There are many sites online that give you a choice to create an account using your existing login ID with Google, Facebook, or Apple instead of creating a new one.
This can be a tempting convenience because it means you have one less password to remember. Login is also automatic if you’re already logged into the other service.
The “Sign-in With…” process allows you to grant permission for another website or cloud service to use the login authentication of another site like Facebook or Google. When you choose this option, the login form that actually comes up is that of the authenticating site (Apple, Facebook, etc.). You then can skip creating a separate username and password on the new site.
When faced with this choice many users aren’t quite sure what’s the best thing to do – create a new account or use their existing FB, Google, or Apple account. Which one is more secure?
This is an important question for businesses as well because employees may have an existing company Gmail account that they use to log into another service. Using that login to access other sites can impact your business IT security.
While having fewer passwords to keep track of is an attractive thought, there are some serious security and access implications if you connect other online accounts using a “sign-in with” option.
Your Personal Data is Shared With Other Accounts
Authentication is not the only information that can be shared when you connect an account to your Facebook, Google, or Apple ID. For example, when you sign into Uber with Google, your Google Wallet can be shared to pay for rides.
Sites like Trip Advisor will look at your Facebook Friends list if you sign in using the app so it can show you places they may have visited. You may find that cool, but your friends and family may think it's an invasion of privacy.
Most users aren’t paying attention to the list of things that are going to be shared when they use the “sign-in with” option. So you could be sharing more information than you realize.
For companies, this can also pose a security risk because employees often use unauthorized cloud apps (aka shadow IT) for business data, and they may be using their company Google or Apple account to sign in to them.
You May Not Have Access During a Facebook, Apple, or Google Outage
In early October, Facebook and its other sites, Instagram and WhatsApp, had a major outage for nearly 6 hours due to an internal networking problem. During that time, any users that used a “sign in with Facebook” option on any of their accounts would not be able to access those accounts.
So one outage could mean you are locked out of multiple cloud accounts because the connected accounts can’t access the login authentication process from the site with the outage.
This is called a “single point of failure” in an IT workflow, and it’s something to be avoided if you want to maintain uptime and business continuity.
The Site May Have “Sign-in With” Credentials Revoked
Facebook, Google, Apple, and other sites that allow online service providers to use their login authentication process have certain requirements that those sites must meet.
If they decide to revoke the credentials of the site so it can no longer use the “sign-in with” process, you could end up being locked out of your account and have difficulty getting back in.
All Your Connected Accounts Can Be Hacked if One Credential is Compromised
One of the password security best practices is to have a unique login credential for every online account that you use. When you use Facebook or Google to log into another site, you’re breaking that golden security rule.
All a hacker would need to do is compromise your Facebook or Google account and they could easily gain access to any other accounts that you connected to their login authentication.
2 out of 5 people have had their identities hacked or passwords compromised due to duplicate or outdated passwords.
It wouldn’t be difficult for a hacker to find out what other sites they can compromise. All they need to do is go to your profile security settings and look for any connected websites, and they’ll have a list of other accounts they can breach.
Need Good User Authentication Solutions?
Are passwords getting out of control at your company? Do you worry about having a cloud account breached? ECN IT Solutions can help your Tucson area business with secure authentication solutions designed to keep you protected while also being user-friendly.
We’re here and ready to talk password security with you! Reach out at 520-335-7553 or through our website.
References linked to: