Is It Safe to Log in with Facebook or Google?
You’ve probably come across a prompt like this more than once when trying to sign in to a new site or service: “Sign in with Facebook” or “Sign in with Google”.
Some services also offer sign-in with Twitter, LinkedIn, or Microsoft. Others don’t even allow sign-in with good old-fashioned email or through a standalone account.
You may have thought “Fine. You win,” and accepted those terms, but stopped at the last second and wondered: “Wait a minute. Is this even safe?”
Well, it’s called OAuth (an open standard for authorization), and here’s how it works.
What happens when you sign in with Facebook or Google?
Let’s say you want to sign up to peopleeatingcupcakes.com, because you’ve got an insatiable need to see other people eating cupcakes…
Because why not? No judgement here.
In the regular way of doing things, peopleeatingcupcakes.com would request that you create an account with them. That would usually require you to create (yet another) username, and provide an email address to which they can send a confirmation message — just to make sure you’re a real person and not some bot with cupcake-eating interests.
By using Facebook or Google to sign in, both you and the site skip that dance. Instead you rely on those services to vouch for you and manage your account.
The important bit is this: the new service never gets your password.
When you sign in, peopleeatingcupcakes.com sends you to Facebook or Google, and you sign in with them. Facebook or Google then sends a token back to the site that essentially says “Yup, this person is who they say they are. Proceed.”
You’re then free to explore the wonderful world of cupcake-eating people.
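To make the exchange concrete, here is a toy simulation of the OAuth 2.0 authorization-code flow just described. It is an added example, not code from the article or from Facebook or Google; the provider, the site, the user “alice”, the client secret, the scopes and the callback URL are all constructed for illustration, and real providers add further steps (PKCE, signed ID tokens) on top of this skeleton. The point it shows is the one the article makes: the password is typed only at the provider, the site receives a one-time code and swaps it for a token over a back channel, and a callback the site did not initiate (wrong `state`) is refused.

```python
# Toy simulation (added example); all names, URLs and secrets are constructed.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class IdentityProvider:
    """Stands in for Facebook or Google: the only party that ever sees a password."""
    def __init__(self):
        self._users = {"alice": "correct horse battery staple"}  # constructed user
        self._clients = {"cupcakes-app": {  # the site, as registered with the provider
            "secret": "constructed-client-secret",
            "redirect_uri": "https://peopleeatingcupcakes.example/callback"}}
        self._codes = {}   # single-use authorization codes -> (client_id, user, scope)
        self._tokens = {}  # access tokens -> (client_id, user, scope)

    def authorize(self, client_id, redirect_uri, scope, state, username, password):
        """The provider's own login page; returns the redirect back to the site."""
        if redirect_uri != self._clients[client_id]["redirect_uri"]:
            raise ValueError("redirect_uri does not match the registered one")
        expected = self._users.get(username, "")
        if not hmac.compare_digest(expected.encode(), password.encode()):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, username, scope)
        # The site only ever receives this short-lived code plus its own state value.
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code):
        """Back channel: the site proves who it is and swaps the code for a token."""
        secret = self._clients[client_id]["secret"]
        if not hmac.compare_digest(secret.encode(), client_secret.encode()):
            raise PermissionError("client authentication failed")
        issued_to, user, scope = self._codes.pop(code)  # KeyError if unknown or reused
        if issued_to != client_id:
            raise PermissionError("code was issued to a different client")
        access_token = secrets.token_urlsafe(24)
        self._tokens[access_token] = (client_id, user, scope)
        return {"access_token": access_token, "token_type": "Bearer", "scope": scope}

    def userinfo(self, access_token):
        """What the token unlocks: only the fields the granted scope covers."""
        _, user, scope = self._tokens[access_token]
        profile = {"sub": user}
        if "email" in scope.split():
            profile["email"] = f"{user}@example.com"  # constructed address
        return profile


class RelyingParty:
    """peopleeatingcupcakes.example: never sees or stores the user's password."""
    client_id = "cupcakes-app"
    client_secret = "constructed-client-secret"
    redirect_uri = "https://peopleeatingcupcakes.example/callback"

    def __init__(self, idp):
        self.idp = idp
        self._pending = {}  # state -> browser session that started the login
        self.sessions = {}  # browser session -> identity plus the token it holds

    def start_login(self, session_id, scope="openid email"):
        """Build the request the browser carries to the provider."""
        state = secrets.token_urlsafe(16)  # binds the callback to this session
        self._pending[state] = session_id
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": scope, "state": state}

    def callback(self, session_id, redirect_url):
        """Handle the redirect back from the provider."""
        query = parse_qs(urlparse(redirect_url).query)
        state = query.get("state", [""])[0]
        if self._pending.pop(state, None) != session_id:
            raise PermissionError("state mismatch: login not started by this session")
        tok = self.idp.token(self.client_id, self.client_secret, query["code"][0])
        profile = self.idp.userinfo(tok["access_token"])
        self.sessions[session_id] = {"user": profile["sub"], "token": tok["access_token"]}
        return profile


def run_login(username="alice", password="correct horse battery staple"):
    """The whole exchange: site -> provider (password typed there) -> site."""
    idp = IdentityProvider()
    site = RelyingParty(idp)
    request = site.start_login("browser-session-1")
    redirect = idp.authorize(request["client_id"], request["redirect_uri"],
                             request["scope"], request["state"], username, password)
    return site.callback("browser-session-1", redirect)


def forged_callback_is_rejected():
    """A redirect with a state the site never issued must not log anyone in."""
    site = RelyingParty(IdentityProvider())
    site.start_login("browser-session-1")
    try:
        site.callback("browser-session-1", site.redirect_uri + "?code=x&state=not-ours")
    except PermissionError:
        return True
    return False
```

Calling `run_login()` returns the profile `{'sub': 'alice', 'email': 'alice@example.com'}` and leaves the site holding an access token and nothing else; `run_login(password="wrong")` fails inside the provider, before the site is involved at all. The `state` check in `callback` is the part small sites most often skip, and it is what stops someone from completing a login in your browser with a code issued to a different session.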
What’s the catch?
Because of course there's a catch. This is Facebook and Google we’re talking about.
In most cases, the service you’re accessing will get access to some aspects of your accounts.
At the very least, they’ll get access to your Facebook public profile or your email address. But in some cases, they may get more than that, such as access to your contact list or the ability to post to your wall.
Facebook allows a certain level of granular control over what you share, and Google will likely follow suit. Just keep in mind that some services rely on that information, so refusing permission may break them.
Right. So is it safe?
In many ways, yeah. In fact, it’s a lot safer signing into other websites with Google or Facebook than it is creating a standalone account and password. Here’s why:
It’s one less password for you to mess up
Take it from us: security is hard.
Unless you’re using a password manager, the more passwords you create — and you should be creating unique passwords for every site you use — the more likely they are to be weak.
If one of these sites gets hacked, the hackers will be able to piece together your patterns for creating passwords. Even worse, if you haven’t used unique passwords, now they basically have the key to all your accounts.
With OAuth, you can focus on making sure your one password isn't weak — and that will be the only password you need to remember.
You’re relying on Facebook or Google’s security
Like I was just saying: security is hard.
Peopleeatingcupcakes.com may be a great website. But they probably don’t have the resources to invest in their security at the same level as the Facebooks and Googles of the world.
Another way of looking at this is to ask yourself: do I trust this website to keep my information safe? Most likely you already trust Facebook and Google to do so more than some random small website.
In case of hacking, there’s very little lost
Remember, peopleeatingcupcakes.com doesn’t actually have your password. They don’t actually have anything but a token that allows them to confirm your identity with Google or Facebook. If they get hacked, there is no actual account for your information to be lost.
You can revoke access
Even if peopleeatingcupcakes.com gets hacked, or you’ve finally had your fill of cupcakes and want to leave it all behind, you can always just revoke their token and remove their access to your data. This will likely be miles ahead of the account management system used by the cupcake people; in many cases, these systems have no option to delete accounts.
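The two points above (the site holds only a token, and you can revoke it at the provider) come down to one table on the provider’s side. The sketch below is an added example, not the article’s or any provider’s code: a constructed token registry with an RFC 7662-style introspection answer and the “remove access” operation behind a connected-apps page. It shows that a token copied out of a breached site’s database stops working the moment the user revokes that app, and that revoking one app leaves the user’s other apps untouched.

```python
# Added example with constructed app and user names; not a real provider's code.
import secrets


class TokenRegistry:
    """Provider-side record of which site holds which token for which user."""
    def __init__(self):
        self._grants = {}  # access token -> {"app", "user", "scope"}

    def issue(self, app, user, scope):
        token = secrets.token_urlsafe(24)
        self._grants[token] = {"app": app, "user": user, "scope": scope}
        return token

    def introspect(self, token):
        """RFC 7662-style answer: unknown or revoked tokens are simply 'not active'."""
        grant = self._grants.get(token)
        if grant is None:
            return {"active": False}
        return {"active": True, **grant}

    def revoke_app(self, user, app):
        """What the 'remove access' button on a connected-apps page does."""
        doomed = [t for t, g in self._grants.items() if g["user"] == user and g["app"] == app]
        for token in doomed:
            del self._grants[token]
        return len(doomed)  # how many tokens that app held for this user


def breach_then_revoke():
    """A token leaks from the site's database; the user pulls the plug at the provider."""
    registry = TokenRegistry()
    token = registry.issue("cupcakes-app", "alice", "email")
    leaked_copy = token  # whoever took the site's database now holds this string
    usable_before = registry.introspect(leaked_copy)["active"]
    registry.revoke_app("alice", "cupcakes-app")
    usable_after = registry.introspect(leaked_copy)["active"]
    return usable_before, usable_after
```

`breach_then_revoke()` returns `(True, False)`: the leaked token works until the user revokes the app and is dead afterwards, with no password reset needed. Real providers also expire tokens on their own and pair revocation with an introspection or refresh step, so a site that keeps calling with a revoked token gets “not active” on its next request.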
You can use two-factor authentication
This is arguably the most important point: no matter how strong a password you create, it’s still not as good as adding a second method of verifying your identity. In most cases, this can be a simple time-based code sent to your phone via SMS or generated by an authenticator app like Authy, but there are other methods.
Most of the services that offer OAuth also offer two-factor authentication. If you haven't activated it yet, you should.