How many times have you had to register on a website and been given the choice of using a social account? And every time, you had to decide whether to use it or not.
It is very common now that whenever you want to register or log in to a website, you are given the choice to use your Facebook, Google, Twitter or other social accounts.
Why should I use Social Login at all?
There are some people who never use their social accounts and others who prefer them for the convenience they provide. But the common questions everyone has when using such features are:
- Is it Safe?
- What happens to my privacy?
- How much of my data will it collect?
All these factors lead to one critical question: is it better?
Why Social login is useful for the developer
To understand the concerns related to social login, first let us study how things would normally be done if no social login were used. When you register on a website with a username and password, this information is stored on their own servers, i.e. your username and the password hash (not the actual password of course, but nobody is stopping them from storing that). Any other personal information is also stored on this server.
Then it is up to the developer to take care of your data.
In case of a breach, all your data has the risk of being stolen.
Now, as a developer of a website/webapp, the question that comes to my mind is:
How do I securely store a user's data?
It requires proper knowledge and developer resources to create a secure system. But for a small group of developers, security is generally not the top priority. On top of that, the developers may be too inexperienced to follow proper security guidelines. Such developers end up with weak and uncertain security implemented in their site/app.
What's more, many times a developer just wants a simple registration system, purely for authentication purposes, but creating one on their own takes time and then creates security issues (with hackers now trying to steal this data).
That raises a very concerning question for developers: what happens if my server gets hacked?
The best way such developers can safeguard user data is to not manage it on their own.
If someone could store user data securely for them, instead of it sitting on their own servers, both you and they could worry less about data theft.
Here is where social login comes in very handy. A developer could implement a simple social login if he just wants authenticated users and does not need to store any data. He gets the required data from the user, decreases spam and bots, and would not have to worry about user data being stolen.
This is the best scenario for using social login: a win-win situation, with no loss for the user or the developer.
But not everyone uses your social data in this way.
We will see how.
Website/app behaviour: permanent storing vs temporary access
Whenever you give permissions to allow any website to look into your data, it can manage your data in different ways.
1. It can either read the data while you are logged in and forget everything when you log out. Here your data from the social network is not stored on the server; instead everything is read directly from the provider site.
2. Or it can store this data on their own servers, so that when you log out, the site/app still has your information.
Once you grant permissions to read your data, the site/app will read everything and build its own local database of your information. Now this is partially concerning.
Asking for more than required information
This, I think, is just bad for the privacy of a user. A site sometimes asks for more personal information than it should. Just a few days ago I tried using the www.udemy.com Facebook login. It wanted me to allow access to my public profile, friend list, email address, birthday, work history, education history, interests, current city, personal description and likes, and my friends' interests, personal descriptions and likes.
Now, asking for public profile and email is fine, but you not only need my interests but my friends' as well? Why does it require such personal details? I do not think this much information is required to create an account.
I decided against using this, and registered in the plain old manner, with just an email.
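The two points above, a site that only needs authenticated users and keeps nothing (the developer section and the "temporary access" behaviour) versus one that asks for far more than it needs, can both be checked in code on the site's side. The following is an added example, not code from the original post or from any of the sites it names: a scope-minimisation check that flags everything a consent request asks for beyond what a plain login needs, and two small account stores showing what ends up at rest under "temporary access" versus "permanent storing". The provider name, the scope strings and the user-info payload are constructed for illustration and do not follow any real provider's naming.

```python
"""Two defender-side checks for a site that offers social login.
Added example, not code from the original post. The provider name, scope
strings and the user-info payload below are constructed for illustration
and do not follow any real provider's naming."""
import secrets
from dataclasses import dataclass, field

# Constructed: the most a plain login feature should ask for.
NEEDED_SCOPES = frozenset({"public_profile", "email"})

# Constructed: an over-broad consent request of the kind the post describes.
OVERBROAD_REQUEST = {"public_profile", "email", "user_friends", "user_birthday",
                     "user_work_history", "user_likes", "friends_likes"}

# Constructed: what a provider might return after a successful login.
SAMPLE_USERINFO = {
    "sub": "10203040506",          # provider's stable, opaque user id
    "name": "Jane Example",
    "email": "jane@example.org",
    "birthday": "1990-01-01",
    "friends": ["2020", "3030"],
}


def excess_scopes(requested, needed=NEEDED_SCOPES):
    """Scopes a consent request asks for beyond what the feature needs.
    An empty result means the request is minimal; anything else should be
    dropped before the consent screen is ever shown to a user."""
    return set(requested) - set(needed)


@dataclass
class TemporaryAccessStore:
    """'Temporary access' behaviour: keep only (provider, sub) -> local id.
    Profile fields are handed back for the current session and never persisted."""
    links: dict = field(default_factory=dict)

    def login(self, provider, userinfo):
        # In a real flow `userinfo` must come from the provider after the
        # token exchange and be validated (e.g. ID token signature and
        # audience) before it is trusted; that step is outside this example.
        key = (provider, userinfo["sub"])
        if key not in self.links:
            self.links[key] = secrets.token_hex(8)   # random local account id
        session_profile = {"name": userinfo.get("name"), "email": userinfo.get("email")}
        return self.links[key], session_profile

    def retained_fields(self):
        """Data categories this store keeps at rest."""
        return {"provider", "sub", "local_id"}


@dataclass
class PermanentStore:
    """'Permanent storing' behaviour, for contrast: copies the whole payload."""
    profiles: dict = field(default_factory=dict)

    def login(self, provider, userinfo):
        key = (provider, userinfo["sub"])
        self.profiles[key] = dict(userinfo)      # everything is now at rest
        return key, self.profiles[key]

    def retained_fields(self):
        fields = {"provider"}
        for profile in self.profiles.values():
            fields |= set(profile)
        return fields


if __name__ == "__main__":
    print("scopes to drop:", sorted(excess_scopes(OVERBROAD_REQUEST)))
    tmp, perm = TemporaryAccessStore(), PermanentStore()
    tmp.login("exampleprovider", SAMPLE_USERINFO)
    perm.login("exampleprovider", SAMPLE_USERINFO)
    print("temporary access keeps:", sorted(tmp.retained_fields()))
    print("permanent store keeps:", sorted(perm.retained_fields()))
```

The useful property of the temporary-access store is that a breach of `links` yields nothing but opaque provider ids and random local ids; the permanent store, by contrast, turns the site into a second copy of the user's social profile, which is exactly the "partially concerning" case the post describes.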
Reading the Privacy Policy
It is best to read the privacy policy of the website you're going to give your data to. Some websites may very well use your data to analyze you for marketing purposes. They may also sell this data to third parties. So be extremely careful (I personally use WOT to find out a website's reputation).
Sign up using xyz vs sign in using xyz
Some sites do not log you in directly using your social account but instead create a local account using your social data, so you'll again have to log in using new credentials and will have another password to remember (e.g. hootsuite.com). This I find to be the most misused way of handling social login features. As a user I would provide my social info to avoid any kind of registration and logins; I really don't want to give any data to the site, but for the convenience of hassle-free login, I will. They, on the other hand, just took my information and then provided me with the same old method for logging in. I gave them my data for nothing!
Untrustful website, what to do now?

Simply Don't do it!
You find a great new website or webapp, something new you want to try out. But you don't know if you can trust this site; it's not popular enough, so there is no information on whether it is fake or not. How safe is social login going to be in such cases?
This actually should be simple: don't log in using your social account! It's best that you create a separate account with a different password whenever you cannot trust the website/app.
You might think that if you properly look at the permissions requested by the website/app, you can be certain that only less important data is at risk.
That's well and good until you encounter a malicious website. Let's understand what can happen then.
Clickjacking and phishing
A simple trick used by hackers for a long time is phishing. Phishing is simply creating a lookalike website with a masked or similar-looking URL so that the user may be tricked into believing it is the real thing. He'll enter his real credentials and that's it. Say bye-bye to your account.
A more complex form of phishing is done with clickjacking. Clickjacking, in simple terms, is hijacking your clicks, i.e. whenever you try to click something, you end up clicking something else.
[Image: clickjacking illustration, from www.scamsniper.info]
Mostly, clickjacking is done with an invisible element placed on top of a clickable button or link. When you think you are clicking the button, you're actually clicking the invisible element. This can be potentially more harmful, as it may be possible to mount such attacks on trusted sites, which may then get you.
You may literally have a malicious add-on installed on your web browser right now that finds legitimate links and buttons across webpages and sets them up to clickjack you!
Tell us how comfortable you are using social login features on other websites.
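The overlay trick described above only works against a site if that site lets other pages embed it in a frame, so the site-side mitigation is to say so in its response headers. The following is an added example, not code from the original post: a small audit function that reads a response's `Content-Security-Policy` and `X-Frame-Options` headers and classifies whether the page can be framed, plus the hardened header pair a site should send. The header values used as input are constructed for illustration.

```python
"""Classify how a page may be framed, given its HTTP response headers.
Added example, not from the original post. Sample header values are
constructed for illustration."""

# The pair a site should send: CSP for current browsers, X-Frame-Options
# as a fallback for older ones that do not understand frame-ancestors.
HARDENED_HEADERS = {
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}


def _frame_ancestors(csp):
    """Source list of the CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_policy(headers):
    """Return 'blocked', 'same-origin', 'restricted' or 'framable'.

    Browsers that understand CSP ignore X-Frame-Options whenever a
    frame-ancestors directive is present, so CSP is consulted first and
    X-Frame-Options only as a fallback."""
    lower = {k.lower(): v for k, v in headers.items()}

    ancestors = _frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        if ancestors in ([], ["'none'"]):          # empty list matches nothing
            return "blocked"
        if any(a in ("*", "http:", "https:") for a in ancestors):
            return "framable"                      # any origin may embed it
        if all(a == "'self'" for a in ancestors):
            return "same-origin"
        return "restricted"                        # named origins only

    xfo = lower.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "blocked"
    if xfo == "sameorigin":
        return "same-origin"
    # The obsolete ALLOW-FROM form is ignored by current browsers, so it
    # offers no protection and is classified like a missing header.
    return "framable"


if __name__ == "__main__":
    # Constructed sample responses.
    samples = {
        "no headers": {"Content-Type": "text/html"},
        "xfo only": {"X-Frame-Options": "SAMEORIGIN"},
        "csp partner": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
        "hardened": HARDENED_HEADERS,
    }
    for name, hdrs in samples.items():
        print(f"{name:12} -> {framing_policy(hdrs)}")
```

Running this over captured responses is a quick way to find pages that a malicious site could overlay; anything reported as `framable` that carries a login form or an account action is the kind of page the overlay trick targets, and sending `HARDENED_HEADERS` (or a `frame-ancestors` list naming only the origins that genuinely need to embed it) closes that off.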