Is Bring Your Own Identity a security risk or advantage?

Questions abound over sites authenticating users via identities established through social networks, Yahoo Ponemon Institute survey shows.

The "Bring Your Own Identity" (BYOID) trend in which websites let users authenticate using identities established through Facebook, LinkedIn, Google, Amazon, Microsoft Live, Yahoo or other means raises some questions in the minds of IT and business managers. And a survey conducted by Ponemon Institute shows a vast difference in how the IT and business sides think about this so-called BYOID method of authentication.

Ponemon asked 1,589 IT and security practitioners and 1,526 business staff personnel, many of them in managerial roles, about what they thought about BYOID and whether it could be used to simplify online authentication for everyone from employees to contractors to retirees to website customers or mobile customers. Both the IT and business sides said they considered BYOID as a way to simplify interactions with customers on the web and mobile devices. Both sides saw it as a way to make registration of new customers easier for them and the organization, plus possible cost reduction related to forgotten passwords and other sign-in problems. But beyond that, the IT and business personnel had differing perspectives about BYOID.


Three-quarters of the business staff answering the survey saw BYOID mainly as a way to either "reduce friction in the user experience" or "simplify engagement for users," treating it as a form of "identity validation." Over half of the business managers thought BYOID would increase revenues for the organization, with many envisioning "targeted marketing." Less than 15% on the IT side shared this view.

According to the Ponemon survey, 67% of the IT and security respondents saw BYOID as a way to strengthen the authentication process and 55% said it could be a way to improve risk evaluation and decrease fraud. Only about 15% of business people felt that way. IT and security personnel also placed more importance on the "identity provider" in any BYOID arrangement having some sort of "formal accreditation."

Respondents on the IT side ranked PayPal, Google and Amazon as the top three preferred identity providers to their organization. Yahoo was ranked of least interest. The business staff ranked Amazon, Microsoft Live and PayPal as the top three identity providers for their employers, with Facebook ranked the least.

When it comes to perceived barriers to BYOID deployment, IT and security personnel were far more concerned about risk and liability, and about "loss of control," than the business staff. Business staff worried more about "cost."

"Organizations that accept third-party identities also worry about instances where an identity is compromised and non-legitimate access is granted to applications or customer data," the Ponemon survey points out.

Not surprisingly, IT and security personnel regard BYOID in a far more technical light, with 57% saying they would feel more favorably about BYOID adoption if the identity provider would implement "fraud risk engines" while 66% said they wanted "multi-factor authentication." These were of interest to only about a third of the business staff. For mobile devices, four-digit PINs and one-time tokens were more important to IT personnel, while "geo-location" tracking was important to more than half of the business staff.

Both the IT and business sides, though, did want identity providers to give them information related to security issues such as "history of password re-sets," if the account had been abused, the history of identity takeovers, how long the user account had been established and whether it had ever been suspended. IT personnel also want to have a phone number tied to the account.
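The two paragraphs above describe what IT respondents want from a BYOID arrangement: a "fraud risk engine" on the relying-party side, multi-factor authentication, and identity-provider signals such as password-reset history, prior account takeovers, account age, suspension history and a verified phone number. The following is an added example (not from the article, the Ponemon report or any identity provider) of how a relying party could turn those signals into a risk-based decision: allow, require a step-up to MFA, or refuse the federated login. Every claim name, threshold and issuer URL here is a constructed assumption; real providers expose different attributes, if they expose any at all.

```python
"""Risk-based evaluation of a federated (BYOID) login.

Added example: the attribute names, weights and accredited-issuer list are
hypothetical and constructed for illustration, not any vendor's API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class IdpAssertion:
    """Signals a relying party might receive (or look up) about a third-party identity."""
    issuer: str              # which identity provider vouches for the user
    subject: str             # provider-scoped user identifier
    account_created: datetime
    password_resets_90d: int  # "history of password re-sets"
    ever_suspended: bool      # "whether it had ever been suspended"
    takeover_reports: int     # "history of identity takeovers"
    phone_verified: bool      # IT wanted a phone number tied to the account
    mfa_performed: bool       # did the provider already do multi-factor auth?


# Constructed allow-list standing in for the "formal accreditation" IT asked for.
ACCREDITED_ISSUERS = {"https://idp.example.com"}

# Constructed weights: a toy "fraud risk engine".
NEW_ACCOUNT_DAYS = 30
STEP_UP_THRESHOLD = 25
DENY_THRESHOLD = 60


def risk_score(a: IdpAssertion, now: datetime) -> int:
    """Sum weighted risk indicators from the provider-supplied signals."""
    score = 0
    if now - a.account_created < timedelta(days=NEW_ACCOUNT_DAYS):
        score += 30   # freshly created accounts are cheap to mint for fraud
    if a.password_resets_90d >= 3:
        score += 20   # churned credentials suggest a contested account
    if a.ever_suspended:
        score += 25
    if a.takeover_reports > 0:
        score += 40   # a known compromise dominates the other signals
    if not a.phone_verified:
        score += 10
    return score


def decide(a: IdpAssertion, now: datetime) -> str:
    """Return 'allow', 'step_up_mfa' or 'deny' for this federated login."""
    if a.issuer not in ACCREDITED_ISSUERS:
        return "deny"            # unaccredited provider: never trust the assertion
    score = risk_score(a, now)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD and not a.mfa_performed:
        return "step_up_mfa"     # relying party enforces its own second factor
    return "allow"


# Constructed sample assertions for a fixed "now" so the decisions are reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

ESTABLISHED = IdpAssertion("https://idp.example.com", "u1",
                           NOW - timedelta(days=730), 0, False, 0, True, False)
NEW_UNVERIFIED = IdpAssertion("https://idp.example.com", "u2",
                              NOW - timedelta(days=5), 1, False, 0, False, False)
NEW_WITH_MFA = IdpAssertion("https://idp.example.com", "u3",
                            NOW - timedelta(days=5), 1, False, 0, False, True)
COMPROMISED = IdpAssertion("https://idp.example.com", "u4",
                           NOW - timedelta(days=730), 0, True, 1, True, True)
UNACCREDITED = IdpAssertion("https://idp.unknown.example", "u5",
                            NOW - timedelta(days=730), 0, False, 0, True, True)


if __name__ == "__main__":
    for name, a in [("established", ESTABLISHED), ("new_unverified", NEW_UNVERIFIED),
                    ("new_with_mfa", NEW_WITH_MFA), ("compromised", COMPROMISED),
                    ("unaccredited", UNACCREDITED)]:
        print(f"{name:15s} score={risk_score(a, NOW):3d} decision={decide(a, NOW)}")
```

The point of the split between `risk_score` and `decide` is that the score only aggregates what the provider reports, while the relying party keeps the final say: a provider's own MFA lowers the bar for a moderate score but never rescues an account with a takeover report, and an assertion from a provider outside the accreditation list is refused before any signal is consulted.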

The Ponemon survey concluded with the recommendation that the IT and business sides should have a "collaborative discussion" around BYOID in terms of how it might fit into any planned projects.

"This exercise could include basic simulation/modeling of a new online initiative with BYOID and without BYOID," the Ponemon report said. "This will help address key questions: Will supporting BYOID increase new customer acquisition? Are the costs of continuing to require users to create and maintain their own accounts more than the incremental value that is generated by BYOID?" But before any use of BYOID, a thorough risk analysis should be done by a corporate team that includes legal and business expertise to understand any liability issues.

Stories by Ellen Messmer