Manually creating accounts is a pain: we just want to access an app’s services, not spend five minutes setting up emails, passwords, and basic information. That’s why the “Log in with Facebook” and “Log in with Google” buttons have become so common across the Internet.
Users love this federated login technique because it makes creating accounts much easier, and websites/apps love it because they can get way more users to sign up for accounts. Since you can create accounts using Google, Facebook, Twitter, Microsoft, LinkedIn, Github, WeChat, VKontakte, Weibo, and more, chances are you’ve used one of these services, but also briefly wondered if it’s a good idea. You’re right to wonder: yes, it’s convenient, but there are trade-offs when it comes to security, and it’s essentially a one-way street as far as privacy goes.
How do social logins work?
Not every system works the same, but the basic process is fairly universal. Most third-party login services use some combination of the OpenID and OAuth protocols. OpenID deals with authorizing users (logging into Facebook confirms your identity to the site you’re trying to use), while OAuth governs how other sites can access your data (name, age, interests, friends, etc.).
There are three main players involved in a social login process:
- The User (that’s you!) requesting access to an app or site
- The App or site that the user wants to access
- The Authorizer that confirms your identity and controls access to your data (Facebook, Google, etc.)
A typical social login happens like this:
- The User hits the “Log in with ____” button.
- The App opens a link asking the User to log in to the Authorizer’s site. The link contains information telling the Authorizer which site is making the request.
- The User enters their username and password into the Authorizer’s site, meaning the App never sees your information.
- The Authorizer generates a one-time-use code and sends it to the App.
- The App then sends this code to the Authorizer with a request for access to the Authorizer’s API.
- The Authorizer validates the code and issues the App a token (usually with a time limit) that allows the App to ask the Authorizer for certain user information.
Security Pro: social logins can be more secure than email-password logins
Social logins are as secure as the companies that are managing them, which, given that they’re some of the biggest tech companies in the world, puts them in the “pretty good” category. You don’t see Facebook and Google getting hacked left and right, mostly because they care a lot about their cybersecurity and invest way more in it than your average retail chain.
If you use a federated login, the site you’re creating an account with never actually gets access to your username and password, meaning no one can steal your account (though they might get some associated information).
You also aren’t entering your passwords all over the place, and given that we tend to reuse our passwords fairly often, this is a good thing. We’re probably not following best password practices anyway, so the less we spread our bad security around, the better.
Security Con: if your social login goes down, so do your accounts
So what if Facebook and Google do get hacked, or someone just manages to get into your account? Both companies have had data issues in the past (Cambridge Analytica, Google+), and LinkedIn was straight-up hacked, so big tech doesn’t really have a 100% track record here.
Could someone with your social media login just pretend they’re you on every app and site that you used social media to log into then? Basically, yes. Whether it’s a system-wide security breach, a weak password, or malware on your computer just waiting for you to sign on to Facebook, anyone with your login credentials can impersonate you on another app. This makes social logins a single point of failure, creating a possible domino effect if your authorizing account is breached.
This means that a lot is riding on our social media accounts staying secure. Facebook, Google, and Twitter are working hard to do that, but even if they hold up their end, there’s only so much they can do if your password is 123456789 (check out these tips for a strong password) and you keep your account logged in on shared or physically-accessible devices. If you use a social login, you should treat it like the key to whatever accounts it can access.
This will be a short section because there really are no privacy benefits to users. Social logins won’t just firehose your data over to whoever asks for it, which is the minimum you’d expect, but you’ll pretty much always be giving up a lot more personal info than you would if you just used an email/password combo.
Privacy cons: everyone learns more about you
Depending on which service you’re using, you have more or less control over what data apps are allowed to pull from your social profiles. It’s easy to give out more than you intend, though, and apps can ask for whatever they want in the knowledge that most users will probably default to “Yes.” Your friends, location, post history, interests, and other pieces of personal information could easily be scraped up without you being completely aware.
On the other end, remember that most of the companies providing you with login services are very interested in collecting more data about you. They’d love to know what apps you’re using, how often you use them, and even more granular information about what you do in them, and using them to log in is essentially giving that information directly to them. Exactly how much data Facebook and Google get from apps that use their login services isn’t clear, but if you’re not comfortable with a company potentially knowing a lot about what you’re doing in an app, it’s best not to link your account to that company.
So should I be using social logins?
Social logins can be more secure in many cases, especially if you’re careful to keep your main accounts locked down pretty tight, and you’re not sure whether an app or site has the best cybersecurity. It’s actually safer to log into a sketchy app or site with a social login, since you won’t be giving up the password you probably reuse across several sites. Nonetheless, if you’re creating an account containing potentially sensitive information on a well-secured service, a strong email/password combo is your best bet.
As for privacy, it’s a personal decision. If you don’t want the app to know more about you than it needs to, don’t log in with Facebook. This holds equally going in the other direction: don’t use a third-party authorizer unless you’re comfortable with that third party gathering some extra data on you.