Enterprise-grade authentication remains an Achilles heel of the social media world, but security is improving in other areas, according to a report by access management provider Cerby.

Facebook is the most secure social networking site among the major players, thanks to improved privacy controls and support for more secure two-factor authentication technology, but the social media sector as a whole remains vulnerable to different types of account takeover.

According to a study released Tuesday by access management vendor Cerby, the biggest area of concern common to the five platforms it studied — Twitter, Facebook, Instagram, TikTok and YouTube — was poor support for enterprise-grade authentication and authorization technology. Cerby said that support for cross-environment authorization technology like Simple Cloud Identity Management (SCIM) and Security Assertion Markup Language (SAML) would go a long way toward securing social media networks more effectively.

“Without these standards, political figures and businesses are vulnerable to several security risks, including credential reuse attacks,” the report said in part. “The unchanged nature of these scores from 2022 to 2023 highlights a misalignment concerning enterprise-grade security controls within these platforms.”

The news was brighter for other types of security controls. Facebook, YouTube and Twitter all support the FIDO2 framework, an open standard that uses authenticators like smartphone or hardware security keys to provide two-factor authentication — an improvement over time-sensitive passcodes sent via SMS. Access privilege management was generally strong across the social networks studied by Cerby, with no company rating lower than three out of five. (The report uses a six-point scale to rate the social platforms across six different criteria, with a zero meaning no support and no roadmap for incorporating a particular feature, and five indicating full, mature support.)
Ahead of major elections in the US and EU, the broadly positive outlook for social media security shouldn’t distract organizational users and the platforms themselves from making continual improvements. “The significant need for progress in enterprise-grade authentication and authorization across social platforms remains challenging,” the report said. “These platforms broadly fall into the nonstandard application category, needing more support for common security standards like SAML and SCIM, leaving politicians and businesses adrift in turbulent waters with minimal oversight from IT and security teams.”

Cerby offered three major pieces of guidance for political leaders and businesses looking to employ social media in the safest way possible. First, password managers integrated with corporate identity providers should be used to minimize the dangers posed by reused or weak passwords. Second, the strongest possible two-factor authentication methods should be used — the company suggested hardware-based security keys like YubiKey. Finally, integrating social media platforms with existing SSO platforms like Azure Active Directory or Okta can help centralize management of credentials and access tokens.