having to sign up for a new account and remember which login and password they used for a site, users can log in with their account at Twitter, Facebook or another service. That can overcome the reluctance a potential user might have to create an account at a site. The user just logs in with whichever service the site allows and boom! The site has another user it might not otherwise have had.

Sounds great. Maybe we should use these social networking accounts to login everywhere. Why not use our Twitter or Facebook login to access our work accounts, too? At least that’s what a guest author on ReadWriteWeb suggested.

While I think enabling those types of logins on a customer-facing site is great because of how much easier it makes things for users, it's not a good idea when dealing with corporate accounts and employees. The first problem is that people get phished all the time on those accounts. Plus, people often reuse the same logins and passwords across multiple social networking accounts. That means that if hackers compromised any of those accounts, they could probably gain access to your company's servers.

On the other hand, there are those people who wouldn't want their social networking accounts tied to their jobs. That could be due to a fear that they are potentially giving their employers access to their social networking accounts. So they would just open another account solely for the purpose of accessing work resources. In that case, you haven't gained anything, and you have handed control of the system used to authenticate your users to a third-party company that you probably aren't even paying. That means they aren't as motivated to ensure that their servers are up when you need them to be. If they need to take their servers down in the middle of the day for some reason, a portion (or all) of your users won't be able to work, and there will be nothing you can do to fix that.

You could also run into problems if the company ever changed the way it handled authentication and its APIs. And don't forget to think about what would happen if one of these companies went out of business overnight, or was acquired by another company and integrated into the acquirer's authentication system. Either example could be a nightmare at best and a disaster at worst.

Now, the original post on RWW said that its suggestion was counterintuitive. I agree with that, but I would go further and say it's dangerous. Human nature being what it is, allowing users to log in to their corporate accounts using Twitter or Facebook is not a good business decision. In fact, it's a very bad one.
