Back

The risks of Social Login

les dangers du social login

You have seen it before, or even already used it to connect to a website, the social login seduces because of the simplification and time saving it provides to Internet users. This is a unique authentication form that allows users to connect to different sites or applications through identity providers, for example via their Facebook, Twitter, Google, Apple or LinkedIn accounts, to name just a few. Technically, behind the social login, there are identity federation technologies, which allow to use a third-party credentials repository to log into an application.

By connecting via your favorite social network to an application or website, your data will be shared, allowing you to avoid tedious registration forms and the multiplication of IDs/passwords. Then, from the moment you are connected to your social network, you will only need one click to access these third-party applications and websites. However, the information shared may not always be limited to your full name and e-mail address. The third-party website may potentially have access to certain information, which is usually not required for a traditional registration. But this is not the main problem with social login; after all, some people will say that if you enter this data on a social network, it is because it is not that confidential.

The real debate about social login is the close relationship between the social network that allows you to log in and the third-party application or website. The day a failure occurs on the social network, you will no longer be able to connect to your other accounts as long as the incident continues. If someone steals your social network credentials, they will have access to all these third-party applications and websites where confidential information may potentially be found. If this person changes your password or if your account is deleted, you will lose access to all applications to which you used to log in via the social login. Even if social networks have sophisticated and effective cybersecurity tools, the risk of massive hacking cannot be eliminated either, and you may only find out once the damage is done. Facebook users have already been confronted to such a situation.

In 2018, because of a security breach, hackers were able to access up to 50 million Facebook accounts [01] in order to steal access tokens allowing them to connect to other websites or applications via the social login mechanism. Social login has therefore become a real cybersecurity issue since, now that social networks have a global audience, a vulnerability on a social network with several million users can potentially compromise other hundreds of millions of accounts linked via social login.

However, the scope of social login is often limited to users connecting to their personal applications. Indeed, this login mode using social networks is still limited in companies, particularly because of the dissociation between personal identity and professional identity. In order to allow the employees of a company to connect to applications of the same company or to allow the employees of a client company (B2B) to access services from a service provider, traditional ID/password pairs are still the most commonly used. It is rather in a B2C context that social login can be used. Many companies have chosen to allow users to use this authentication method, such as Airbnb, Booking or Air France. They use this mechanism to allow their consumer customers to use their “social” credentials to access their online services. There is also the case of an employee from a company who uses a social login to log into the online site of his company’s mutual insurance organization, if it allows it: it is not the company that manages this security, it is the mutual insurance organization. This is an example of “social login” in a company.

When it comes to personal use, social login therefore appears as a practical and simple solution to use, no configuration is necessary. The mere fact of having an account on a social network is enough. However, you should be aware that like all IT solutions, social login involves risks. The problem is that in this specific case, risks can quickly spread to all third-party applications and sites linked to your account.

 

References

Facebook: a massive hack has compromised 50 million accounts

https://www.01net.com/actualites/facebook-un-hack-massif-a-compromis-au-moins-50-millions-de-comptes-1533364.html

 

Jocerand Leroy