Facebook authentication - Like?
As Cisco teams up with Facebook to offer authentication for public Wi-Fi, is this option safe for businesses?
The ubiquity of public Wi-Fi is a blessing and a curse. It can be very convenient as a quick, easy and usually cheap way of getting online when you are away from home, the office or abroad, and it is perfect for firing up the laptop or tablet and getting a bit of work done while you sip a coffee.
On the flip side, there is no way of knowing how safe a public Wi-Fi network really is. It is possible the important work email you have just sent over a latte is being read by someone other than its intended recipient.
Unsecured Wi-Fi networks are a godsend for cyber criminals; any information sent across them – whether it’s log-in details for your company email or your favourite website or payment information – can be intercepted.
That is how Google ended up grabbing private data from unsuspecting people across the world. Its Google Street View cars collected unsecured and unencrypted data as they drove around the world. The collected data included IP addresses, usernames, passwords, emails (metadata as well as content) and internet usage history. Google has so far paid out millions in fines across the world as a result of its actions.
A poorly secured Wi-Fi network was also behind one of the biggest cyber thefts of all time. In 2007, US retailer TJ Maxx left a Wi-Fi network inadequately secured and hackers used nothing more than an antenna and a laptop to intercept traffic as it moved across. Using stolen information, they gained access to a central server and made off with the details of 500,000 people and 45 million credit and debit cards.
The truth is it is difficult to know how secure a public Wi-Fi network really is. But sometimes you have to connect to one, maybe to send an important email, attend a meeting online or download a must-have document.
Ease of use
Often when you do find somewhere offering free Wi-Fi, the authentication process can be laborious: a long, complicated password containing upper and lower case letters as well as numbers; a one-time username and password combination that gives you 45 minutes’ access before it cuts off; or a password sent as a text message to your phone.
That is where an initiative from Facebook and Cisco could come in. Called Cisco Connected Mobile Experiences (CMX) for Facebook Wi-Fi, it enables people to sign in to public Wi-Fi via their Facebook account. Checking in at a venue grants the user access to the wireless network. It aims to make signing on to public Wi-Fi much quicker and easier for the customer and benefit the supplier by enabling them to push customer offers to those Facebook users who have checked in.
Cisco’s role is to provide the wireless infrastructure, with access points sold via its subsidiary Meraki and APIs that Cisco offers through its Connected Mobile Experience platform.
The user will have to deal with targeted adverts popping up and will have to publicly “check in” to wherever they are, but apart from that, the procedure for getting on to the wireless network should be painless. But what are the drawbacks? And how safe is it?
Fake log-in pages
According to Andrew Buss of analyst group IDC, logging in through Facebook could in fact be a more secure way of using public Wi-Fi.
“Public Wi-Fi is notoriously difficult to secure,” he said. “How do you trust the sign-in page you give your details to? There are examples of people setting up fake pages with fake log-in and payment info. I think wildly trusting any public Wi-Fi hotspot through a Facebook log-in probably doesn’t hit the mark.”
“As with any public Wi-Fi connection, any sensitive information should be hidden away and avoid where possible giving personal information and payment details. Be sensible and treat it in the same way as any open connection.”
Individuals would be forgiven for worrying about what happens to their data when they connect via Facebook, but the social network points out users can make the check-in private, so it doesn’t appear on their news feed. In addition to this, data sent to the merchant – which includes age, gender and other demographic data – is anonymous. If a user doesn’t have a Facebook account, or simply does not want to use it to authenticate, then suppliers will offer a more traditional way of logging on, Facebook said.
Protecting corporate data
But what of those workers who may be on a work laptop and need to get online when away from the office? Then the issue becomes one of protecting corporate data, not just personal data, according to Simon Shooter, partner at law firm Bird & Bird. Using public Wi-Fi and authenticating via Facebook, rather than a company’s own system, could expose the corporate network to malware and other cyber attacks.
“Looking after data is a company’s own responsibility,” Shooter said. “One of the possibilities of the new EU directive – which is still very much up for discussion – is that companies will be under obligation to take prudent measures to protect themselves against cyber attacks.”
“If, for example, it was identified that access through Facebook and/or public Wi-Fi was a gap in your armament, then not having a policy statement that says staff may not use these services may make it difficult to prove you had adequate defences in place.”
Both Shooter and Buss agree businesses will find it very difficult to stop workers using free public Wi-Fi, and that workers will often bypass tough security measures if there is a quicker and easier alternative. Authenticating via Facebook to get online with one click is an easy step to take, but then workers will often skip the next step, such as connecting to a VPN, if that is a complicated procedure.
To discourage users from taking the easy option and risking exposure of corporate data, businesses should make it easier for workers to connect to a secured network.
“If it’s not as easy to do it in the proffered way, people will always find an alternative way,” said Shooter. “People default to what’s easy. But from a corporate point of view you want to have a commonality of log-in points. So you’re ensuring your devices are marshalled at the same point; herding your staff through a common gate is the way to go.”
Buss added: “I’m all for something that makes it much easier to sign in, especially in today’s age of smartphones where you have to keep typing in usernames and passwords; it quickly becomes tiring. However, I really can’t see the need to tie-in with Facebook. If you’re providing it as a service, a business shouldn’t need to acquire identity information. Clicking an ‘accept terms and conditions’ button should be enough.”
“The main thing is to try to avoid sending sensitive information over a public network. If you have to do it, make sure it’s through a VPN with a secure connection, and make sure you’re using your own device rather than a public one.”
The future of authentication
Ultimately, it is advisable for businesses to discourage workers from using public Wi-Fi where possible, and it is difficult to see how this Facebook initiative will help improve security and data protection in enterprises. If individuals want to use it, then it is certainly a quick and easy way to get online, and should not compromise personal privacy any more than other Facebook activities and general web habits do.
It is likely authentication of this sort will be on the rise over the next few years: merchants get to send targeted adverts and offers to users, as well as increase their profile on Facebook, while users get a quick and easy way to access free Wi-Fi. The key for businesses is to ensure workers are aware of any policies regarding accessing sensitive information over a public network and, where possible, ensure any public network is supplemented by something more secure, such as a VPN connection.