Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Social, Passwordless and SSO Data: What Can We Learn?

DZone's Guide to

Social, Passwordless and SSO Data: What Can We Learn?

Using the same password over and over is common among users, and a hated practice by security pros. Could other forms of login help eliminate this threat?

· Security Zone ·
Free Resource

Discover how to provide active runtime protection for your web applications from known and unknown vulnerabilities including Remote Code Execution Attacks.

In 2017, we have more options than ever before for strong password management. Between social, enterprise, and Passwordless connections, companies that are ready to offer more than username and password have several good options.

This is great news, considering that 59% of consumers will admit that they reuse the same password—simply because it's too hard to remember a unique password for every account. In 2017, companies are offering simpler, safer options than just traditional username and password. And we're already seeing a big shift happen.

Let's check in on how things are changing, and what's staying the same.

What Types of Connections Are On The Rise?

Single Sign On (SSO) and Passwordless have been around for a while, even as traditional username and password (U/P) have been around much longer. In 2015, we launched Auth0 Passwordless, which removes passwords from the login process completely and instead uses TouchID, or “Magic Links” sent through SMS.

Since 2015, we've seen Passwordless grow at a fairly steady rate of 10,000-20,000 connections per month, though it hasn't yet caught up to social or enterprise login. Social connections saw a big increase in 2016 and it's easy to see why. Users log into your site with existing login information from a social network provider. It's quick and takes out a lot of friction for the user.

Here's our data for 2016. We can see how U/P, enterprise (authentication through LDAP, Microsoft, Google Apps, and other clients), social, and Passwordless connections stack up:

Username & Password vs Enterprise vs Social vs Passwordless

While traditional username and password logins still dominate at 67% in 2016, we also saw the number of social connections double from 2015.

In 2015, Passwordless and social together only amounted to 5% of our total use. We grouped them together as SSO here:

Total users

Yet in 2016, 11.10% of all logins were social connections. This tells us that more and more users are beginning to see social connection as a stronger, more convenient option than U/P.

Companies too are finding U/P less effective and less attractive, as offering social connection can increase conversion rates by as much as 50%. With more login options becoming available over the past few years, it can seem daunting to pick the right one and stick with it. Customer-facing apps would do well to include social in the mix.

Top Used Social Connections

Now that we've seen how social is rapidly becoming more popular with a 2x growth in connections from 2015 to 2016, let's take a closer look at which social platforms users are using to log in.

Throughout 2016, we collected data to find out which social connections were being used most often:

Social connections by popularity

In 2016, Google was the most popular social connection at 48.7%, nearly double Facebook's share at 26.6%. GitHub came in third place at 9% before Windows Live at 3.6%.

The biggest shift from our 2015 data is that Twitter dropped from fourth to seventh place, at 2.6%.

As in 2015, these distributions are roughly reflected in the estimated monthly site visits of each of these sites, according to data from Alexa.com, Google's and Facebook's visitor numbers are in the billions, while Windows Live and Twitter are dwarfed in the millions, with Twitter's use declining.

So, social connection is clearly growing in popularity, and as these numbers suggest, Google and Facebook are still driving a lot of that growth. Yet dark horse GitHub climbed up to third place for social login in 2016. A full 9% of social connections through Auth0 came through GitHub, a developer-focused site that barely has a fraction Google's user numbers.

If you want to personalize your site's experience with social connection, go deeper than Google and Facebook and think about what smaller platforms your users are on. If your users are all developers who are on GitHub every day, take note of that. If your users are in sales and marketing, have them log in through Salesforce. If they tend towards editorial and publishing, have them go through WordPress.

When Will Single Sign On Surpass Username and Password?

In 2015, using the data we collected, we projected growth estimates for Passwordless implementation in relation to traditional U/P. We predicted that Passwordless would overtake U/P in mid-2027:

Forecast username & password vs Passwordless

Using our data from 2016, we ran the same growth estimates for Passwordless implementation against U/P and came up with an even more surprising outcome.

At this point, we can see that Passwordless is projected to overtake U/P in mid-2020:

Forecast (U/P vs Passwordless

When looking at our first chart in this post, Passwordless seems like a small player. Among Auth0 users and our users' users, 67% of logins are still U/P.

But once we take into account the growing share of social connections, and how different platforms are positioning themselves within the social login space, we can see big shifts happening. And they're happening faster than we thought a year ago.

With so many other options available for authentication, including social, enterprise, and Passwordless, the number of people using U/P is likely to decrease significantly. As more users begin to understand U/P as the most inconvenient and least secure option, we could very well see its share drop below 50% in 2020. It's already down to 67%.

Looking to 2017 and Beyond

From 2015 to 2016 we saw the dominance of U/P slip even further. It still makes up about 67% of our users' logins, but that's changing fast. With social connections jumping up 2x and some interesting changes within that group, we could see SSO overtake U/P much faster than we're expecting right now.

In running this analysis of our 2016 data we found 16,972 logins with breached passwords being entered every month, on average. In April of this year, 4.42% of logins were with leaked credentials. On average, we added 40 million new leaked credentials to our database in 2016.

These numbers may seem startling, but they also illustrate why companies are moving away from U/P so rapidly. Safer, simpler options are available and the industry is having a lot of success nudging users towards social, enterprise, and finally Passwordless options like TouchID and Magic Links.

Find out how Waratek’s award-winning application security platform can improve the security of your new and legacy applications and platforms with no false positives, code changes or slowing your application.

Topics:
security ,sso ,password security ,authentication

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}