Signing in with Facebook and Google+ – how secure is it?
Since you have made your way to this post, you already know about signing into different areas of the web using your Facebook, Google+ or any other account. Some places also allow sign in using Twitter, Microsoft, LinkedIn or others. Some even do not even offer to sign in with email accounts anymore. They just allow signing in through the social account.
You may have thought to yourself that it’s fine. You simply accepted the terms and then moved on. But wait, is it safe?
This is called Oauth or Open Authentication and here is how it works.
So, what happens when you sign in using Facebook?
Let’s say that you want to sign into something.com using Facebook. So, you go to something.com and you want to make an account there. To store data for your profile, the website will need to have a unique identifier for you. Usually, this is your email address or username that you use to sign up.
When you use something such as Facebook or Google+, the website does not receive any username or password from you. Instead, it receives a token from Facebook or Google or any service you are using to sign up. That token is then used to create your profile. What happens is that Facebook says something.com that you are who you say you are.
This makes authentication easier for something.com.
Okay, now that something.com has a token for your profile, it can finally make that profile and allow you to access it as long as you use that same Facebook or Google+ profile. However, along with the token, these websites generally also take your public profile.
A public profile is all the details that you have set to be publicly visible. This generally includes your name and username. Both Facebook and Google provide granular controls over what details you want to be set publicly visible.
So how safe is it?
- Less to remember: With OAuth logins, you have to remember fewer passwords. The more passwords you create mentally, the weaker the passwords are. Moreover, using the same password everywhere can cause massive disasters. If one site gets hacked, the hacker can use the same password everywhere else. With OAuth, you make sure that you don’t even use a password in the first place.
- You’re Relying on Trusted Sources: When it comes to OAuth, you are relying on Facebook and Google to provide you with the security and not on something.com. So, even if something.com gets hacked, they will only get access to your token, which is useless everywhere else other than something.com. Therefore, very little is lost in case the site gets hacked.
- You can revoke access: The neat thing about tokens is that you can revoke access anytime you want. Google and Facebook both allow removing accounts.
- Two-factor authentications: This is arguably the most important point: no matter how strong a password you create, it’s still not as good as adding a second method of verifying your identity. In most cases, this can be a simple time-based code sent to your phone via SMS or via an authenticating app like Authy, but there are other methods.
Most of the services that offer Oauth also offer two-factor authentication. If you haven’t activated it yet, you should.
The Basket Problem
When you are signing in to so many accounts using Facebook or Google or anything else, you are basically putting all your eggs in one basket. Doesn’t that mean if Facebook gets hacked, all your accounts will be hacked too?
Technically, it is true. But Facebook being hacked is highly unlikely. Password theft, on the other hand, is more likely. Also, losing your Google password means losing access to email and Facebook primarily uses email as a recovery service. So, Facebook is slightly more secure than Google.
However, as long as you are careful and you use a strong password for Facebook or Google, you should be fine.
What about password managers?
So long as you’re using a strong password and have set up two-factor authentication for your Facebook or Google account, then go for it. It will be safer than most alternatives. However, using password managers are better in some ways.
Password managers are not immune to hacking, but all your accounts will be in more isolation and not tied up to one single OAuth service. Password managers provide more granularity.
Still, nothing is better than being able to remember strong separate passwords. A small notebook that you can store secretly can help you remember passwords. Then again, unless you are in charge of some top secret government project, Facebook sign-ins are good enough for most, and obviously more secure as long as you keep your public profile and your sign-ins in check.