Why use and keep track of a zillion discrete accounts when you can log into so many apps and websites using your Facebook or Google credentials, right? Not so fast. What’s the trade-off?
23 Oct 2023
“Continue with Google” – such a seamless way to sign up for and log into a website or app, especially since you likely are already logged into your Google account. All you need to do is tap or click the button and allow some of your personal data from your Google account to be shared with the third-party online service.
Since convenience is so often the name of the game these days, many sites let you log in using your Facebook, Google, Microsoft, LinkedIn, Apple or another account with a major tech company. There’s typically no shortage of options to choose from and satisfy all tastes.
Figure 1. Example of SSO options for logging in or creating an account
Figure 2. More SSO options
On the other hand, when you link your Google login with another service, you are authorizing Google to share your personal information in exchange for ease of access and convenience. How safe can that be?
To help you strike a balance between security and convenience, we’ve rounded up the pros and cons of using the consumer variety of an authentication method called Single Sign-On (SSO), commonly also known as social login, for your personal online accounts.
One login ruling them all!
First things first, what exactly is SSO? It is an authentication scheme that lets you sign up for and log into an organization’s services with an account you already hold elsewhere, giving that organization consented access to some of your personal information, instead of requiring you to register via a standalone form.
It’s little wonder that this practice is so common all over the internet:
Ease of registration and access. Instead of having to go through the hassle of filling out yet another form with your name, surname, phone number or email address, you can simply click on your preferred SSO option and share those (but possibly also other) details with the new app or website. [Importantly, your password is never shared with the website – instead, your identity is verified via an authentication token.]
User attraction and acquisition. Online services know only too well that the easier it is for you to sign up and sign in, the more likely you are to do it – and come back again.
No more password fatigue. Different websites have different password requirements; plus, we should use a unique username and password combination each time. But thanks to this implementation of SSO, setting up a strong password with just one of the big internet platforms can give you access to hundreds of other websites, vastly reducing the number of passwords you need to create and memorize.
Better prevention of self-inflicted account compromises (in some cases). As our lists of passwords become too extensive to remember, many people may keep track of their credentials on paper or in an Excel spreadsheet. But what if someone happens to get their hands on this password list? Having to remember only the password for your Google account and securing the account properly may reduce the need to create, and then depend on, a poorly protected list of passwords (for example, if password managers are not your thing).
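To make the mechanism behind the bracketed note above concrete, here is an added, constructed example (not code from the article or from any real provider) of a toy identity provider and a third-party site: the site never receives the password, only a signed token carrying the attributes the user consented to share, bound to that one site and with an expiry. It stands in for real social-login protocols such as OpenID Connect and uses a shared secret where real providers use public-key signatures; every name, key and user record is made up.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed toy identity provider (IdP) and relying party (RP). Names and
# values are invented for this example; real providers use public-key signatures.
IDP_SIGNING_KEY = b"constructed-idp-secret"   # shared with the RP at registration

# The IdP's user store. The password hash never leaves this dictionary.
IDP_USERS = {"alice@example.com": {"pw_hash": hashlib.sha256(b"correct horse battery").hexdigest(),
                                   "name": "Alice", "phone": "+1-555-0100"}}

def idp_issue_token(email, password, client_id, consented_claims):
    """Check the password at the IdP, then issue a signed token for one site."""
    user = IDP_USERS.get(email)
    if user is None:
        return None
    given = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(user["pw_hash"], given):
        return None
    payload = {"sub": email, "aud": client_id, "exp": int(time.time()) + 300}
    # Only the attributes the user consented to share are copied in; the
    # password hash is never a sharable attribute.
    payload.update({c: user[c] for c in consented_claims if c in user and c != "pw_hash"})
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig

def rp_verify_token(token, expected_aud, now=None):
    """The site never sees the password: it checks the IdP's signature, the
    audience (so a token issued for another site is rejected) and the expiry."""
    try:
        body, sig = token.split(".")
    except (ValueError, AttributeError):
        return None
    expected_sig = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected_sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body.encode()))
    if claims.get("aud") != expected_aud:
        return None
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims
```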
So, should you always use SSO?
The answer is clear: no, there are also some downsides. More specifically, while SSO delivers some serious user benefits, it opens you up to risks that may not reveal themselves until it’s too late. What are some of the implications?
All your eggs are in one basket. If your Facebook or Google credentials fall into the wrong hands, not only does this give the cybercriminals access to that one account of yours, but also to all other websites you’ve linked it to. Which brings us to the next point…
Guard your primary account “like your life depends on it”. A strong password – perhaps in the form of a passphrase consisting of a sentence that mixes uppercase and lowercase letters and numbers – can be key to protecting your accounts and personal details. If for some reason you don’t use a password manager, maybe consider choosing a passphrase in a format that allows you to add the website name to it – but without the whole string being too predictable.
Privacy concerns. When you link accounts, you are allowing your personal information to be passed on to the website — and, because of how easy this is to set up, you might be consenting to transfer more information than you might realize. And while Facebook, Google, Microsoft, or Apple let you check all your third-party connections, revoking access does not mean you are also revoking a website’s consent to use your data. Also, if, after “deleting connections”, you go to the same website again and use your preferred social login, you’ll be let in just as before — as if you’d never revoked access at all.
Figure 3. Revoking consent for Google to link your account with another website
User attraction and acquisition (and the implications for your digital footprint). True enough, we listed effective user acquisition as one of SSO’s advantages for apps and websites, but it can be a double-edged sword. If you end up registering for apps or websites you never really needed that badly, how long before you forget about them? To help counter that, make sure to keep track of all the websites you registered with and what personal information about you they keep – for example, your credit card information might be stored on a website you’ve used once and forgotten about. While this can happen regardless of how you log in, the frictionless nature of the “express” method may make you more prone to forgetting about all those apps or websites you once signed into with your Google or Facebook account.
So, to SSO or not to SSO?
When coupled with other safety and privacy measures, social logins can be a great time saver. But in the case of websites that keep your personal information such as your full name, address, bank details, or credit card numbers, it is safer and more secure to opt for a standalone account secured by a complex and unique passphrase, together with two-factor authentication (2FA).
In short, consider using SSO only if you:
enable – and we can’t stress this enough – two-factor authentication (2FA) on the primary account, as this will make it harder for anyone to impersonate you online,
trust the platform you’re using to access the other website – trust is a fickle thing, however, and you still need to take other precautions,
use payment services like PayPal or a virtual credit card as payment options for any website you accessed using SSO; this will help you avoid leaking your banking details,
use the settings in your primary account to keep track of all the websites you’ve linked it to.
Figure 4. Managing third-party apps and SSO authorizations on Google
Is there any other way?
Balancing easy access to all your online accounts with keeping them secure can be a challenge. Here are some ways to accomplish this other than via social logins:
One obvious alternative involves creating a standalone account for each service and using a password manager that can take the headache out of creating, managing and auto-filling your login credentials. Another option relies on a disposable email address, especially for websites you don’t really care that much about or don’t plan to use again. Additionally, some governments have come up with a unique citizen ID that gives people online access to services offered by some public and private organizations.
Whichever approach you choose, you’ll enjoy your online presence without too much hassle (or hustle) as long as you stick to general cyber-hygiene practices, including by avoiding giving away your credentials, using 2FA and staying aware of your full digital footprint.