
SecurEnvoy warns businesses on dangers of Mozilla Persona single-sign-on service

October 2012 by SecurEnvoy

Commenting on the launch of the beta of Mozilla's Persona service, which is designed to offer desktop and mobile users of Firefox a single sign-on (SSO) login process across a wide variety of Web sites and services, SecurEnvoy says the service could prove a security risk for businesses.

According to Andy Kemshall, CTO and co-founder of SecurEnvoy, unlike similar services from Facebook and Google, Persona looks set to be introduced as a de facto standard to users of the mobile version of the Firefox browser, which is now gaining ground against the competition.

"From there it’s a convenient hop for mobile Firefox users to start using the Persona service on their desktop, but SSO is only as secure as its weakest link - and I have not seen anything to persuade me that the Persona service is any more secure than a conventional ID/password combination," he said.

"If anything, the pervasive nature of the Persona service - which is based on the Mozilla BrowserID project - is less secure simply because it will be used on multiple platforms across multiple sites, meaning the security is only as strong as the weakest site’s security," he added.

The CTO of the inventor of tokenless two-factor authentication (2FA) technology went on to say that if any of the mobile devices were logged on in a public environment, a hacker could easily "shoulder surf" the user's Persona login credentials, so gaining access to multiple sites in the process.

It doesn’t, he says, take a security expert to realise the dangers of using Persona for business services, which he likens to the usage of financial account aggregation services designed to allow access to multiple - and disparate - bank and credit card accounts via a single portal.

These aggregation services, whilst popular, he adds, are a clear security risk, which is why a growing number of banks expressly forbid their usage in their terms and conditions. If an account holder uses such services, they do so at their own risk.

"The irony about Persona is that we have developed a tokenless 2FA process that uses a mobile phone for authentication, meaning that smartphone Persona users could move on up to the far higher security benefits of our SecurAccess solution for accessing business applications and data," he said.

"Persona may be a great idea for simple consumer applications such as low-security social networking Web sites and services, but there are distinct dangers of using the service for business applications. We think it's far too easy for a member of staff to use Persona for 'securing' access to a Web portal where business information is being stored," he added.
