I’ve noticed recently that a number of websites allow you to log in using another web service instead of directly from that webpage. For example, my son couldn’t remember his password at PhoneZoo, but it had an option to log in from his Facebook page. He pressed the button, logged into Facebook and he was also logged into PhoneZoo.
Can you explain this a little bit about what’s going on here and whether this means there is an increased security risk? If someone gets in his Facebook account, I would assume they could also get into his PhoneZoo account or any other website providing this access. Is this a trend and is there any way to avoid it?
Rarely do I get to be this absolute: if it’s presented as an option, don’t use it. Log in with a traditional email or ID and password instead.
There are a variety of reasons, but the most important is simply basic security.
Become a Patron of Ask Leo! and go ad-free!
- Using Facebook or other online accounts to log in to unrelated services is a trend.
- The third-party service does not get your Facebook login ID or password.
- Facebook does get information about each third-party service where you use your Facebook login.
- Using the same account everywhere is less secure than using same password everywhere (which you also should not do).
- Using a unique login ID and password for each service is much more secure.
- If you must use it, make sure your Facebook account is secured.
Log in with Facebook
Using large services like Facebook to provide authentication is definitely a trend I’m seeing more and more. It’s not just Facebook: you can use your account with Google, Twitter, or some other accounts to log in at all sorts of random and unrelated services. (Throughout this article, I’ll use Facebook as my example, but the same issues apply to using other services like Google, Twitter, and others. I’ll also refer to all the services that you’re logging into, like PhoneZoo in the original question, as “third party” services.)
In most cases, it’s an option. You can log in traditionally by creating your own account, or you can choose from one of the other authentication providers, like Facebook.
In some rare cases, it’s not an option. The third-party service has elected not to provide its own sign in and relies entirely on using Facebook or other platforms to authenticate its users.
These third-party services want to make it as easy as possible for you to sign up with them. Not making you create yet another account and password to manage is one way they do so.
They don’t get your Facebook password
One common point of concern is whether these third-party services are getting your Facebook login ID and password.
The short answer is that yes, they may get your ID (your email address, in the case of a Facebook login), but they do not get your password.
This practice uses an industry standard protocol called OAuth, short for Open Authorization. You authenticate directly with Facebook, who then tells the third-party service that yes, you are who say you are, by virtue of having successfully logged in to your Facebook account.
They may get additional information
When you first set up your account with the third-party service and use Facebook to log in that first time, the service may request additional permissions. They may ask for additional information from your Facebook profile, such as contacts, or permission to post to Facebook on your behalf, or more.
When this happens, you’ll be notified exactly what additional permissions and information you’re allowing to be shared when you set up that login with the third-party service, and you’ll be given the opportunity to either alter the permissions given or abort the login completely. Be sure to read these carefully so as not to give more access than you’re comfortable with. Unfortunately you can’t pick-and-choose which permissions to give — it’s all-or-nothing — in my opinion yet another reason to avoid Facebook based logins.
Facebook gets information
One thing folks overlook is that when you use Facebook to log in to these third-party services, you’re telling Facebook which third-party services you use.
Given the concerns people already have about how much information Facebook collects, explicitly giving them even more seems a little counter-intuitive.
Same password everywhere is bad enough
Security experts and tech writers such as myself frequently advise against using the same password everywhere. If one account gets hacked and your password is exposed, then all your other accounts that use the same password are at much greater risk of getting hacked as well.
By using Facebook for authentication, you’re using the same account to sign in everywhere.
If your Facebook account is ever compromised, then every other account where you use Facebook for login is immediately compromised as well. Someone with access to your Facebook account can quickly and easily determine exactly which other accounts you have1 and access them.
Separate accounts are more secure
I heartily recommend setting up a unique login ID and password for each online service that requires signing in.
This limits the exposure of any one of them getting hacked to only that single service. It also removes the possibility of accidentally allowing them access to your Facebook account information for other purposes.
Yes, that means unique passwords for every site. The best way to manage that is to use a password manager like LastPass, which allows you not only to manage them all without needing to remember them, but enables you to use long, complex, safe passwords for each account.
If you must…
If you’re not convinced, and the appeal of using your Facebook login everywhere possible is just too compelling, then secure your Facebook account as much as you can. At a minimum, that means long and strong passwords, as well as adding two-factor authentication.
Remember, if that one account is hacked … all the accounts are hacked.
Personally, that’s not a risk I consider to be worth it.