For people like us who are often reluctant to fill in long sign-up forms, signing on to a new app using Single Sign-On (SSO) tools like Facebook and Google offers a lifeline.
It’s insanely convenient and saves me the stress of setting up new accounts all the time, remembering dozens of passwords, typing login details, and resetting passwords.
But with time, I realized that these SSO tools are not the panacea I thought them to be.
This raises an essential and often-asked question: should you sign on to a new app using your Facebook login?
This article helps you to answer that question. But first, let’s examine how Facebook SSO works.
Let’s kick it off.
How Facebook Sign-On Works
Facebook provides a simplified authentication method that lets users sign on to third-party applications and websites using one set of credentials.
It does the heavy lifting behind the scenes, enabling you to create accounts in a few mouse clicks.
Like other big tech companies such as Google and Microsoft, Facebook uses OAuth to let third-party applications authenticate users. The protocol lets Facebook users sign on to new apps without handing their Facebook password to those apps; the app only receives the profile information the user approves.
But what happens under the hood when you sign on to an app with Facebook?
Let’s find out:
- When you click the “Sign Up with Facebook” button on a third-party website or application, it redirects you to Facebook.com. If you haven’t logged in, Facebook prompts you to sign in with your username and password.
- When you log in, Facebook displays a dialog box showing the information it will share with the website or app, and you authorize Facebook to proceed with the authentication by clicking the “Continue” button. You can also edit the permissions before continuing.
- When you click the button, Facebook redirects you back to the website with an authorization code confirming that you hold a valid Facebook account.
- But before allowing the website to access your information, Facebook requires the website to present the unique secret it acquired when it registered its app with Facebook’s OAuth service, confirming the request is coming from a trusted source.
- If Facebook confirms it’s legitimate, it grants the website or app an access token, enabling it to sign up the user using the permitted information.
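To make the five steps above concrete, here is an added example (not Facebook’s code or the author’s) that simulates the provider side of steps 3 to 5: the authorization code is bound to the registered app and its redirect URI, expires quickly, can be redeemed only once, and is converted into an access token only when the app proves it holds the secret it received at registration. The client id, secret and URLs are constructed placeholders.

```python
import secrets
import time
from typing import Dict, List, Optional

# Constructed registry of third-party apps. The client_secret stands in for the
# unique code a website obtains when it registers with Facebook's OAuth service.
REGISTERED_CLIENTS: Dict[str, Dict[str, str]] = {
    "example-app": {
        "client_secret": "constructed-secret-not-a-real-value",
        "redirect_uri": "https://app.example/callback",
    }
}

# Authorization codes minted after the user clicks "Continue": code -> binding record.
_issued_codes: Dict[str, dict] = {}
CODE_TTL_SECONDS = 600  # short-lived, so a leaked code is useless soon after issue


def issue_authorization_code(client_id: str, redirect_uri: str, scopes: List[str],
                             now: Optional[float] = None) -> str:
    """Step 3: after consent, mint a single-use code bound to this app and redirect URI."""
    now = time.time() if now is None else now
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        raise ValueError("unknown client or redirect_uri mismatch")
    code = secrets.token_urlsafe(32)
    _issued_codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                           "scopes": list(scopes), "expires_at": now + CODE_TTL_SECONDS}
    return code


def exchange_code_for_token(client_id: str, client_secret: str, code: str,
                            redirect_uri: str, now: Optional[float] = None) -> Optional[dict]:
    """Steps 4-5: the website proves its identity with the secret and presents the code.

    Returns an access token limited to the approved scopes, or None on any failure.
    """
    now = time.time() if now is None else now
    client = REGISTERED_CLIENTS.get(client_id)
    # Constant-time comparison so the secret check does not leak timing information.
    if client is None or not secrets.compare_digest(client["client_secret"], client_secret):
        return None
    record = _issued_codes.pop(code, None)  # pop: a code can be redeemed exactly once
    if (record is None or record["client_id"] != client_id
            or record["redirect_uri"] != redirect_uri or now > record["expires_at"]):
        return None
    return {"access_token": secrets.token_urlsafe(32),
            "scope": " ".join(record["scopes"]), "expires_in": 3600}
```

A replayed code, a wrong secret, a mismatched redirect URI, or an expired code all yield no token, which is why an intercepted code alone does not let a third party sign up as you.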
Creating an account with Facebook SSO sounds convenient, but it comes with several risks.
Continue reading to find out.
The Risks of Signing-On With Facebook
The access token allows Facebook to hand over private information to the website.
Some of the data these sites request includes your birthday, email address, and photos, allowing them to build a rounded profile of you. Some websites also access your friends list to collect information about your friends and what they do online.
Though you can edit the type of data a third-party application can access from your Facebook profile, how many people actually do this?
Not many people do this, from my experience.
It’s also possible for unscrupulous websites to sell your data or use it in ways you would not approve of.
At least, I have seen one.
Besides these privacy concerns, signing on to apps with Facebook could also expose you to security risks, and here’s how.
Facebook Sign-On Could Compromise Your Online Safety
Using Facebook to sign on to several websites creates a daisy chain (one set of credentials protecting multiple accounts) that could make you vulnerable to hackers or identity theft.
The least secure account becomes the weak link, an entry point for attackers into the chain. The scary part is that breaching any one account can compromise every other account that relies on the same login.
Now imagine if you signed on to an app that holds your credit card details.
Also, it’s not uncommon for people to lose their Facebook passwords. You might accidentally give it to someone without knowing or lose it through a targeted phishing attack, leaving all your connected accounts vulnerable.
Once criminals get hold of your account, a common move is to open Apps and Websites in your Facebook settings, review your connected accounts, sign in to them, and do things you would not like.
Losing Facebook Access is the End of the Road
Facebook makes signing in to your accounts seamless, but have you ever wondered what happens if you lose access to your Facebook account?
Of course, that’s the end of the road—you’ll lose access to all connected accounts, and you can’t do anything about it.
For me, it’s a considerable risk, and it’s not worth it.
Let’s even assume you’re meticulous in protecting your Facebook credentials; what if Facebook decides to remove your service provider (the app or website) from its OAuth service?
Of course, you would permanently lose access to that account, and so would every other user who signed up the same way.
The Risks Aren’t Just Hypothetical
These risks aren’t just hypothetical—there are several real-life examples. So, let’s spotlight a few of them.
A few years back, Facebook announced a massive data breach that allowed hackers to access over 50 million Facebook users’ accounts.
The hackers could also reach the other accounts those users had logged into using Facebook, over 100,000 connected accounts across services including Instagram, Expedia, The New York Times, Airbnb, Tinder, and Pinterest.
Though Facebook invalidated the access tokens as soon as it detected the breach, the incident underscored how exposed Facebook SSO leaves every account you created with it.
Twitter, Yahoo, Microsoft, and LinkedIn have also been hacked, a reminder that no provider is immune.
Beyond these hacks, SSO users face additional risks.
Last year, Apple threatened to revoke Epic’s “Sign In With Apple” capabilities over in-game purchasing disputes. Going ahead with the threat would have caused Epic users who signed up with Apple to lose their access permanently.
In the end, Apple and Epic resolved their disputes, but the incident also laid bare the risks of managing account access with third-party applications.
But how do you create accounts conveniently without being vulnerable to these risks?
Let’s find out below.
Signing Up Securely on the Web
The near-constant rate of online threats has made staying safe online more critical than ever.
A study found that a hack attack typically occurs every 39 seconds, affecting one in three Americans yearly. Unfortunately, daisy-chaining passwords or using insecure login credentials gives attackers more chances of success.
But these tips could help safeguard your online identity.
- Only use social login on websites you’re comfortable sharing data with.
- Avoid using social profiles to sign up on platforms that contain sensitive information like financial details—manually creating the account is the safest bet.
- Use two-factor authentication to add a layer of security to your Facebook account.
- Use a password manager like Dashlane to autofill sign-up forms with personal information, generate strong passwords, and log in to accounts securely.
Taking a Stand: Security vs. Convenience
Facebook makes it convenient to create and log in to accounts, but it could expose you to risks.
So the question of whether you should sign on to a new app using Facebook depends on what you want—security or convenience.
But for me, it’s security, so I am not signing on to any app using Facebook.
Of course, unless it’s an app in the Facebook ecosystem like Instagram or any third-party service that integrates with the platform.