It’s not you, Facebook, it’s me.
That’s a very good question. I recommend not using Facebook, Google, or other third-part services to sign in to other sites, for both privacy, and security reasons. But, I know many have already done so.
A related question might be figuring out all the places you’ve done so, as it’s easy to do and just as easy to forget.
To begin with, yes, Google/Facebook has your information. But you can disconnect and stop contributing to this form of data collection while improving your overall security at the same time.
Become a Patron of Ask Leo! and go ad-free!
Undoing 'Sign in with Facebook'
Both Facebook and Google have pages where you can review the third-party sites, apps, and services you’ve used to authenticate with them. You can sever the connection. This will not remove data already collected but will prevent further accumulation using this method. For each disconnection, you’ll need to set up unique traditional email/password sign-ins.
Find out where
In many cases, it’s pretty obvious where you’ve used “sign in with Facebook” or its Google (or other) equivalent. Each time you go to those services, you’re prompted to sign in using them.
However, it’s also possible to set it up once because it’s quick and convenient, and then forget all about it because you’re never asked to sign in again. The sign-in is almost permanent.
Fortunately, it’s fairly easy to have Facebook or Google tell you where you’ve used this technique.1
- Facebook: https://www.facebook.com/settings?tab=applications&ref=settings
- Google: https://myaccount.google.com/connections
These links will open a page that lists where your Facebook or Google credentials have been used to sign in to some other service.
In the Facebook example above, you can see that not only current websites are listed, but you’ll also see those where the sign-in credentials have expired. My list was quite long.
Remove connections
Review the list of connections. Consider hitting “Remove” for all of them, but on the off chance there is one you want to keep, at least make it a conscious decision. (Sites do exist that have no sign-in function of their own and require you to use a third-party sign-in like Facebook’s.)
Interestingly enough, in my case I saw connections for sites where I don’t use Facebook to sign in. For one reason or another, I had given Facebook access (often to allow the site to post something to Facebook on my behalf). I removed them all.
Create a new, unique, sign in
This is where it gets dicey.
On each service where you previously used “sign in with Facebook”, try to sign in with your email address. Be sure to use the same email address you use for Facebook.
You may need to do a password reset or “I forgot my password” to set a password associated with your email address.
I’m assuming that in most cases your Facebook ID (which is your email address) is also used as your ID for this other service. In other words, you have an account associated with your email address, and you’re simply changing how you authenticate.
Here’s why it’s dicey: the service might not use your email address as an ID. Once you disconnect “sign in with Facebook”, the service will have no idea how to identify you. You may need to create a completely new account, this time using email/password authentication rather than Facebook.
You may want to see if you can do this before removing the connection to Facebook, or at least confirm that your account is identified by the same email address.
The big hammer
You might note this option near the bottom of Facebook’s “Apps and Websites” page.
Clicking “Turn off” will remove all the existing connections and prevent any new connections from being created. Facebook will, of course, warn you about what it considers dire consequences:
I present this option last because there could be at least one service where you’ll need or want to continue to use sign-in with Facebook. Turning that functionality off will disconnect all services completely.
Do this
Review your Facebook (and Google) connections to other websites, apps, and services. You may find there are more than you expect or remember. For each connection, decide whether it’s a relationship you’re comfortable with or that’s required. If not, consider removing it.
Something else to consider: Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Podcast audio
Related Video
Footnotes & References
1: Presumably other “sign in with” providers have similar functionality.
speaking of FB sign in, what do you think of the option of signing into FB by clicking your profile pic? you won`t have to enter a password if you enable it. it seems to me anyone who knows your email address would be able to sign in with it.
It applies only to that specific machine, so, for example, I enable it at home, but not on my laptop when travelling.
I can understand the importance of protecting accounts when traveling. Since you use whole disk encryption on your laptop, is it still dangerous to allow one click login?
One-click as in Facebook? I think so. Securing my hard disk is a Windows thing which is tied to my Windows login which is assuredly not one-click.;-) Only caveat would be a computer left logged in and accessible to others, which is a bad idea for more reasons than just Facebook.
That’s exactly what I was thinking.
I use one of two email addresses I have for sign-in purposes when I create accounts. Which address I use depends on what the account is for. I have always avoided using the sign in with Google/Facebook/etc. options because I don’t want to give any of those services any more information about me than I already have to. When I set up an account, I am usually asked for my email address, and that address is used to confirm that that I have access to the address, and as my user name for the account, and that’s O.K. with me because it doesn’t give Google or MSFT (the providers of my email accounts) any extra information about me. There are two games I like to play, both of which asked me to sign in with Facebook to enable progress recovery in the event I have to re-install the app. I did so for both games, and for that I have no regrets. There has been more than one time I’ve used that capability after reinstalling the game(s)/re-installing Windows, etc. This is yet another case in which my natural caution has served to protect my privacy – again :).
Ernie (Oldster)
That’s odd! I just read an article (won’t mention the source), but I avoid Google/FB like the plaque. They have too many tracking techniques that scare the bee-geebies out of me! Of course, as said, they have your info. It’s the nuclear waste of DATA!