Been online lately?
Then you’ve probably come across this more than once when trying to sign in to a new site or service:
Some services also offer sign-in with Twitter, Linkedin, or Microsoft. Others don’t even allow sign-in with good old fashioned email or through a standalone account.
You may have thought Fine. You win, and accepted those terms, but stopped at the last second and wondered: Wait a minute. Is this even safe?
Well, it’s called Oauth (for open standard for authorization), and here’s how it works.
What happens when you sign in with Facebook or Google?
Let’s say you want to sign up to peopleeatingcupcakes.com, because you’ve got an insatiable need to see other people eating cupcakes…
Because why not? No judgement here.
In the regular way of doing things, peopleeatingcupcakes.com would request that you create an account with them. That would usually require you to create (yet another) username, and provide an email address to which they can send a confirmation message to — just to make sure you’re a real person and not some bot with cupcake-eating interests.
By using Facebook or Google to sign in, both you and the site skip that dance. Instead you rely on those services to vouch for you and manage your account.
The important bit is this: the new service never gets your password.
When you sign in, peopleeatingcupcakes.com sends you to Facebook or Google, and you sign in with them. Facebook or Google then send a token back to the site that essentially says “Yup, this person is who they say they are. Proceed.”
You’re then free to explore the wonderful world of cupcake-eating people.
What’s the catch?
Because of course there's a catch. This is Facebook and Google we’re talking about.
In most cases, the service you’re accessing will get access to some aspects of your accounts.
At the very least, they’ll get access to your Facebook public profile or your email address. But in some cases, they may get more than that, such as access to your contact list or the ability to post to your wall.
Facebook allows a certain level of granular control over what you share, and Google will likely follow suite. Just keep in mind that some services rely on that information, so refusing permission may break them.
Right. So is it safe?
In many ways, yeah. In fact, it’s a lot safer signing into other websites with Google or Facebook than it is creating a standalone account and password. Here’s why:
- It’s one less password for you to mess up
Take it from us: security is hard.
Unless you’re using a password manager, the more passwords you create — and you should be creating unique passwords for every site you use — the more likely they are to be weak.
If one of these sites get hacked, the hackers will be able to piece together your patterns for creating passwords. Even worse, if you haven’t used unique passwords, now they basically have the key to all your accounts.
With Oauth, you can focus on making sure your password isn't weak— and then that will be the only password you would need to remember.
- You’re relying on Facebook or Google’s security
Like I was just saying: security is hard.
Peopleeatingcupcakes.com may be a great website. But they probably don’t have the resources to invest in their security at same level as the Facebooks and Googles of the world.
Another way of looking at this is to ask yourself: do I trust this website to keep my information safe? Most likely you already trust Facebook and Google to do so more than some random small website.
- In case of hacking, there’s very little lost
Remember, peopleeatingcupcakes.com doesn’t actually have your password. They don’t actually have anything but a token that allows them to confirm your identity with Google or Facebook. If they get hacked, there is no actual account for your information to be lost.
- You can revoke access
Even if peopleeatingcupcakes.com gets hacked, or you’ve finally had your fill of cupcakes and want to leave it all behind, you can always just revoke their token and remove their access to your data. This will likely be miles ahead of the account management system used by the cupcake people; in many cases, these systems have no option to delete accounts.
- You can use two-factor authentication
This is arguably the most important point: no matter how strong a password you create, it’s still not as good as adding a second method of verifying your identity. In most cases, this can be a simple time-based code sent to your phone via SMS or via an authenticating app like Authy, but there are other methods.
Most of the services taht offer Oauth also offer two-factor authentication. If you haven't activated it yet, you should.
Most of the services that offer Oauth also offer two-factor authentication. If you haven’t activated it yet, you should.
The basket problem
But, I hear you say, what if Facebook or Google get hacked? Isn’t it just putting all your eggs in one basket?
Well, to a degree, yes it is. That’s why you need to make sure you’ve got a strong password and two-factor authentication set up for those accounts.
But think about it: if you’re relying on an email account to manage all these separate accounts and that gets hacked, it’s basically same story, different basket. The hacker can use your email to reset all your passwords across all your services.
In this sense, Facebook might be a little more secure, since your Facebook account usually doesn’t double as an email account. But there are ways of mitigating email breaches, regardless of the service.
What about relying on a password manager instead?
There’s certainly a lot of good to be said about password managers.
But in this case, relying on a password manager to create multiple, strong, and unique passwords for each site does not equal better security than the Oauth logins provided by Google or Facebook.
For starters, you’re still relying on that small peopleeatingcupcakes.com service’s security to keep that unique password and your account there safe from a breach. If they’re not up to snuff, you’ll need to change that password, and you’ll only do that if you hear about the breach.
Meantime? You’ve been hacked and someone is playing with your account and data.
Again, two-Factor authentication can make that a non-issue. And the best password managers now support it. If yours doesn’t, consider getting a new one.
Second, you’re still just playing with a different basket: this time, your password manager. Whether that manager is more secure than Google or Facebook’s security is debatable, but there’s no denying a breach in the manager means the bad guys have access to all your accounts.
And password managers are not immune to hacking.
Enough already: should I use it, or not?
So long as you’re using a strong password and have set up two-factor authentication for your Facebook or Google account, then go for it. It will be safer than most alternatives.