How Secure is Social Login?
Social login gives application users the ability to apply existing login information from their social media accounts to register and sign into third-party sites. But before we jump into the topic of whether social login is secure or not, let’s answer the question below.
Do users really want social login? (Spoiler alert: Yes!)
From a user’s point of view, social login offers the benefit of simple, efficient access. Instead of registering for yet another online service, they can simply utilize an existing social media account. This means one fewer username and password to manage—an appealing option in a world where the average business user has 191 passwords.
In a recent survey, 86% of users indicated that they are bothered by the need to create new accounts on websites, and 77% said that social login is a good solution that should be offered by any site.
From a developer’s perspective, giving users the option to utilize their Facebook, Twitter, or Google accounts to register and gain access to an online application increases the hit rates of their sites—an enticing option for developers who need to provide an authentication service for their solution. Instead of developing a fully-fledged identity verification service, developers can leverage third-party social login, which then handles all their application’s authentication requirements. In addition to saving development time, social logins also take the hassle out of managing the entire authentication service. Everything from registration to user and password management is taken care of, and the application owner is also not burdened with securing the personal profile information of their user base.
Social logins are not only seen to be more secure (after all, having a global giant like Google or Microsoft managing authentication is far better than managing this service on your own), they also have the added benefit of simplifying the user authentication experience. Users only need to remember a single username and password to log in to multiple services; this is further enhanced by the ability of modern browsers to cache login credentials. These cached credentials then provide a seamless sign-on experience to applications when users visit a site that accepts these social login authentication services.
Bigger is better — well, yes and no
As social login platforms such as Facebook and Twitter provide authentication services for millions of users, the security investments they deploy to protect their authentication services far outweigh any security investment a standalone organization or application developer could make on their own.
Not only do they have a responsibility to the millions of users who trust them with their personal information, their reputations as global technology service providers are at stake. A breach could compromise their own user data, along with every service that has opted to use their authentication service.
Although social logins provide heightened security and improved user and developer experiences, there are a few risks and issues which need to be addressed. Most users do not realize that a security breach at one of these providers would have far-reaching consequences, so the security of access through social login cannot be taken for granted.
Is social login the right choice for all apps?
There is no doubt that social logins offer benefits to both users and developers. However, application providers must be careful when opting to use these services for their platforms.
Using social logins essentially means outsourcing the entire user profile management service to a third party. This complicates the ownership and control of user data. In some instances, it may be well within the application’s overall strategy, but in others, there may be a real business need to keep user data in house (e.g., business analytics).
It is important to remember that once an application provider decides to self-manage user profiles, they are responsible for securing that user data. With privacy legislation like the EU’s GDPR, which specifically aims to protect personal information stored by online applications, the responsibility that comes with storing user data can become quite onerous.
Social login is not a “one size fits all” authentication solution. Application developers considering utilizing social logins must decide how they want to handle data ownership before deciding to use these services.
Securing social login
Per the Verizon Data Breach report, 81% of breaches had a root cause of weak or compromised passwords. Similarly, the Deloitte breach was apparently related to the compromise of all administrator accounts. Those who decide to use social login authentication for their application should recognize that the application is essentially only as secure as the platform providing the service. Having stronger passwords is one thing, yet in a credential breach, passwords (both weak and strong) can be universally compromised.
Is there a way out?
Let’s consider a scenario where a data breach has compromised your Facebook credentials. In this case, securing your strong password with Multi-Factor Authentication (MFA) would be the best way out. If you had MFA enabled for your Facebook account, the hackers could have your password, but they would not have access to your Facebook profile. They would also not be able to use the stolen credentials on web applications that have used Facebook for social login. Without the other MFA approval (e.g., Okta Verify), the hackers simply wouldn't be able to access your private accounts.
The major social login service providers do offer enhanced security features like multi-factor authentication and alerting when users log in from an unknown device or location. However, many of these options are not enabled by default, which essentially means your application may only be protected by a single username and password. With password reuse being a widespread phenomenon and security breaches being reported on a daily basis, this places your application at risk from sophisticated password attacks such as credential stuffing.
Okta’s cloud-based identity platform provides social login support that allows your users to sign in to your app using credentials from supported external social login providers. To enhance security, you can deploy Okta’s Adaptive Multi-Factor Authentication (Adaptive MFA) solution. Adaptive MFA provides a contextually-aware approach to authentication that takes into account the user’s context at the time of the login event. By using data such as the user’s device, location and network, Okta’s Adaptive MFA then either grants access, denies access, or prompts the user for a second authentication factor based on the risk rating of the login event.
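To make the grant / deny / prompt decision concrete, here is an added illustration of a contextual risk rating over a login event's device, location and network. It is example code written for this page, not Okta's implementation or policy; the signal weights, thresholds, network labels and the user history are all constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class Decision(Enum):
    GRANT = "grant"          # low risk: password alone is enough
    PROMPT_MFA = "prompt"    # medium risk: ask for a second factor
    DENY = "deny"            # high risk: refuse even with a valid password

@dataclass(frozen=True)
class LoginEvent:
    user: str
    device_id: str   # identifier the client presents (e.g. a device cookie)
    country: str     # derived from the source IP
    network: str     # constructed labels: "home_isp", "corp", "anon_proxy"

@dataclass
class UserHistory:  # context learned from the user's earlier successful logins
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    known_networks: set = field(default_factory=set)

def risk_score(event: LoginEvent, history: UserHistory) -> int:
    """Sum of risk signals; the weights are illustrative, not Okta's."""
    score = 0
    if event.device_id not in history.known_devices:
        score += 2
    if event.country not in history.known_countries:
        score += 2
    if event.network not in history.known_networks:
        score += 1
    if event.network == "anon_proxy":  # anonymizing network: strong signal
        score += 3
    return score

def decide(event: LoginEvent, history: UserHistory,
           prompt_at: int = 2, deny_at: int = 5) -> Decision:
    score = risk_score(event, history)
    if score >= deny_at:
        return Decision.DENY
    if score >= prompt_at:
        return Decision.PROMPT_MFA
    return Decision.GRANT

def record_success(event: LoginEvent, history: UserHistory) -> None:
    """Call only after the login fully succeeded, including any MFA step."""
    history.known_devices.add(event.device_id)
    history.known_countries.add(event.country)
    history.known_networks.add(event.network)

# Constructed sample: alice has only ever logged in from one laptop at home.
ALICE = UserHistory({"laptop-1"}, {"US"}, {"home_isp"})
```

In the stolen-credential scenario from the previous section, an attacker presenting alice's valid password from an unfamiliar device and country lands in the prompt band and cannot complete the second factor, while alice's everyday login from her known laptop is granted without friction.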
By deploying social login and strengthening it with best-in-class security solutions, you can give your users the ability to log in to your app with their social media accounts while ensuring that your environment remains secure.