What’s Social Sign-in and Is It Risky?
Facebook does it. Google does it a lot. Even Apple and Amazon want to get into this act, so why have some retailers backed away from a login system known as Social Sign-In? What is this practice, and what are the dangers? Learn about the risks before you compound the data risks in your digital world.
Social sign-in (or sign-on) is the practice of accessing new websites or making purchases without creating a separate password for the business you'd like to use. Example: You want to shop at Macy's or L.L.Bean but don't want to bother with their unique registration. Instead, you press a "Connect with Facebook" or "Login with Google" button. The business then contacts the selected social site and gets authentication data for you. Google, Facebook, Amazon, Apple, and others serve as identity authenticators for you. Easy, right? Fast, too, but how much data of yours is shared, and how safe is it? Those are questions that need answers before you push that button.
Arguments For It
Friction. One single word encompasses all the frustration a user feels when asked to create a new login on a new website. However, a smoother process dramatically boosts the odds that a user will engage on the new site. That yields more conversions or purchases, which is good news for any business.
Password fatigue is another factor pushing the social sign-in concept. So is the quest for a seamless web experience. Not surprisingly, social sign-in is mighty popular with digital natives—those who grew up with the internet. Those under 25 are over three times more likely to use social sign-in than those over 50, for example.
Who dreamed up this feature? The social giants favor it for multiple reasons. They can capture more user data, gleaning details of your internet traffic to use as they wish. New third-party websites increase their odds of capturing you as a customer. Also, the social giants generally have more robust security than Mom and Pop retailers do—at least in theory. It's a win-win. For the businesses, at least.
Studies have found that this method of sign-in also boosts social sharing regarding purchases. That translates into even more conversions since over 80% of all social media users state they'd consider buying a product that a member of their social circle recommended. Those percentages are a marketing expert's dream.
The Arguments Against
Yes, this shortcut is convenient. You can shave seconds off your login—maybe even 60 of them—if you opt for a service like Apple sign-in. Yet, there are genuine risks. Each social sign-in adds to a web of connectivity that all ties into one main failure point.
Third-party sites receive some of your Facebook data to grant access, but there's little reason to believe this slice of your Facebook data will be more protected than other Facebook data.
What happens if the social giant experiences another significant data breach? Unfortunately, Facebook is no stranger to those; its most recent whopper to make headlines last April compromised 500 million user phone numbers.
Here's the screen you'd see when deleting the login connection between Facebook and TripAdvisor, a popular travel website:
"This will remove all your connections between Facebook and TripAdvisor, which include: Logged in with Facebook. Once removed, TripAdvisor will no longer be able to access the non-public information you previously shared with it but may still have what it received when the connection was active."
Yikes! There's no other way to read it; your information can be compromised in a data breach at either entity, although your password remains with the authorizer. If your social sign-in credentials are compromised, they could unlock numerous websites through a credential stuffing attack.
There is a way to limit connections at some social sites. It's part of Facebook's Apps and Websites menu; find it in the left-hand column of the Settings page. The situation is similar over at Google. User data is likely retained by third-party websites even if you shun "Join with Google" buttons from here forward.
Some experts believe Apple's sign-in system announced in 2019 will be more secure than other alternatives. Users can employ the company's biometrics of face or fingerprint to log in.
It's wise to weigh the pros and cons of social sign-in versus signing up for third-party websites independently. Juggling a bundle of username/password credential pairs is cumbersome. That makes social sign-in attractive, but this stroll through the world of social sign-in might still make you squirm.
Password managers like 1Password or Dashlane are an alternative. These store individual web logins and can auto-fill forms for you. Most managers will generate unique passcodes too. Once you establish the accounts, all you'll memorize is a single passcode.
Check your usage of social sign-in. So many websites offer connections using an identity authorizer like Google or Amazon. It's so smooth. You may have authorized this action in the past and forgotten. Check the authenticator's settings page to see how many you've joined.
Activate multifactor authentication (MFA) or two-factor authentication (2FA) to add extra protection. Google research indicates that MFA or 2FA can shut down over 90% of phishing attempts. Microsoft estimates the effectiveness rate to be even higher. Yes, it adds a bit of friction, but it's more secure than answering a handful of security prompts.