Should Social Sign-in be Used For Financial Services?
2 December 2011
Earlier this week, startup Movenbank came under fire for allowing users of its alpha site to sign in using Facebook credentials. Should Facebook be used to identify and authenticate users at a banking site?

I commend the Movenbank team for trying something different and for attempting to use a standard that's already in place. I understand the concept and the idea behind using a social tool. However, I don't believe that a Facebook Connect login has a home on a secure banking site. Firstly, Facebook and privacy don't exactly go hand in hand. Even more importantly, Movenbank is a front-end solution and is going to require bank partners sitting in the background. I'm not aware of many banks that are going to be comfortable with the notion of a Facebook login. Facebook and banking are still like oil and water, and it's going to take quite some time before that changes.

There's good reason for this. Facebook is still too much of an open book, and Facebook Connect isn't exactly the most secure thing around. The online video site Hulu is an excellent example. Earlier this year, a small number of Hulu users found this out the hard way: users were being erroneously logged into the accounts of other users. Hulu claimed "that it was a coding and configuration error on Hulu's side, and not the result of hacking, or other third party actions, or a vulnerability in Facebook Connect." Sure, Hulu, this had nothing to do with the third-party tool...

Facebook Connect isn't ready for prime time for online or mobile banking. There are many who are going to disagree with me here, particularly given the popularity of Facebook Connect. Sure, it's cheap and fast to get up and running. Cheap and fast doesn't equate to secure or private, particularly once the FFIEC gets into the picture. To be fair, Movenbank does plan to "supplement the registration and login features with additional authentication channels, including a private, Movenbank-specific user identity." Now I'm not sure what "supplement" means here exactly, but I take it to mean that the user will have options and a second factor of authentication. I hope one of the options is not Facebook.