When you're considering creating a new account for a website, chances are you'll be given an option to use your existing Facebook, Google or other account as a sign-in. This method is commonly known as single sign-on (SSO). Facebook and Google connectivity are the most common offers but some services add Apple, Twitter and LinkedIn accounts as well.
The question is, should you use one of those existing accounts to log in to this new website, or go to the trouble of creating a new account with your email address?
The single sign-on method can get you signed up for a new service really quickly. However, it does give you less control over what information is shared when the account is activated. Your social media credentials will likely share things like your email address, name, and profile photo to the app, and it may be able to access more personal details like your birthdate and phone number. What does or doesn't get shared ultimately comes down to the policies of both the preexisting account, and the one being signed up for. The app should also provide text making clear what is shared during the signup process.
To iron out all the details, we've enlisted the help of cybersecurity experts Paul Bischoff and Dan Fritcher to give insight on how this SSO technology works. We'll also outline how Google, Facebook, Apple, and Twitter handle third parties accessing your data through them.
The Pros of Single Sign-On
The main selling point of SSO is simply saved time and convenience. It skips the lengthy registration process of filling out forms and fields, since that information can likely be pulled from your social media account. It also cuts down on the hassle that comes with keeping track of usernames and passwords, and which ones match up with which. After the umpteenth account registration, that can seem like a nearly impossible task. Your preexisting account acts as a key that can be used to access a wide variety of services. While the third party is able to collect data from this transaction, they will not be able to see your social media password.
"Overall, signing up with a social login isn't necessarily more or less secure than just signing up with an email and password," says Paul Bischoff, privacy specialist for Comparitech, via email. "Smaller apps and websites probably have less security than big social networks, so foregoing handing over a password and email address in favor of a social login could be a safer option. That being said, developers have been known to abuse social login data as well (see: Cambridge Analytica)."
Some apps can also use a linked account to import useful files. For instance, Dropbox allows photos to be directly imported from Facebook to cloud storage. Productivity suites like Zoom and Slack can also be synced with Google calendar. However, you don't necessarily have to use single sign-on to take advantage of these functions.
The Cons of Single Sign-On
The disadvantages of SSO all come down to personal preferences and security. This method limits the choice of what gets shared during registration. As mentioned earlier, the app may be allowed to scrape names, photos and contact info, although you may have entered many of those things during signup, regardless of which method you use. In some cases, the new app gains access to more personal info like your age, location or interests. These details then may be used to serve you personalized ads, or sold to data collection companies.
"Using a social login creates a network of sites that hold a shared identifier on you. That identifier can be used to create a shared advertising profile based on your activity on each of the sites," emails Dan Fritcher, chief technology officer of Sysfi cloud services. "Over time, that profile grows larger and larger. For most people, it won't matter much, but the risk is we have no idea what it will be used for in the future."
SSO may also present more cybersecurity risks than regular registration. If a hacker is able to get hold of your social media login through phishing or a password leak, then they could also have free reign over other accounts you registered using that info. The account may also be locked, blocking access to sites that used single sign-on. Furthermore, If Facebook or Google experiences a service outage, that can temporarily crash that service's SSO function across the board.
With that said, here's a look at the data sharing policies of the companies most likely to offer SSO.
Facebook's Data Sharing Policy
Like other services, Facebook will provide your name, email address, and profile photo when a single sign-on is initiated. However, Facebook can also give the third party access to information it labels under the "public profile" umbrella. This essentially covers anything that is made available on your profile page, including more personal details like your age, gender, birthdate, relationship status, family details, hobbies and devices used. It may even serve up things such as your hometown, work and education history, religion and political leanings.
The data that Facebook collects is extensive, and it's more than willing to share that data with third parties, as recent scandals and lawsuits have shown. However, some of this info can be flagged as non-public using Facebook's privacy options.
At a minimum, Google will share your name, email address and profile photo with the third party during single sign-on. Some apps may also attempt to retrieve files, photos, messages, or calendar events stored on your Google Drive. However, they will have to specifically request those permissions to be granted access.
Apps registered through Twitter will be granted read access, which includes screen name, profile photo, bio, general location, preferred language and time zone. The app can also see all your tweet analytics, as well as follower, mute and block lists. On the other hand, Twitter does not share your email address during sign-on, unless specifically requested.
Apple's SSO process is unique compared to others. When the registry is initiated, name and email are shared with the third-party app. However, users have the option of editing their name before it's sent. They can also choose to hide their email address, at which point Apple will generate a dummy address which automatically forwards back to your account. Forwarding can also be turned off in the future to prevent spam, if needed. Two factor authentication is also a requirement to sign in with Apple. The company says it doesn't collect any data about your interaction with the app.
What to Do About SSO
If you plan on using single sign-on, be aware what info gets carried over. If you are offered a choice of companies, go with the service that will share the least amount of data. Based on what information is shared, and what users have control over, Apple appears to be one of the best services to use when it comes to SSO. You can create an Apple account even if you don't have any Apple devices.
Or you could opt for Twitter as Bischoff prefers. "Compared to other networks where I store a lot of private information and data, almost everything related to my Twitter account is public, so there's not much more data an app can glean from you logging in with Twitter," he says. However, not every app will have every sign-on option available.
You should also beef up your social media security by enabling two factor authentication, which generates a temporary passcode to be sent to your personal email or phone number. This is one of the quickest and most effective methods to prevent unwanted online access, and it will have the added benefit of protecting your single sign-on accounts as well. The most secure practice is to create unique passwords for every service you use, and an encrypted password manager will be useful in keeping track of all of them.