Is Facebook the new Active Directory?

Social gaming sites like FlipLife and shopping portals such as Groupon are increasingly using Facebook for authentication. This raises the question of whether this will have an impact on authentication and identification services (and catalogue services) like Active Directory for enterprise customers.

In recent months the social network Facebook has improved its website and services in many ways. It is not widely known that it has also improved the capability to use Facebook as an alternative login method for other websites. While most Facebook users only look at changes in the web interface (like the new timeline functionality) or the granularity of the security settings, Facebook has increasingly gained importance outside the Facebook webpage. The “Like” button can today be found on most blogs and web magazines, and the “login with Facebook” button is installed on more and more websites (currently around 25,000). For the end user this option has the big advantage of avoiding re-entering data when signing up for an account or logging in to one of these websites. The user just has to remember a single password – and even this is often not necessary because the Facebook credentials are stored within a cookie on their computer or tablet. Facebook is using its large user base to make this service popular, as well as giving websites access to the data they need from the Facebook profile.

So will this have an impact on authentication to enterprise networks? Given the popularity of Software-as-a-Service (SaaS) offerings like Salesforce.com and Google, this deserves serious consideration. Web-based authentication methods are used for most SaaS services; Google has just implemented their “ID-universum”, which is also used for authentication on notebooks (e.g. the Google Chromebook) as well as for logging on to Google Apps and Google+. In addition, “consumerization” also plays an important role. Authentication may be impacted by concepts such as Bring-Your-Own-PC (BYOPC) and social media tools, which are blurring the boundary between business and private use of services and devices.

Enterprises today make extensive use of Active Directory (AD); this LDAP-based catalogue service is more than 14 years old. Its catalogue supports login processes (including password verification and providing some user data) and provides services such as facilitating software deployment. The services of an AD can of course only be used within a specified environment or domain. AD provides these services using secure authentication and encryption mechanisms like Kerberos. This contrasts with Google and Facebook, which do not use security protocols but are free, simple to use and ubiquitous.

Why might companies outsource their authentication process to a social network? In addition to cost reduction (as no in-house AD infrastructure is needed and end users would maintain their own Facebook profiles) there are other reasons:

  • Consistency with the general trend to outsource non-core activities
  • Why distribute internal flags for user groups when this can also be done easily via a Facebook algorithm? Isn’t the Chromebook’s approach right, logging on to the ‘net and the device at once, as the boundary between the Internet and other environments blurs more and more?

But much as I like this public “single-sign-on” service, we should also consider security. Of course, from a security perspective you cannot compare a profile in a public network with today’s Active Directory environment. Besides the fact that most social networks use user data for advertising purposes, dozens of applications from third-party vendors (so-called social network apps) often also have access to some user data. Additionally, access tokens for websites are often stored as cookies on a local machine, which makes it much easier to attack the system.

The question is therefore whether to replace a rather sophisticated but expensive Active Directory infrastructure with a simpler but (perhaps) less secure mechanism. In reality the full replacement of an Active Directory by a Facebook profile is not going to happen in the short term. However, in the medium term the use of open authentication systems will grow – and the “login with Facebook” and Google buttons will lead this trend.


Korbinian Lehner

Korbinian Lehner is a technology strategy director within the Chief Technology Office and a member of the Atos Scientific Community. In his current role he collaborates with colleagues globally, partners and customers to identify and exploit emerging and disruptive technologies for the benefit of Atos customers. In addition, he is engaged to detect upcoming adaptive workplace market trends and future topics that can involve managed IT services. Korbinian has been in the IT industry since 2002 and is an expert in the market of desktop/workplace services, end-user computing, end-user security and application & desktop virtualization as well as for social media and innovation rapid prototyping. Prior to becoming part of the CTO, he headed the innovation team and led the portfolio for desktop and service desk services at Siemens IT Solutions and Services.

4 Comments

  1. Simon Elliott says:

    Look at this from the point of view of the market.
    The number of AD logins in the market is far less than the number of Twitter and fb logins.
    Identity solutions offered as SaaS will have to compete with them.

    So if you are the person who invents a cool new SaaS collaboration tool, which provider will you design against?

    Increasingly the answer will be fb.

  2. Brian Gammage says:

    Identity needs to move with the user, so the capability to log in using Facebook or Google (etc) credentials is certainly a part of a trend away from domain based authentication. However, enterprises also need a level of trust in the identity of their users that’s far greater than any of the consumer services can currently provide. That gap could potentially be bridged by leveraging “official” identity resources, such as passports or driving licenses that offer a far more reliable baseline.

  3. Andrew Kelemen says:

    Korbinian,

    In implementing a Federated Identity management solution, Facebook was able to do what many enterprises have aspired to do for some time: enable single sign-on across the portfolio of applications that are important to the end user. Facebook did it for obvious reasons: it keeps their users captive, it allows them to collect more and more data on the habits of their users and it opens up the possibility of Facebook moving into more and more business segments. Other providers subscribe to it because they get to “outsource” identity management for free; they only need to trust that Facebook has vetted the person. While enterprises might not go to Facebook to be their directory, they will take these lessons and apply them internally. It is just another example of the consumerization of IT services.

  4. thom says:

    Another issue is the need for x-platform authentication tokens in order to leverage SaaS integration scenarios. An on-premise AD is less likely to support this efficiently than an open authentication platform. Bearing necessary security measures in mind this could also be done by a fb-like or any other social networking platform capable of providing an authentication and identity framework as well as secure validation workflows.
