Earlier this week I came across a blog post that stated:
“External parties can connect to a SharePoint environment using credentials from popular social sites such as LinkedIn, Facebook, Twitter, Google+ and Microsoft Account (Live ID).”
My first reaction was, “great, one less online password to remember!” But then I started questioning whether that was a good idea.
Blurring the lines
Usually people use personal accounts for social sites, whereas a company deals with people through their business accounts.
This would blur the boundary between me (Frank as a private person) and me (Frank as a business person, currently employed at XYZ with a job objective ABC). Having both accounts on my mobile device is “bad” enough!
The next challenge arises down the track when I start working for a different organisation (which could be a competitor, a provider, …) with changed business relationships, yet I still have access to the original shared environment. In my experience organisations often have difficulty with people moving jobs (roles) within the organisation. This situation is fairly similar, as the core identifier for authentication stays the same while the role, and with it the access rights, change.
Open Authentication services
I realise the corresponding “business” attempts, OAuth and OpenID, are not very successful. These systems are used by specific sites and have some respective implementations. Most of the ones I know of are IT related (eg Google developer), and whilst OpenID states its benefits for government, it is aimed towards what in New Zealand is called “The Real Me”, a form of personal identification.
Again, it is not appealing for business-to-business authentication at employee level.
The social sites
Of the social sites that AuthentiMate supports, LinkedIn is the closest one I could see addressing the business need.
From a quick personal poll:
- LinkedIn – authentication is personal, purpose is business relationships
- Facebook – authentication is personal, purpose is personal relationships
- Twitter – authentication is personal, purpose is gauging trends and voicing opinions in topics of interests
- Windows – authentication is personal, purpose is IT (business and personal)
- Google+ – authentication is personal, purpose is personal relationships
- Apple – authentication is personal, purpose is IT
However, most people I asked don’t use their business email as the primary email in LinkedIn, because a role can change.
Another aspect is access security from a business perspective. Many people apply a low level of security (password selection and change frequency) to social sites. There is no denying this. We all prefer convenience over security; otherwise this blog post wouldn’t even be coming up!
For personal critical systems (eg banking) people are more careful (hopefully). Social sites are seen as less critical and as such are more often targeted by hackers and spammers. Hence the risk of unauthorised access to a business-critical system is enormous, and uncontrollable by the business, if and when authentication is linked to social sites.
The more I think about it the less appealing it becomes. I recommend thinking twice before linking business tools with public social networks.