Where is the Enterprise Authentication in iOS
After Apple added Twitter authentication in iOS 5, iOS 6 will do the same for Facebook.
While some may think this is just another Silicon Valley partnership thingie, I actually think it’s a big deal, even in an enterprise context. And it’s not about pressing LIKE on an app. Read on.
We recently had to discuss several password leaks from sites like LinkedIn, eHarmony and last.fm.I think everyone is perfectly clear that it’s not a good idea to either use weak passwords or re-use the same password over and over again.
But still, if you’re really really honest to yourself you’ll have to admit that you’re doing it. And probably not only once. One of the worst offenders is often the enterprise environment, where you’ll have countless passwords to manage, sometimes (always?) with incoherent password policies. The different requirements, coupled with weird change frequencies, may drive you to re-use passwords, often simple ones, to make life bearable. And insecure.
This is where the Twitter an Facebook integration come in. Both sites support an authentication method called “OAUTH” which allows you to sign into another site (which needs to implement support for OAUTH – see documentation from Twitter and Facebook) with your Twitter or Facebook credentials. Google also supports OAUTH for lots of sites.
Here’s a rough description of how it works:
- You arrive at a new site that offers OAUTH authentication
- You select your identity provider (Twitter, Facebook, Google)
- You’re being redirected to this site where you login and allow the identity provider to pass on your credentials to the new site
- The new site now has some form of credentials (like user ID or screen name) and the verification that those belong to you.
Why’s that a good thing? Let me count the ways:
- No need to give all your data to yet another new site. They just use what you have maintained at Twitter or Facebook (name, user ID, Avatar)
- NO NEED TO GIVE THEM YOUR PASSWORD! They just receive an authentication token, they’ll NEVER see your email adress or password!
- You control the authentication through your OAUTH provider. Check https://twitter.com/settings/applications for Twitter or https://www.facebook.com/settings?tab=applications for Facebook to check which applications already use your OAUTH credentials (it’s good practice to go through these lists every other week to see if everything in there still needs access…)
- You can always revoke the access token.
So, why is this a good thing in iOS specifically? Coming back to my opening paragraph, it’s quite easy to enter a long complex password _once_ in the Twitter and Facebook settings in iOS, then every iOS app supporting OAUTH should be able to ask for your permission without you having to re-enter a password. This makes it A LOT easier to sustain good passwords. If every new app requires you to manually type in a password you’ll be tempted to resort to something you can easily remember, which is kinda counter-productive.
And the enterprise implications? Sorry, we’re not there yet. One reason is that your employer will probably not allow you to loginn to your ERP system using your Facebook login. But what if a more enterprisey OAUTH provider allowed you to do that? With the growing number of mobile applications that might be an important mechanism to secure authentication for mobile enterprise services.
What is your experience with mobile apps and passwords? Are you already using the integrated OAUTH mechanisms? What if you could login to SCN with your Twitter ID? (just thinking…)