Increasingly nowadays when you visit a website that requires you to create an account to use it, you are offered a range of options that may include ‘social logins’. Whereas in the past you would have had to create and remember a unique username and password for each site, you may now be offered the option to ‘log in with Facebook’ – or Google, or Twitter. What is this, why is it used, and how should you respond?
Well, there are two main reasons for a site to use social logins, and the first one is wholly positive – it’s actually more secure than creating a new account for each site, because it uses the existing login, but without providing full access to it. It’s as though you had a houseguest staying, and didn’t want to give them a full set of keys to your place but you had a side entrance with a separate lock – you give them just this key, which they collect from you each time, and then if they lost it or you wanted to lock them out later it’s much easier.
For example, last year a little app called Tweetgif got hacked, loads of accounts were compromised and it disappeared for a bit – bad news, but not as bad as it could have been. Tweetgif is used to post animated GIFs to your Twitter account, so it does require access to the account to do this – but rather than having to actually give your Twitter password to Tweetgif, it works via OAuth social login and instead you give the application specific access to your account, so that it can post on your behalf.
When you click the “Authorize” button, it creates an “access token” and an “access token secret”. These are like passwords, but they only allow Tweetgif to access your account and do the things you’ve specifically permitted it to do. If you change your mind about permitting this, you simply deauthorise the application from your Twitter account – if you decide to no longer use the service, or if as in this case the service gets hacked.
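As an added illustration (not part of the original article, and not Twitter's or Tweetgif's code), this small Python model shows an access token and token secret that work only for the permissions granted and stop working once the app is deauthorised. The `Provider` class, the `sign` helper and the permission names are hypothetical, and the signing is simplified from what real OAuth does.

```python
import hashlib
import hmac
import secrets


def sign(secret, action, body):
    """The app proves it holds the token secret without ever sending it."""
    message = f"{action}\n{body}".encode()
    return hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()


class Provider:
    """Toy model of the social network's side (constructed, not a real API)."""

    def __init__(self):
        self._grants = {}  # access token -> (user, secret, permitted actions)

    def authorize(self, user, permissions):
        """User clicks 'Authorize': mint a token pair limited to `permissions`."""
        token, secret = secrets.token_hex(16), secrets.token_hex(32)
        self._grants[token] = (user, secret, frozenset(permissions))
        return token, secret

    def revoke(self, token):
        """User deauthorises the app: the token pair stops working at once."""
        self._grants.pop(token, None)

    def handle(self, token, action, body, signature):
        """Accept a request only if the token is live, signed and in scope."""
        grant = self._grants.get(token)
        if grant is None:
            return "rejected: unknown or revoked token"
        user, secret, permissions = grant
        if not hmac.compare_digest(sign(secret, action, body), signature):
            return "rejected: bad signature"
        if action not in permissions:
            return "rejected: permission not granted"
        return f"ok: {action} as {user}"


def demo():
    """Constructed scenario: one user grants an app permission to post only."""
    site = Provider()
    token, secret = site.authorize("alice", {"post_tweet"})
    call = lambda action, body: site.handle(token, action, body, sign(secret, action, body))
    results = [call("post_tweet", "a gif"), call("read_dms", ""),
               site.handle(token, "post_tweet", "a gif", "forged")]
    site.revoke(token)  # e.g. after hearing that the app was hacked
    results.append(call("post_tweet", "a gif"))
    return results
```

Calling `demo()` returns the four outcomes in order: an allowed post, a refused action outside the granted permissions, a refused forged request, and a refused post after revocation.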
Similarly, if you read this article on www.costaconnected.com, one of the options to comment on it is using your Facebook login – if you are already logged into Facebook, the comment box will be pre-populated with your thumbnail and all you have to do is type your remark about what a brilliant article it is. The purpose of this social login is simply to make it as frictionless as possible to interact – no passwords, captchas or forms to fill in.
The thing with social logins, though, is that you have to be a bit careful what permissions you are granting, and think hard about whether you want to allow them in order to do what you want to do. For example, the Dietbet Challenge that the Costaconnected team is now successfully completing as I write this (don’t you wish you had joined us?) had an option for social logins at dietbet.com. I used my Facebook login as it then automatically grabbed my profile pic and other things, but did I want the application sharing my every weigh-in with my Facebook friends? Er, no way! So, I had to modify the permissions the app requested – if it insisted on posting to my Timeline, I could at least set it to make those posts visible to me only, rather than friends or public.
When social logins to some media services were introduced with the Facebook Timeline launch, a lot of services required you to connect your account to use them and enable ‘frictionless sharing’ – but a lot of apps such as The Guardian have now removed this requirement because the feedback was not positive. Perhaps if I am listening to a track on Spotify I don’t mind sharing that with the world at large (if they are remotely interested), but I don’t feel any need to share details of every article read. And what happened was, people clicked on a link to read an interesting newsworthy article featured in their newsfeed or that a friend had read, and had to grant the app sharing permission before they could see it. Then at the end of that article they saw another one titled ‘How to Cope if your Sexual Organs are Tiny’ and clicked on it out of medical curiosity – at which point Facebook broadcast to the world “(name) is reading ‘How to Cope…’” etc – not so good.
So, from a security point of view, social logins are great. From a social point of view, just be careful – mostly it’s fine, but just stay in control of what permissions you grant where. Often they are not even all necessary for what you want to do with the site or application, so just have a good read through and explore the options before hitting that ‘Authorize!’ button.
Published in Costa Blanca News, 8th March 2013