How secure is your social login?

November 29th, 2018 | security & compliance

Social websites have become such a significant portion of almost everyone’s online life. Communities of billions of active users - including everyday users, celebrities, prime ministers and presidents - share their most intimate life details on these sites, capturing moments with pictures and videos.

It’s no wonder that individual hackers, criminal organizations, and even state-sponsored hackers are interested in attacking these platforms. Just in the past few months, we have seen dozens of reports of Instagram account takeovers, a reported massive breach at Facebook, and an announcement from Google+ following a newly discovered vulnerability in their APIs. I also recently wrote about Reddit employee accounts being hacked.

By and large, social network providers have reacted to this threat by enhancing their built-in security and anti-fraud controls. In particular, they have been implementing much more consistent support for one of the simplest - and probably one of the most effective - methods of boosting account security: multi-factor authentication (MFA).

What kind of MFA does your social media support?

We at OneLogin were curious about how different social platforms vary in their types of MFA support. So we decided to survey the leading US social media sites to better understand what platforms offer what. To keep things simple, we focused on the three most common aspects of authentication:

1. Text message-based authentication: Text-based authentication, also known as SMS authentication, is still one of the most common forms of second-factor authentication. While it is better than just a password, it’s regarded as a less secure option compared to other alternatives.

2. Mobile authenticator: By this, we mean mobile apps that provide a one-time authentication code. Think of Google Authenticator or our own OneLogin Protect. These free mobile apps use your smartphone as a security token to provide a simple login experience that is much more secure than text-based authentication.

3. Multiple devices: This is an important additional capability that lets users register two or more devices. In case of an emergency - such as when a phone is lost, damaged or stolen - a second device can be used to recover access to your account. For example, if you lost your personal phone, you could still use your work phone or even an iPad to sign into your account.

The table below summarizes our findings on different social platforms’ MFA support:

[Table: MFA support by social platform (text message, mobile authenticator, multiple devices)]

* WhatsApp offers “two-step verification” which is different from multi-factor authentication.
** Instagram support for Mobile Authenticator is new and still only available for some users.
*** The table represents the current state of the implementation as of October 2018.

Key takeaways

1. Offering some method of MFA has become standard for social platforms
The table above demonstrates that while there are still mixed levels of support for different MFA factors, at least a basic level of multi-factor authentication is supported by almost all these services. This coincides with a greater trend of MFA adoption for both services and users.

In fact, the number of OneLogin users who adopted MFA has doubled in the past year, as admins have become more aware of the importance of a second factor and configuration has become simpler. This is great to see, as MFA implementation may offer the highest ROI of any personal account-security feature.

2. Reddit has learned from their mistake.
After suffering a breach via insecure SMS-based authentication last month, Reddit stated, “…we learned that SMS-based authentication is not nearly as secure as we would hope.” They even went so far as to say that they “…encourage everyone here to move to token-based 2FA.”

It seems that Reddit is really putting their money where their mouth is, as they no longer support MFA via text messaging at all, and are one of the few platforms on this list to support multiple authentication devices.

This is, to some extent, representative of the greater security community. In many cases, organizations need to “learn the hard way” before discovering an area of vulnerability and acting upon it. Unfortunately, not all social platforms in this list seem to have learned from Reddit’s experience.

3. Facebook and Google have the broadest support for MFA
Of the ten platforms in this list, only Facebook, Google/YouTube, and Reddit support multiple authentication devices. As platforms that house a wealth of sensitive data, it’s expected that Facebook and Google would be investing in security controls, and be leaders in the social MFA space. And having just undergone a serious data breach as a direct result of SMS-based authentication, it’s understandable that Reddit would adopt this capability as well.

What does surprise me, however, is that support for multiple authentication devices is not more prevalent among other leading social platforms - especially heavy hitters like LinkedIn and Twitter. We hope to see more developments on that front in the near future.

4. Text-based MFA is still prevalent (unfortunately).
Other than Reddit, just about every other social platform in this list continues to support text-based authentication. It’s a little concerning - though not especially surprising - that this fairly vulnerable authentication factor is still so common. What is very concerning, however, is just how few platforms support other forms of MFA.

It’s good to see that Instagram is working on support for mobile authenticators. But major players like Pinterest, Twitter, and even LinkedIn are still behind, relying exclusively on text-based authentication. I think it’s safe to assume that more social platforms will continue to adopt different MFA options in the next couple of years. The sooner they do, the better.

In summary, it’s interesting to see how different social platforms are approaching the subject of MFA. Some are lagging behind with outdated tools, while others are adapting in response to new types of threats. We should also expect to see further developments in the implementation of emerging best practices and standards, such as WebAuthn, once it is officially approved and implemented by more players.

Finally, I want to leave you with this simple recommendation: Use MFA, and urge your family and friends to do the same. MFA is available (almost) everywhere, is free for you to use, and dramatically improves your cyber-protection. Even if text message-based authentication is all that your social platform supports, it is still much, much better than nothing.

Learn more about our mobile authenticator, OneLogin Protect. Or install the app on your iOS or Android devices. Stay safe out there.

About the Author

Ehud Amiri is a Senior Director for Product Management at OneLogin. Ehud is passionate about making the world safer by embracing new ways to trust people, devices & applications so that security becomes both effective and frictionless. Prior to joining OneLogin, Ehud served in various product management and engineering roles at CA Technologies, Netegrity, and Business Layers.

View all posts by Ehud Amiri