April 11, 2018
My fellow Forrester analysts have been covering the data and privacy implications of the Facebook/Cambridge Analytica scandal in several excellent blog posts, such as this one and this from yesterday, but this scandal has highlighted some CIAM-specific implications that CISOs and CMOs need to assess, particularly around the future role of social login.
For those unfamiliar with the concept, social login enables users to create accounts at websites using their existing social identities to avoid having to create yet another username/password combo. This approach reduces friction during the authentication process, can improve user engagement, and is offered at a wide range of B2C sites. Social login also delivers more than user experience benefits; for business and marketers, it provides the opportunity to collect more data about customers, such as demographic data and other interests, all of which can be used to improve targeting and personalization.
Social login adoption can vary greatly and often depends on the target user demographic and factors such as whether it is done via a mobile app or desktop browser. Facebook is the most commonly offered social identity provider (along with Google+, Twitter, and LinkedIn). Based on discussions with clients, Facebook is also usually the most commonly used social identity provider.
This is why CISOs and marketers need to pay attention to recent specific changes to Facebook Login. These changes were announced by CEO Mark Zuckerberg on March 21, but further details were provided in an April 4 announcement from CTO Mike Schroepfer. These changes reduce the data a user provides to an app at signup and limit the type of Facebook data that apps can access, including removing a developer’s ability to request data if the user has not interacted with the app in three months.
While these are all prudent steps that will improve user privacy, it raises real questions about the efficacy of social login with a Facebook identity. The impact is twofold. One, users’ loss of trust in Facebook (and any other social identity by association) could reduce the likelihood of users even wanting to sign up with a social identity. Two, the new data-sharing restrictions reduce the personalization options and may make social login unattractive to marketers.
Even if social identity does not have high adoption, these changes could drastically alter the role of social identity/login and force companies to return to requiring users to create usernames/passwords and deal with the resulting account login support chaos. This also makes it incumbent on organizations that want to use social login to provide very explicit detail about what data they’re using from social identity providers and how they’re meeting data collection policies.
It’s too early to assess the longer-term implications of Facebook’s change, but if your organization is currently using social login for B2C use cases (or planning to support it in future), this is something to monitor. It may also lead to CIAM vendors changing their road map as they prioritize other integration and authentication features over building broad social identity provider support.
The other IAM issue relates to Facebook’s suspension of its search and account recovery feature. This feature allowed people to enter someone else’s phone number or email address to help locate friends. Based on the post, it appears that fraudsters abused it to scrape public profile information.
The news is also relevant to any organization that allows some form of account lookup or recovery feature and means that it’s worth looking at such processes to see if the mechanisms can be compromised. One example is designing the “forgotten username” UI so the site does not return a confirmation that the username was found. Instead, it should just state that the information will be sent to the email address on file. This helps obscure whether the user has an account at a site and is a useful defense against hackers.
Special thanks to my S&R colleagues Stephanie Balaouras, Andras Cser, and Nick Hayes for their review of this blog.