It’s time for brands to reconsider social login
After large-scale data exposures at Facebook and Google, people are recommending that users stop using their social profiles to log in to other websites. What does that mean for the companies offering social login to their customers?
Social login is in the news, and not in a good way.
Two high-profile security breaches affected social login, which lets people access third-party sites with their existing social profile, rather than creating a new username and password.
First Facebook announced a security breach that affected at least 50 million users, although it could be many more. Not even Facebook knows how extensive the access was. We do know that the impact of the breach was amplified because of social login. If people used their Facebook profile to log in to sites like Tinder or Expedia, their accounts on those sites were also vulnerable.
Then Google admitted that data from up to 500,000 Google+ users was exposed because of a security bug that Google failed to report for months. Third-party apps that got permission to access a user’s public profile data could also get non-public data from the user and their friends.
TechCrunch reported that “users’ full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status were potentially exposed.”
People’s trust in social login and third-party access has taken a big hit.
Farhad Manjoo, technology columnist at the New York Times, came right out and said, “I’m going to quit using Facebook to log in to apps and sites online. You should, too.”
Security expert Troy Hunt, creator of the free Have I Been Pwned? Breach notification website, says, “the Facebook breach is a warning sign for anyone who might use consumer single sign-on services offered by Facebook, Google, Twitter and other providers.”
The message to consumers is clear: stop using social login.
But what is the message to businesses? What is the message to CIOs and product managers who provide social login as an option for their users?
Should you keep offering social login as a way to access your digital services?
Many companies have social login via Facebook, Google, Twitter, LinkedIn, or other providers. If your company is one of them, what should you do to secure your customer data and maintain public trust?
As the CEO of LoginRadius, I can answer these questions. We have experience facilitating social login for thousands of companies and hundreds of millions of customers over six years. And we understand the need to balance competing priorities for customer experience, security, and marketing insights.
Social login has security risks that can’t be ignored
When a social network has a data breach, all third-party websites and apps that use it for social login are vulnerable to illegitimate access. For example:
- If a hacker gets access to a Facebook account by cracking a weak password or by phishing, that hacker could break into any account the Facebook user has accessed with Facebook Login, such as Spotify or Tinder.
- If a Facebook user’s phone is stolen and unlocked but they are still logged in to Facebook on their laptop or tablet, any of their apps that use Facebook Login can be accessed from the stolen phone.
- Advanced security features such as multi-factor authentication and risk-based authentication, while offered by social providers, are usually optional and not enabled by default, so many users don’t take advantage of them.
And security risks lead to privacy risks
Consumers were already worried about social login because of the data sharing. Those concerns are multiplied when the data is vulnerable to being stolen and shared in unauthorized ways.
People are shocked when they learn what kind of data that could be exposed — things like voting history, GPS coordinates of one’s home, friends’ names and phone numbers, passport information, and private dating messages.
Privacy regulations such as GDPR are still in the early days of enforcement, so it’s not yet clear how much third-party companies will be liable for privacy breaches that result from social login hacks. Given the potential financial and reputational cost of such privacy breaches, companies need to take a hard look at protecting themselves and their customers.
There is still a business case for social login
Many users still prefer to sign up and log in using their social accounts. For companies, social login is an attractive way to engage new customers quickly and increase conversion rates.
But using social login for everything could be the riskiest way to use it. Everything means that customers register and log in for all activity using their social account. Unfortunately, this implementation is also the most typical.
Businesses can continue to offer social login safely if they have additional layers of security to protect customer accounts and boost customer trust in the brand.
Download Social Login Reconsidered, a LoginRadius assessment of the security and privacy angle
If you’re a business using social login, you should make it more secure
With a customer identity and access management solution (CIAM) like LoginRadius, there are a number of ways to implement social login more securely.
For example, you can allow social login for low-risk activity only.
In this use case, social login is used for registration and authentication, and the CIAM allows the customer to perform low-risk activities. Reading content, commenting, and viewing account information are typical low-risk activities.
However, if a customer wants to perform high-risk activities, as defined by the business, the CIAM requires them to go through multi-factor authentication to provide additional verification of their identity. Changing account information and purchasing items or processing payments are considered high-risk activities.
Even if a hacker gains access to a customer’s social account, they will not be able to perform high-risk activities if they don’t have access to the customer’s phone or email account for multi-factor authentication.
Our white paper, Social Login Reconsidered, describes three more use cases that preserve the simple customer experience of social login while also giving stronger protection that eliminates the security risk and minimizes privacy risk if a customer’s social account is breached.
The right use case for your business depends on the business model, the target audience, and the level of risk for customer accounts.
Until now, the market has mainly talked about the advantages of social login but hasn’t been as vocal about the risks. LoginRadius is taking a leadership role in advocating for social login practices that protect businesses and their customers better.