Social login is a form of single sign-on, where users are allowed to log into an application or website using one of their existing social media account credentials. A social login, therefore, eliminates the need for users to register on yet another online platform – saving them the need to remember yet another set of credentials.
If you are a business, you may have noticed that a social login option on your online platform has had a positive effect on the number of registrations you receive. If you are an individual user, you may have found the option to either “Sign up” or “Login with Facebook/Google” and felt relieved that you were able to access the platform in just a few seconds by choosing the latter. But have you ever thought of how secure this method of login really is?
Let us look at the various aspects that affect the security of social login.
Social networks invest more on security
Social login is, by and large, considered to be a secure login method. This is because social media platforms including Google and Facebook are huge, powerful corporations in the online world with more potential than the original business (to whose website/application you are logging into) to set up strong security measures.
One compromised credential = multiple compromised accounts
On the other hand, if a hacker does manage to crack the social account – either due to a weak password or through a brute-force attack, this puts not only a user’s social media profile under threat but all of the applications and websites in which the user has used a social login option. The problem is only made worse with advanced threats like credential stuffing.
Similarly, if an individual’s phone is stolen and unlocked, with a Facebook or Google account that is still logged in, more than just one account is again compromised.
Third-party tracking scripts continue to threaten
Research conducted by Princeton’s Center for Information Technology Policy revealed that, when you log in to a website or application using social login, a third party might be able to place tracking scripts on the website or application. These tracking scripts have the ability to steal information that you have shared with the website or application during the social login – and sometimes even more than just that!
Although Facebook has announced, post publication of this study, that it would address this loophole in their universal login API, experts say that the issue may be deeper and more complicated than that. It is a harsh reality that a number of companies today create software and tracking tools that can be used to scoop, steal and sell information from such platforms.
So, what is the solution?
While the ease and convenience of social login is undeniable, it is also becoming increasingly difficult to ignore the potential threats of using such a feature. The next time you are thinking about a social login, keep these points in mind:
- Enable multi-factor authentication and risk-based adaptive authentication features that are provided by your social media network. A number of social network providers have set up these built-in security enhancement features, but they may not be enabled by default. Make sure to check your account/privacy settings and make the appropriate changes. This way, an additional layer of security will back you up even in case that your username/password are compromised.
- Check what permissions are being asked of you by the website or application that you are registering to using a social login. There will be a request to access your name, public profile and a few other details sometimes. Provide only information that you think is relevant to the site and deny all others. It might also help if you go back to your social media account and check what all is part of your public profile, and change those settings in order to limit the information you are allowing someone else to access.
- Use the social login feature selectively. If you are wary of a website or application, or if you are sure you will not be using it too ofteis n (and hence will not need a quick login method), then avoid logging in to them using your social media credentials. We suggest creating an email ID only for such occasional-use sign ups and using that to register instead.
If you are a business offering social login, you could offer your users with more security by integrating your application or service with an identity and access management solution (IAM) like Akku which comes with advanced features like multi-factor authentication, location-based restrictions, and suspicious login prevention. We also recommend that you speak to a cloud specialist on other cloud security measures that you can implement.