social login

Dark Lords of the Internet

Published June 9, 2014 | By Dan Blum

In last week’s Covert Redirects and Perverse Incentives I described an open redirect vulnerability in the OAuth protocol which social login providers may not fix because it would require locking out third parties with slack security practices but lucrative business… Continue reading →

Posted in Dan Blum | Tagged fraud, OAuth, OAuth; social login; fraud, social login

Covert OAuth Redirects and Perverse Incentives

Published June 3, 2014 | By Dan Blum

Covert redirect is a structural vulnerability in OAuth-based protocols. It was widely publicized in early May. Identity and security experts had long known about, but don’t have an easy fix. Once the media learned covert redirect isn’t as serious… Continue reading →

Posted in Dan Blum | Tagged covert redirect, federated identity, OAuth, OWASP, social login, vulnerability management

Managing OAuth Risks in Mobile Applications

Published October 29, 2013 | By Dan Blum

When, not if, endpoints get compromised OAuth tokens and other credentials become collateral damage. That means cyber-attackers may also compromise any resources available through OAuth 2.0, such as accounts at sites accessed through some social login systems or (potentially) HIPAA-protected… Continue reading →

Posted in Dan Blum | Tagged auhorization, IIW, OAuth, social login

Proposed OAuth 2.0 Assurance Session at IIW

Published October 14, 2013 | By Dan Blum

As the morning dawns on the Mountain View Computer History Museum in California, the Internet Identity Workshop (IIW) will begin and I’ll propose an “unconference” session on OAuth assurance. As some of you know and others may see from the… Continue reading →

Posted in Dan Blum | Tagged authorization, federated identity, IIW, OAuth, social login

Federated Identity: Broad or Strong?

Published September 10, 2013 | By Dan Blum

Broad deployments of federated identity have arrived in the form of social login. But in 2013 we find federation on the horns of a dilemma; can it be both broad and strong?

Federated identity, especially in the form OAuth… Continue reading →

Posted in Dan Blum | Tagged authentication, authorization, federated identity, identity management, OAuth, social login, trust, user-centric identity

Social Login Systems May Share too Much

Published August 20, 2013 | By Dan Blum

You thought you heard a click behind that site’s “Sign in with Facebook” button. But did you also hear the inaudible sigh of your personal data disappearing into the maw of yet another application?

Social login is the ability to… Continue reading →

Posted in Dan Blum | Tagged facebook, federated identity, identity management, privacy, social login

Back to the Future (of Federation)

Published August 15, 2013 | By Dan Blum

I recently developed a “history of federated identity” diagram and marveled at how it was similar, in many ways, to slides I created while working at Burton Group in 2004. Let’s take a look at a few diagrams and see… Continue reading →

Posted in Dan Blum | Tagged authentication, authorization, federated identity, identity management, privacy, Shibboleth, social login