In this post we’ll talk about the problems that can arise when you sign on to services using a social login from another account.
What is a social login?
A social login is a form of single sign-on in which you use existing information from a social networking service such as Facebook, Twitter, or Google to sign into a third-party website instead of creating a new login account specifically for that website. This is designed to simplify the login and account creation process for you, the end user. This is also beneficial for the developers of the new platform or tool, as they get better (more complete) information about you. Doug Belshaw talks a bit about the use and benefits from the developer side in this post.
You probably have already signed on to a new service in the past using social login, but haven’t thought about it up to this point. As you go to a service and prepare to create a new account, you’re greeted by a graphic like the one below. Instead of going through the tedious procedure of entering your email address, and then a new password…and confirming that password…you’re greeted by the eye-catching buttons for services you already use and trust.
After you click on that social login button, you are directed to Facebook, Google, or your choice of options, and quickly click through the permissions dialogue that hands over some of your information to the new service. You are also giving the service that you trust (Facebook, Google, Twitter) more information about you by linking it to this new service you signed up for.
Now, when you go to the new service, you can log in with your email and password, but before that, the website offers you those shiny buttons again for social login. If this is how you created your new account, you’ll of course click on those buttons and pass on through. Once again, as you click through, your social networks and accounts are getting more information about you, and tracking your online habits. You’re also handing over data and insight into your habits as you save time in not having to create a new account.
Social login privacy & security concerns
There are several concerns that you should have as you use social logins for new accounts. Yes, you are saving some time and hassle by trusting one service and connecting it with another. But, some of the privacy or security concerns come into play as you’re trusting one site with personal or private information that you gave to another site. For example, think about how much information a site like Facebook may have about you. You may have given Facebook your address, phone number, and the addresses or phone numbers you’ve previously had. Facebook most likely has photos of you in and out of all of these addresses. If a website like Facebook has all of this info about you, would you trust them sharing it with this new service you’d like to test?
Social login is convenient for users, but it is not considered a secure type of authentication and should never be used for any site that has sensitive information associated with it. The method also has implications for user privacy, because people typically share personal information on social networks that may not be appropriate for other sites.
Another concern is that we frequently use social login to quickly create an account to play a game, use an app, or test out a service. We may forget that we gave these permissions to play with an app or game. Days, weeks, and years go by and this service still has that pipeline of info over to your trusted web service or platform.
What does this look like in the real world?
It might not seem like that big of a deal to use your Facebook account to sign in to play with that new version of Candy Crush, only to get bored and never play it again. But let’s take a look at some of the real-world effects of using social login and leaving it alone.
Social login gives developers access to much more information about you, and your browsing or purchasing habits. Developers can connect the dots across your demographic, specific interests and personal circumstances. Basically, it allows them to personalize your user experience. What this means for you is ads. The good news is that you’ll get better ads, because the digital signals will suggest that you’re interested in new products, services, and spaces. If you get creeped out by ads that follow you around online while you search, this is one of the first places to look.
A far more pressing concern is that many of these services will post messages to your social network feed about products and services you may like. I see this a lot in my Facebook feed where a post will pop up suggesting that one of my friends loves playing Clash of Clans, and they think I should play now. I also see a lot of this where an ad will pop into my Facebook feed for a new product or service, and within the ad, will be a picture of a friend of mine, and the ad will indicate that “Sharon LaChance loves writing on WordPress.” This is most likely an instance where Sharon (a pseudonym) used social login to sign in to WordPress, and Facebook is connecting the dots and selling/using this info in ads targeted to me. I generally find this a bit creepy, especially when services pull in people’s photos, and use their names.
Remove unused social login access
As you review and clean up your digital hygiene, it’s a good idea to also review the places where you’ve given social login access, and revoke access for things you no longer use.
Keep in mind that social login links your Twitter, Google or Facebook account up to third-party apps so they can access things like your calendar, contacts, or other info. Most of us forget about services we’ve signed up for and stop using. The services haven’t forgotten, however, and may still be accessing your data regularly, which is a problem if they ever get hacked, sold to nefarious companies, or just start doing sketchy stuff.
That’s why you should regularly review and remove unused social login access to third-party apps and services. To revoke access, you need to visit each of the accounts you’ve given access from, scroll through the list of connected apps, and remove the ones you’re no longer using. This keeps them from accessing your data. As an example, if you used Facebook to sign in to WordPress, as in the example above with Sharon, you would go to Facebook and revoke the access given to WordPress.
This post from How To Geek gives you granular advice on how to quickly click through and revoke access to third parties for different apps. Please take the time to click through and review your social logins for each site. I followed through while writing up this post…and I was a bit unnerved at some of the services I found.
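Social login is commonly built on OAuth 2.0, where the link that opens the permissions dialogue names what the app is asking for in a `scope` parameter. The sketch below is an added example, not part of the original post: it reads such a link and separates plain sign-in scopes from ones that reach data such as calendar or contacts. The links, hosts and app names are constructed, the scope names are modelled on ones Google and Facebook use, and the choice of which scopes count as sign-in only is an assumption.

```javascript
// Added example: list the permissions a social login link asks for.
// Assumption: the consent link carries an OAuth 2.0 style "scope" parameter.

// Assumed baseline: scopes that only identify you (name, email, profile).
const IDENTITY_SCOPES = new Set(["openid", "email", "profile", "public_profile"]);

function requestedScopes(consentUrl) {
  const raw = new URL(consentUrl).searchParams.get("scope") || "";
  // Providers separate scopes with spaces or commas; accept both.
  return raw.split(/[\s,]+/).filter(Boolean);
}

function reviewConsent(consentUrl) {
  const url = new URL(consentUrl);
  const scopes = requestedScopes(consentUrl);
  return {
    provider: url.hostname,
    app: url.searchParams.get("client_id"),
    // No scope listed means the provider's defaults apply: check its dialogue.
    scopeMissing: scopes.length === 0,
    identity: scopes.filter((s) => IDENTITY_SCOPES.has(s)),
    // Anything beyond sign-in, e.g. calendar, contacts, photos, friends.
    extra: scopes.filter((s) => !IDENTITY_SCOPES.has(s)),
  };
}

// Constructed sample links (hypothetical hosts and client_id values).
const SAMPLE_LINKS = [
  "https://accounts.example.com/authorize?client_id=notes-app&response_type=code" +
    "&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.readonly" +
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly",
  "https://login.example.net/dialog?client_id=puzzle-game" +
    "&scope=public_profile,email,user_friends,user_photos",
  "https://accounts.example.com/authorize?client_id=blog-tool&scope=openid+profile",
];

for (const link of SAMPLE_LINKS) {
  const r = reviewConsent(link);
  const verdict = r.extra.length
    ? "asks for more than sign-in: " + r.extra.join(", ")
    : "sign-in details only";
  console.log(`${r.app} via ${r.provider}: ${verdict}`);
}
```

The same `extra` list is what to look for on each provider’s connected-apps page when deciding which grants to revoke.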
Making social safer
Spend a little bit of time each year reviewing the sites, apps, and spaces you connect using social login. You can quickly compromise yourself when you save the time and hassle of creating an account by giving third-party access instead.
The first step in this is recognizing what is happening when you use these social logins. The second step in the process is understanding how to review, and possibly revoke these permissions.
Take the time during the year to regularly remain informed about your digital hygiene and the ways in which you protect yourself online.
Also published on Medium.