Social login

Last updated

Social login is a form of single sign-on using existing information from a social networking service such as Facebook, Twitter or Google, to login to a third party website instead of creating a new login account specifically for that website. It is designed to simplify logins for end users as well as provide more reliable demographic information to web developers. [1]

Contents

How social login works

Social login links accounts from one or more social networking services to a website, typically using either a plug-in or a widget. [2] By selecting the desired social networking service, the user simply uses his or her login for that service to sign on to the website. This, in turn, negates the need for the end user to remember login information for multiple electronic commerce and other websites while providing site owners with uniform demographic information as provided by the social networking service. Many sites which offer social login also offer more traditional online registration for those who either desire it or who do not have an account with a compatible social networking service (and therefore would be precluded from creating an account with the website).

Application

Social login can be implemented strictly as an authentication system using standards such as OpenID or SAML. For consumer websites that offer social functionality to users, social login is often implemented using the OAuth standard. OAuth is a secure authorization protocol which is commonly used in conjunction with authentication to grant 3rd party applications a "session token" allowing them to make API calls to providers on the user's behalf. Sites using the social login in this manner typically offer social features such as commenting, sharing, reactions and gamification.

While social login can be extended to corporate websites, [3] the majority of social networks and consumer-based identity providers allow self-asserted identities. For this reason, social login is generally not used for strict, highly secure applications such as those in banking or health.

Advantages of social login

Studies have shown that website registration forms are inefficient as many people provide false data, forget their login information for the site or simply decline to register in the first place. A study conducted in 2011 by Janrain and Blue Research found that 77 percent of consumers favored social login as a means of authentication over more traditional online registration methods. [4] Additional benefits:

Targeted Content
Web sites can obtain a profile and social graph data in order to target personalized content to the user. This includes information such as name, email, hometown, interests, activities, and friends. However, this can create issues for privacy, and result in a narrowing of the variety of views and options available on the internet.
Multiple Identities
Users can log into websites with multiple social identities allowing them to better control their online identity. [5]
Registration Data
Many websites use the profile data returned from social login instead of having users manually enter their PII (Personally Identifiable Information) into web forms. This can potentially speed up the registration or sign-up process.
Pre-validated Email
Identity providers who support email such as Google and Yahoo! can return the user's email address to the 3rd party website preventing the user from supplying a fabricated email address during the registration process.
Account linking
Because social login can be used for authentication, many websites allow legacy users to link pre-existing site account with their social login account without forcing re-registration.

Disadvantages of social login

Utilizing social login through platforms such as Facebook may unintentionally render third-party websites useless within certain libraries, schools, or workplaces which block social networking services for productivity reasons. It can also cause difficulties in countries with active censorship regimes, such as China and its "Golden Shield Project", where the third party website may not be actively censored, but is effectively blocked if a user's social login is blocked. [6]

There are several other risks that come with using social login tools. These logins are also a new frontier for fraud and account abuse as attackers use sophisticated means to hack these authentication mechanisms. [7] This can result in an unwanted increase in fraudulent account creations, or worse; attackers successfully stealing social media account credentials from legitimate users. One such way that social media accounts are exploited is when users are enticed to download malicious browser extensions that request read and write permissions on all websites. These users are not aware that later on, typically a week or so after being installed, the extensions will then download some background Javascript malware from its command and control site to run on the user's browser. From then on, these malware infected browsers can effectively be controlled remotely. These extensions will then wait until the user logs into a social media or another online account, and using those tokens or credentials will sign up for other online accounts without the rightful user's express permission.

Security

In March 2012, a research paper [8] reported an extensive study on the security of social login mechanisms. The authors found 8 serious logic flaws in high-profile ID providers and relying party websites, such as OpenID (including Google ID and PayPal Access), Facebook, Janrain, Freelancer, FarmVille, Sears.com, etc. Because the researchers informed ID providers and the third party websites that relied on the service prior to public announcement of the discovery of the flaws, the vulnerabilities were corrected, and there have been no security breaches reported. [9] This research concludes that the overall security quality of SSO deployments seems worrisome.

Moreover, social logins are often implemented in an insecure way. Users, in this case, have to trust every application which implemented this feature to handle their identifier confidentially. [10]

Furthermore, by placing reliance on an account which is operable on many websites, social login creates a single point of failure, thus considerably augmenting the damage that would be caused were the account to be hacked.

List of providers

Here is a list of services that provide social login features which they encourage other websites to use. Related are federated identity login providers.

See also

Related Research Articles

Authorization or authorisation is the function of specifying rights/privileges for accessing resources, which is related to general information security and computer security, and to IAM in particular. More formally, "to authorize" is to define an access policy during the configuration of systems and user accounts. For example, user accounts for human resources staff are typically configured with authorization for accessing employee records, and this policy gets formalized as access control rules in a computer system. Authorization must not be confused with access control. During usage, access control enforces the authorization policy by deciding whether access requests to resources from (authenticated) consumers shall be approved (granted) or disapproved (rejected). Resources include individual files or an item's data, computer programs, computer devices and functionality provided by computer applications. Examples of consumers are computer users, computer software and other hardware on the computer.

<span class="mw-page-title-main">Single sign-on</span> Authentication scheme

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single SSO ID to any of several related, yet independent, software systems.

<span class="mw-page-title-main">One-time password</span> Password that can only be used once

A one-time password (OTP), also known as a one-time PIN, one-time passcode, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid several shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has as well as something a person knows.

A federated identity in information technology is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.

<span class="mw-page-title-main">OpenID</span> Open and decentralized authentication protocol standard

OpenID is an open standard and decentralized authentication protocol promoted by the non-profit OpenID Foundation. It allows users to be authenticated by co-operating sites using a third-party identity provider (IDP) service, eliminating the need for webmasters to provide their own ad hoc login systems, and allowing users to log in to multiple unrelated websites without having to have a separate identity and password for each. Users create accounts by selecting an OpenID identity provider, and then use those accounts to sign on to any website that accepts OpenID authentication. Several large organizations either issue or accept OpenIDs on their websites.

