The Scientific Community

Is facebook the new Active Directory?

Social gaming sites like FlipLife and shopping portals such as Groupon are increasingly using Facebook for authentication. This raises the question whether this will have an impact on authentication and identification services (and catalogue services) like Active Directory for enterprise customers.

In recent months the social network Facebook has improved their website and services  in many ways. It is not widely known that they also improved the capability to use Facebook as an alternative login method for other websites. While most Facebook users only look at changes in the web interface (like the new timeline functionality) or the granularity of the security settings, Facebook has increasingly gained importance outside the Facebook webpage. The “Like” button today can be found on most blogs and web magazines, the “login with Facebook” button today is installed on more and more websites (currently around 25,000). For the end user this option has the big advantage of avoiding re-entering data when signing up to an account or logging in to one of these websites. The user just has to remember a single password – and even this is often not necessary because the Facebook credentials are stored within a cookie on their computer or tablet. Facebook is using its large userbase to make this service popular as well as giving websites access to the data they need from the Facebook profile.

So will this have an impact on authentication to enterprise networks? Given the popularity of Software-as-a-Service (SaaS) offerings like Salesforce.com and Google this deserves serious consideration. Web based authentication methods are used for most SaaS services; Google has just implemented their “ID-universum” and this is also used for authentication on notebooks (e.g. the Google chromebook) as well as for logging on to Google Apps and Google+. In addition “consumerization” also plays an important role. Authentication may be impacted by concepts such as Bring-Your-Own-PC (BYOPC) and  social media tools which are blurring the boundary between business and private  use of services and devices.

Enterprises today make extensive use of Active Directory (AD); This LDAP-based catalogue service is more than 14 years old. Its catalogue supports login processes (including password verification and providing some user data) as well as providing services, such as facilitating software deployment. The services of an AD can of course only be used within a specified environment or domain. AD provides these services using secure authentication and encryption mechanisms like Kerberos. This contrasts with Google and facebook who do not use security protocols but are free, simple to use and ubiquitous.

Why might companies outsource their authentication process to a social network? In addition to cost-reduction (as no own AD is infrastructure needed and end-users would maintain their own Facebook profiles) there are other reasons:

• Consistency with the general trend to outsource non-core activities
• Why distribute internal flags for user groups when this also can be done easily via a Facebook algorithm? Isn’t the approach of the chromebook right, to logon into the ‘net and the device and the environments beside the Internet blurs more and more?

But much as I like this public “single-sign-on”-service, we should also consider security. Of course, you cannot compare a profile in a public network with a today’s ActiveDirectory environment from a security perspective. Beside the fact that most social networks apply the user-data for advertising purposes, often dozens of applications from 3rd party vendors (so called social network apps) also have access to some user data. Additionally, access tokens for websites are often stored as cookies on a local machine which makes it much easier to attack the system.

The question is therefore whether to replace a rather sophisticated but expensive ActiveDirectory infrastructure with a simpler but (perhaps) less secure mechanism.  In reality the full replacement of a ActiveDirectory by a Facebook profile is not going to happen in the short term. However in the medium term the use of open authentication systems will grow – and the “login with Facebook” and Google buttons will lead this trend.