Only if it’s the only option.
I’ve noticed recently that a number of websites allow you to log in using another web service instead of directly from that webpage. For example, my son couldn’t remember his password at PhoneZoo, but it had an option to log in from his Facebook page. He pressed the button, logged into Facebook, and he was also logged into PhoneZoo.
Can you explain a little bit about what’s going on here and whether this means there is an increased security risk? If someone gets in his Facebook account, I would assume they could also get into his PhoneZoo account or any other website providing this access. Is this a trend, and is there any way to avoid it?
Rarely do I get to be this absolute: if it’s presented as an option, don’t use it. Log in with a traditional email or ID and password instead.
There are a variety of reasons, but the most important is simply basic security.
Should I log in with Facebook?
- Using a unique login ID and password for each service is much more secure.
- If you must use it, make sure your Facebook account is secured.
- The service does not get your Facebook password.
- Facebook gets information about every service where you use Log in with Facebook.
- Using the same account everywhere is even less secure than using the same password everywhere.
Log in with Facebook
Using services like Facebook to provide authentication is a popular trend. It’s not just Facebook: you can use your account with Google, Twitter, or other accounts to log in to many unrelated services. (Throughout this article, I’ll use Facebook as my example, but the same issues apply to using other services. I’ll also refer to all the services that you’re logging in to, like PhoneZoo in the original question, as third-party services.)
In most cases, it’s an option. You can log in traditionally by creating your own account, usually with email and password, or you can choose from one of the other authentication providers, like Facebook.
In some cases, it’s not an option. The third-party service has elected not to provide its own sign-in and relies entirely on other platforms to authenticate its users.
These third-party services want to make it as easy as possible for you to sign up with them. Not making you create yet another account and password to manage is one way to do so. It also means they don’t have to maintain their own authentication infrastructure.
They don’t get your Facebook password
A common concern is whether these third-party services get your Facebook login ID and password.
The short answer is:
- They usually get your ID (your email address, in the case of Facebook), which generally becomes your user ID on the third-party service.
- They do not get your Facebook password.
This practice uses an industry-standard protocol called OAuth, short for Open Authorization. You authenticate directly with Facebook, who then tells the third-party service that yes, you are who you say you are, by virtue of having successfully logged in to your Facebook account.
They may get additional information
When you set up your account with the third-party service and use Facebook to log in that first time, the service may request additional permissions. They may ask for additional information from your Facebook profile, such as contacts, permission to post to Facebook on your behalf, or more.
When this happens, you’ll be notified exactly what additional permissions and information you’re allowing to be shared, and you’ll be given the opportunity to either alter the permissions or abort the login completely. Be sure to read these carefully so as not to give more access than you’re comfortable with. Unfortunately, you typically can’t pick and choose which permissions to give — in my opinion, yet another reason to avoid Facebook-based logins.
Facebook gets information
When you use Facebook to log in to these third-party services, you’re telling Facebook which third-party services you use.
Given the concerns people already have about how much information Facebook collects, explicitly giving them even more seems a little counter-intuitive.
The same password everywhere is bad enough
Security experts and tech writers such as myself frequently advise against using the same password everywhere. If one account gets hacked and your password is exposed, then all your other accounts that use the same password are at much greater risk of getting hacked as well.
By using Facebook for authentication, you’re using the same account to sign in everywhere.
If your Facebook account is ever compromised, then every other account where you use Facebook for login is immediately compromised. Someone with access to your Facebook account can quickly and easily determine exactly which other accounts you have and access them.
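As an added illustration (not code from this article, and not Facebook’s actual API), here is a small in-memory model of the OAuth authorization-code flow described earlier. It shows the three points made above: the third-party service only ever receives a one-time code and a token, never your password; the provider records which services you log in to; and one provider account is the key to every linked service. The user, client name, secrets and scope are all constructed for the example.

```python
import hmac, secrets, hashlib

class IdentityProvider:
    """Stand-in for Facebook: the only party that ever sees the user's password."""
    def __init__(self):
        # Constructed sample user, registered client, and state; all hypothetical.
        self.users = {"alice@example.com": hashlib.sha256(b"correct horse").hexdigest()}
        self.clients = {"phonezoo-client-id": "phonezoo-client-secret"}
        self.codes, self.tokens = {}, {}
        self.login_log = []  # the provider learns which third-party services each user logs in to

    def authorize(self, client_id, scope, email, password):
        """Front-channel step: the user types the password into the provider, not the third party."""
        if client_id not in self.clients: raise ValueError("unknown client")
        if self.users.get(email) != hashlib.sha256(password.encode()).hexdigest():
            raise PermissionError("bad credentials")
        self.login_log.append((email, client_id, scope))
        code = secrets.token_urlsafe(16)          # short-lived, single-use authorization code
        self.codes[code] = (email, client_id, scope)
        return code

    def token(self, client_id, client_secret, code):
        """Back-channel step: the third party swaps the code for an access token."""
        if not hmac.compare_digest(self.clients.get(client_id, ""), client_secret):
            raise PermissionError("bad client secret")
        email, issued_to, scope = self.codes.pop(code)   # pop: a code cannot be replayed
        if issued_to != client_id: raise PermissionError("code issued to another client")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (email, scope)
        return tok

    def userinfo(self, tok):
        """What the third party can read with the token: only the granted scope, never the password."""
        email, scope = self.tokens[tok]
        return {"email": email, "scope": scope}

    def services_linked_to(self, email):
        """Why a compromised provider account cascades: one place lists every linked service."""
        return sorted({cid for who, cid, _ in self.login_log if who == email})

class ThirdPartyService:
    """Stand-in for PhoneZoo: stores only the identity it was handed."""
    CLIENT_ID, CLIENT_SECRET = "phonezoo-client-id", "phonezoo-client-secret"
    def __init__(self, idp): self.idp, self.sessions = idp, {}
    def login_with_idp(self, code):
        tok = self.idp.token(self.CLIENT_ID, self.CLIENT_SECRET, code)
        info = self.idp.userinfo(tok)
        self.sessions[info["email"]] = info   # no password ever reaches this class
        return info["email"]
```

Run a login by calling `authorize` on the provider and passing the returned code to `login_with_idp`; the service’s session record contains the email and scope only, while `services_linked_to` shows what an attacker holding the provider account could enumerate.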
Separate accounts are more secure
I heartily recommend setting up a unique login ID and password for each online service that requires you to sign in.
This limits the exposure of any one of them getting hacked to only that single service. It also removes the possibility of accidentally allowing them access to your Facebook account information for other purposes.
Yes, that means unique passwords for every site. The best way to manage that is to use a password manager, which allows you not only to keep track of all your passwords without needing to remember them, but also to use long, complex, safe passwords for each account.
If you’re not convinced and the appeal of using your Facebook login everywhere possible is just too compelling, then secure your Facebook account as best you can. At a minimum, that means using a long and strong password and adding two-factor authentication.
But I strongly recommend you use unique login IDs and passwords wherever possible instead.