A Google Account is a user account that is required for access, authentication and authorization to certain online Google services. It is also often used as single sign-on for third party services.

Password fatigue is the feeling experienced by many people who are required to remember an excessive number of passwords as part of their daily routine, such as to log in to a computer at work, undo a bicycle lock or conduct banking from an automated teller machine. The concept is also known as password chaos, or more broadly as identity chaos.

OAuth is an open standard for access delegation, commonly used as a way for internet users to grant websites or applications access to their information on other websites but without giving them the passwords. This mechanism is used by companies such as Amazon, Google, Meta Platforms, Microsoft, and Twitter to permit users to share information about their accounts with third-party applications or websites.

Google Friend Connect was a free social networking site, active from 2008 to 2012. Similar to Facebook Platform and MySpaceID, it allowed users to build a profile to share and update information through messaging, photographs and video content via third-party sites which acted as a host for profile sharing and social exchanges.

An identity provider is a system entity that creates, maintains, and manages identity information for principals and also provides authentication services to relying applications within a federation or distributed network. Identity providers offer user authentication as a service. Relying party applications, such as web applications, outsource the user authentication step to a trusted identity provider. Such a relying party application is said to be federated, that is, it consumes federated identity.

<span class="mw-page-title-main">Microsoft account</span> User account required for Microsoft-owned services

A Microsoft account or MSA is a single sign-on personal user account for Microsoft customers to log in to consumer Microsoft services, devices running on one of Microsoft's current operating systems, and Microsoft application software.

Mozilla Persona was a decentralized authentication system for the web, based on the open BrowserID protocol prototyped by Mozilla and standardized by IETF. It was launched in July 2011, but after failing to achieve traction, Mozilla announced in January 2016 plans to decommission the service by the end of the year.

Google APIs are application programming interfaces (APIs) developed by Google which allow communication with Google Services and their integration to other services. Examples of these include Search, Gmail, Translate or Google Maps. Third-party apps can use these APIs to take advantage of or extend the functionality of the existing services.

<span class="mw-page-title-main">SQRL</span> Draft open standard for identity verification

SQRL or Secure, Quick, Reliable Login is a draft open standard for secure website login and authentication. The software typically uses a link of the scheme sqrl:// or optionally a QR code, where a user identifies via a pseudonymous zero-knowledge proof rather than providing a user ID and password. This method is thought to be impervious to a brute-force password attack or data breach. It shifts the burden of security away from the party requesting the authentication and closer to the operating-system implementation of what is possible on the hardware, as well as to the user. SQRL was proposed by Steve Gibson of Gibson Research Corporation in October 2013 as a way to simplify the process of authentication without the risk of revelation of information about the transaction to a third party.

Rublon is a multi-factor authentication platform that offers an extra layer of security for users logging into networks, servers, endpoints, and desktop, cloud, web and mobile applications. Rublon MFA secures remote access and local logins using hardware and software authenticators, including the Rublon Authenticator mobile app, which holds the digital identity of the account owner. Numerous Rublon MFA connectors allow strong authentication to be implemented for all or selected users. Individually configurable security policies allow customizing Rublon MFA to suit the organization’s needs. Rublon's multi-factor authentication platform helps protect enterprise data and achieve regulatory compliance.

<span class="mw-page-title-main">Janrain</span> CIAM start-up based in Portland

Janrain, sometimes styled as JanRain, is a customer profile and identity management (CIAM) software provider based in Portland, Oregon, United States. It was established in 2002. Akamai acquired Janrain in January 2019.

Customeridentity and access management (CIAM) is a subset of the larger concept of identity access management (IAM) and is focused specifically on managing the identities of customers who need access to corporate websites, web portals and webshops. Instead of managing user accounts in every instance of a software application of a company, the identity is managed in a CIAM component, making reuse of the identity possible. The biggest differentiator between CIAM and regular (internal) IAM is that in CIAM the consumers of the service manage their own accounts and profile data.

Account verification is the process of verifying that a new or existing account is owned and operated by a specified real individual or organization. A number of websites, for example social media websites, offer account verification services. Verified accounts are often visually distinguished by check mark icons or badges next to the names of individuals or organizations.

Sign in with Apple is a single sign-on provider operated by Apple Inc., introduced on June 3, 2019, at Apple's 2019 Worldwide Developers Conference (WWDC) in iOS 13.

References

  1. Social Login: A Data Capture Game Changer(accessed 21 December 2011).
  2. Ngemera, Eusebius (2017-01-31). "Social Logins—what info you give away!". eusebius.tech. Retrieved 2017-05-06.
  3. "Integrate Social Networks with your Corporate Website with Social Sign On" - Altimeter Group, September 27, 2010
  4. Social Media Marketing: Social login or traditional website registration? MarketingSherpa, January 12, 2012
  5. "The Social Web's Big New Theme for 2011: Multiple Identities for Everyone" - AllThingsD, January 1, 2011
  6. Laurenson, Lydia (3 May 2014). "The Censorship Effect". TechCrunch. Retrieved 27 February 2015.
  7. Safruti, Ido (18 October 2017). "Simple Social Login for Users and Attackers". infosecurity. Retrieved 14 November 2017.
  8. Rui Wang; Shuo Chen & XiaoFeng Wang (May 2012). "Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services".
  9. "OpenID: Vulnerability report, Data confusion" - OpenID Foundation, March 14, 2012
  10. "Social Login Setups – The Good, the Bad and the Ugly" - CloudRail, August 2, 2016

Further reading

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.