Why you need to remember that the easiest entry point to an app may have other problems…
Easy, convenient and quick – three reasons why, almost certainly, you’ve been happy to use what are called “social logins” in the past. Also known as social sign-on, this is when an app or website embeds a widget where you can log in using details from another account – such as Facebook, Twitter, Google+ and LinkedIn. Not only does it save you the bother of coming up with a new username and password, many users also believe they get more personalized, relevant content and offers.
And we’re doing it more and more: according to a report last year by consumer platform Gigya, 77% of U.S. consumers and 60% of U.K. consumers have used social logins – a considerable jump from 2012, when just 53% of U.S. consumers used them. Most apps on both iOS and Android now offer the facility as standard – as do many forums, comment boards and news media.
But this trend has issues, as several observers have pointed out – so be sure you’re aware of the consequences next time you tap in your Facebook details…
- Fewer passwords mean less security
As more apps and websites offer social login for convenience, you could be relying on a single password to control access to huge swathes of your data. Convenient perhaps, but far less secure – with increasingly elaborate phishing attacks every day, nobody is immune, especially as, more than likely, you’ll be using your Facebook login details. A survey of more than 300,000 sites and apps by Gigya revealed that 64% of users – nearly two-thirds – use Facebook to authenticate their identities on websites and mobile apps. And it’s not like there are dozens of other options: Google+ boasts a 21% share, Twitter has 6% and Yahoo has 5%. The bottom line is: if your “main” login details are compromised, hackers could access most of the apps and websites you use. The only way to be safe is to come up with separate usernames and passwords for each login. Or, of course, get a password manager to do it for you…
- You rely on other people’s security
At least the likes of Facebook, Twitter and so on employ state-of-the-art security systems and full-time security teams to try to ensure your logins are safe. But can you be sure that the website or app that you’re typing your details into is just as secure? Perhaps not: last December, IBM X-Force’s Application Security Research Team showed how hackers could easily access user accounts on a third-party website by abusing the social login mechanism. In this case, the flaw allowed an attacker to intrude into a Slashdot.org user account by using the “Sign In With LinkedIn” service. While the problem was quickly remedied, it could have allowed access to sensitive data. Remember: social login buttons delegate control of your credentials to another service, rather than leaving you to ensure security yourself with separate logins for each website.
- Can you remember what social login you used?
Every day you use dozens of apps, and visit dozens of websites, on your mobile devices and desktops, many of which use these social login buttons. Sometimes you log in with Twitter, sometimes with Facebook, sometimes with a username and password specific to that app. But as email provider MailChimp points out: can you remember which? At least individual passwords can be handled by a password manager like Dashlane – but otherwise, social logins add extra “decision points” for users that can mean scrabbling around trying to find which one you first used.
- All your eggs in one basket
If you’re using Twitter and Facebook to sign up, you’ve got another problem as well. Your user credentials are then forever entwined with another account on another service that could be cancelled at any time – something which could break your access to your app without you knowing. As the New York Times best-selling author Baratunde Thurston points out, “If I never used Twitter again, I’d still be a Twitter user, because the company is like the school janitor with a fat ring of jangling keys to various doors in my online life.”
- Who has access to your data, exactly?
Social logins also add to the fog surrounding who, exactly, can access key biographical details that your social accounts contain. After all, how many of us, for example, read the permissions that Android or iOS apps request before we install them? A spotlight was thrown on the issue a while back when popular free Android app Brightest Flashlight turned out to be selling location data and device ID information to third-party advertisers. Remember: using a password manager allows you to quickly generate random passwords which you will never need to remember – and also saves you sharing all your details with other third parties.