UK government’s Facebook login proposals don’t hold water

Using Facebook login credentials to access UK government services? Yea, we can see a problem with that...
Using Facebook login credentials to access UK government services? Yea, we can see a problem with that...

“There’s been a lot of press comment about the programme today and we’re delighted to see that we’re (mostly) managing to get our message across – because this can all get quite complicated.” The key ideas according to the government spokesman are that it will not involve a large central government database of identities, and “users will be in control of their own information.” The basic concept is that government customers will be able to use the login details from their own preferred social network, or other approved service, in order to access government services.

Much of the subsequent public discussion revolved around whether this could indeed be ‘national identity’ by the back door, or whether it would require social networks such as Facebook to demand even more information from their users in order to verify individual identities. But there has been little discussion of the pure security side of the proposals.

Gavin Watson, senior security engineer and head of the social engineering team at RandomStorm is one expert who doesn’t believe the government’s proposal stacks up. “The government’s argument,” he told Infosecurity, “that sharing social media logins with government services will help to put security back in the hands of citizens and reduce login fatigue, does not hold water because there is ample evidence of people using the same passwords across multiple sites, even for their online banking.”

Watson accepts that other sites already use a similar principle; but he added, “these are normally restricted to sites that have some relationship to each other, such as the music streaming site Spotify allowing Facebook credentials to be used, and the social media influence site Klout accepting Twitter login. These sites have a direct relationship, so this login share makes sense.” He points out that, “A person’s true identity is not verified before they are given social media profile: it’s not like applying for a passport. There are plenty of examples of people creating profiles for their pet animals, or posing as celebrities on Twitter.”

Earlier this month Facebook announced that it had reached one billion users – leading to much conjecture on how many of these are genuine accounts (see, for example, the satirical cartoon by joyoftech.com). Watson is concerned that if it is this easy to create Facebook accounts, it might be this easy to fool government websites.

But Watson’s primary concern is the ease with which passwords have been stolen over the last year coupled with users’ tendency to reuse them on multiple sites. “In my view,” he told Infosecurity, “this is simply lowering the security threshold and encouraging people to be lazy about protecting their online identity. If one site gets compromised, they all do. As government services with a monetary value move online, then identity will become currency. Hacking access to a person’s online welfare services would cause genuine hardship and I would urge the government to think again.”

What’s hot on Infosecurity Magazine?