Is it safe to sign in with Google, Facebook, or Apple?
Signing in with Google, Apple, or Facebook accounts saves you from creating a new username and password set. Despite the convenience, single sign-on (SSO) can mean a single point of failure.
If you sign in to every service with a Google account, that account's protection must be correspondingly strong. A compromise of the Google account could have dire consequences, such as attackers gaining access to all linked profiles.
Additionally, using a Google or Facebook account to sign in only extends their reach into your digital life. Since Google tracks you online relentlessly, you might not wish to supply it with more information deliberately.
So, let’s see why choosing the good old-fashioned username-password combination might be better.
How does signing in with Google or Apple work?
When you sign up for apps or sites, you might notice different registration options. The usual route is providing profile information and an email address, and setting a password. Single sign-on instead uses tokens from the selected identity provider (IdP) to verify your identity.
The biggest threat of signing in with third-party services is a data breach at one of those companies: leaked data could then facilitate unauthorized logins.
In 2018, Facebook reported a breach involving 50 million accounts. According to researchers, the bugs responsible for the incident had enabled attackers to capture SSO tokens, so hackers could have gained access to accounts linked to Facebook.
Beyond breaches, people voice concerns over the privacy and data-sharing implications of single sign-on. For instance, services used for SSO get a clear view of where users spend time and their purchasing and browsing habits.
Such concerns and growing anxieties over big tech might have made SSO less popular. In fact, companies like Ford Motor, Twitch, Nike, and Best Buy have dropped Facebook from SSO options.
Why single sign-on triggers privacy issues
Single sign-on is a readily available option letting you escape the routine of creating another set of credentials. However, signing in with Google or Facebook only deepens your dependence on these services.
For instance, your Google account already encompasses details about your browsing habits, search queries, locations, viewed ads, and more. With SSO, it gets even more direct access to your activity on third-party apps/sites.
A study by LoginRadius suggests how prevalent signing in with Google is. In 2022, it was the preferred SSO option for North Americans (38.9% of users). Joining a service with a Facebook account had slightly lower popularity, at 38.7%. However, the number of users choosing Google has grown since 2019. At the same time, Facebook SSO dropped.
Despite some services and users discarding SSO, it is still available on many services, especially mobile games. Viewed from a privacy angle, this means companies like Google and Facebook gain new channels for tracking users.
Security and usage issues with single sign-on
Signing in with Google or other identity providers can complicate the login process. You might not receive relevant correspondence from services or struggle to regain access to lost accounts.
- Users might generate multiple accounts if they forget the prior SSO method they chose. While this does not pose a threat, it proves that SSO can be unnecessarily confusing.
- Companies might not integrate single sign-on properly into their services. Developers have emphasized that maintaining a healthy login system can be frustrating: you need to balance username-password and IdP authentication, and services will likely include multiple SSO providers (Google, Facebook, GitHub, Apple, Okta, Microsoft, etc.), all of which must work smoothly.
- Since services do not receive users’ email addresses, sending notifications or security alerts becomes difficult. Providers might need to alert you about various changes, but with single sign-on they might have limited options for contacting you. This drawback becomes dangerous if you do not receive warnings of data breaches.
- Data breaches can be either highly devastating or relatively harmless. A service you join via SSO does not hold your credentials, so if it suffers a breach, they will not be part of the leaked data. However, as seen with Facebook, a leak can expose the tokens used to authenticate you to other services.
- SSO is vulnerable to various hacking techniques. Pre-hijacking is one of them: it involves compromising accounts you will only create in the future.
- Account recovery is uncertain. It might be unclear whether you need assistance from the IdP or from the service, so the recovery process might be unnecessarily long, bouncing from one support team to another.
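To make the token mechanism described under "How does signing in with Google or Apple work?" and the token-leak risk in the list above concrete, here is an added Python example of the checks a relying party (the app or site you sign in to) should run on an identity provider's ID token before trusting it. This is illustrative code, not code from Atlas VPN or any identity provider. The issuer URL `https://idp.example`, the client ids `shop-app` and `game-app`, and the signing key are all constructed; real IdPs sign tokens with an asymmetric key and publish the public half, but an HMAC stand-in keeps the example self-contained and offline. The point it shows is why a captured token is less useful than it looks when the relying party verifies signature, issuer, audience and expiry: a token minted for another app, an expired token, or a token with edited claims is all rejected.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-in for the identity provider's signing key (assumption:
# a real IdP uses an asymmetric key; HMAC is used here only to run offline).
IDP_SIGNING_KEY = b"constructed-idp-signing-key"
IDP_ISSUER = "https://idp.example"  # hypothetical issuer URL


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(subject: str, audience: str, lifetime: int = 300,
                   now: Optional[int] = None) -> str:
    """Mint a token the way an IdP would after the user authenticates.
    `audience` is the client id of the one app the token is meant for."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime}
    signing_input = (f"{_b64url(json.dumps(header).encode())}."
                     f"{_b64url(json.dumps(claims).encode())}")
    sig = hmac.new(IDP_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_id_token(token: str, expected_audience: str,
                    now: Optional[int] = None) -> Optional[dict]:
    """Relying-party validation. Returns the claims if the token is
    acceptable for *this* app right now, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        # 1. Signature: proves the IdP, not someone else, produced the token.
        expected_sig = hmac.new(IDP_SIGNING_KEY,
                                f"{header_b64}.{claims_b64}".encode(),
                                hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:  # malformed base64, JSON, or wrong number of segments
        return None
    # 2. Issuer: the token must come from the IdP this app is configured for.
    if claims.get("iss") != IDP_ISSUER:
        return None
    # 3. Audience: a token minted for another app must not log anyone into ours.
    if claims.get("aud") != expected_audience:
        return None
    # 4. Expiry: a leaked token stops working once its short lifetime ends.
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def demo() -> dict:
    """Exercise the four failure modes with a fixed clock for reproducibility."""
    t0 = 1_700_000_000
    good = issue_id_token("user-123", "shop-app", now=t0)
    other_app = issue_id_token("user-123", "game-app", now=t0)
    # Forge claims (elevate the subject) while keeping the original signature.
    header_b64, _, sig_b64 = good.split(".")
    forged_claims = _b64url(json.dumps({"iss": IDP_ISSUER, "sub": "admin",
                                        "aud": "shop-app", "iat": t0,
                                        "exp": t0 + 300}).encode())
    tampered = f"{header_b64}.{forged_claims}.{sig_b64}"
    return {
        "valid": verify_id_token(good, "shop-app", now=t0 + 10) is not None,
        "wrong_audience": verify_id_token(other_app, "shop-app", now=t0 + 10) is None,
        "expired": verify_id_token(good, "shop-app", now=t0 + 600) is None,
        "tampered": verify_id_token(tampered, "shop-app", now=t0 + 10) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The audience check is the one most often skipped by hand-rolled integrations, and it is precisely the check that stops a token captured from one relying party being replayed against another. Short `exp` values limit the window in which a captured token is useful at all.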
Should you stop signing in with Google, Facebook and others?
Overall, single sign-on options pose multiple privacy and security risks; for instance, some experts consider SSO a single point of failure.
If an identity provider suffers a data breach, there is no guarantee that accounts linked to it will stay unaffected. Furthermore, single sign-on is susceptible to attacks that might not be feasible against the usual username-password combination.
On the other hand, signing in with a third-party provider is a healthier alternative to reusing passwords. But compared to a modern password manager, single sign-on can be the less safe route.
Create an account: a secure and convenient way
Account creation can seem like an insignificant step toward using a service. However, the decisions you make at this stage shape how secure that account will be. If you are unsure about single sign-on options, skip them.
Some services also adopt passwordless authentication, freeing you from creating new credentials. Atlas VPN has chosen to implement passwordless logins too: instead of passwords, we use magic links that let you access your account.
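As an added illustration of how a magic-link login generally works (this is example code, not Atlas VPN's implementation, and the `https://login.example/magic` endpoint and the 15-minute lifetime are assumptions), the Python below issues a link whose token is a 256-bit value from the OS random generator, stores only a hash of that token, and lets the link be redeemed exactly once before it expires. The in-memory dictionary stands in for a database table.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed in-memory store standing in for a database table. Only the
# hash of each link token is kept, so a leak of this store does not hand an
# attacker usable login links (the same reasoning as hashing passwords).
_pending_links: dict = {}

LINK_LIFETIME_SECONDS = 15 * 60  # assumption: links expire after 15 minutes


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_magic_link(email: str, now: Optional[int] = None) -> str:
    """Create a single-use login link for `email` and return the URL to e-mail.
    The raw token exists only inside the link; the store keeps its hash."""
    now = int(time.time()) if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _pending_links[_hash_token(token)] = {
        "email": email,
        "expires": now + LINK_LIFETIME_SECONDS,
        "used": False,
    }
    return f"https://login.example/magic?token={token}"  # hypothetical endpoint


def redeem_magic_link(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the e-mail address to sign in, or None if the link is unknown,
    expired, or has already been used."""
    now = int(time.time()) if now is None else now
    record = _pending_links.get(_hash_token(token))
    if record is None or record["used"] or record["expires"] <= now:
        return None
    # Burn the link so a copied or forwarded link cannot be replayed. A real
    # store would do this lookup-and-mark as one atomic update.
    record["used"] = True
    return record["email"]


def demo() -> dict:
    """Fixed clock: a link works once, then fails; stale and unknown links fail."""
    t0 = 1_700_000_000
    url = issue_magic_link("alice@example.com", now=t0)
    token = url.split("token=", 1)[1]
    first = redeem_magic_link(token, now=t0 + 60)
    second = redeem_magic_link(token, now=t0 + 61)
    stale_url = issue_magic_link("bob@example.com", now=t0)
    stale = redeem_magic_link(stale_url.split("token=", 1)[1],
                              now=t0 + LINK_LIFETIME_SECONDS + 1)
    forged = redeem_magic_link("not-a-real-token", now=t0)
    return {"first": first, "second": second, "stale": stale, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

The two properties that matter are the short lifetime and the single use: together they mean that a link sitting in an old e-mail, or one that was intercepted in transit, cannot be used later to sign in as you.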
If you do go for username-password login, follow these tips to create a secure profile every time:
- Create a unique password for each account. Password guidance suggests long combinations of random numbers, letters, and symbols, with no actual words that dictionary attacks could guess.
- Use a password manager to store all your credentials. Modern password managers make logins quick and convenient: you won’t need to remember every credential, since you have a secure place to store them.
- Activate multi-factor authentication whenever it is available. 2FA is a must for keeping your account safe even after a password leaks; it is one way to prepare for a data breach and protect your account.
- Manage your accounts with tools that track data breaches. Atlas VPN offers a Data Breach Monitor, a feature that scans the web to see whether details tied to your email address have been breached, so you can take action, like changing passwords, sooner.
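The first tip above (long, random, no dictionary words) is what a password manager's generator does for you. As an added Python example, not code from Atlas VPN or any password manager, the block below shows the same rule set implemented correctly: it draws from the operating system's cryptographic random source (`secrets`, never the `random` module), rejects candidates containing a word from a constructed mini wordlist, and reports how many bits of guessing work the result represents.

```python
import math
import secrets
import string

# 26 + 26 + 10 + 32 = 94 characters: letters, digits and symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a dictionary-attack wordlist; a real list used by
# cracking tools holds hundreds of thousands of entries.
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "qwerty"}


def contains_dictionary_word(candidate: str, words=COMMON_WORDS,
                             min_len: int = 4) -> bool:
    """True if any wordlist entry of at least `min_len` letters appears in
    the candidate, case-insensitively (so 'xDragon9!' is rejected)."""
    lowered = candidate.lower()
    return any(len(w) >= min_len and w in lowered for w in words)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of guessing work for a uniformly random password of this length:
    log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20) -> str:
    """Return a fresh random password with no dictionary word in it.
    Regeneration is rare with a 94-symbol alphabet but keeps the rule strict."""
    if length < 12:
        raise ValueError("assumption: 12 characters is the shortest acceptable length")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not contains_dictionary_word(candidate):
            return candidate


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(pw)):.1f} bits)")
```

Every call produces a different password, which is what "unique for each account" means in practice; the entropy figure (about 131 bits for 20 characters from this alphabet) is what makes such a password infeasible to guess even when the site's password database leaks.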