The end of logging in with a social network
You weren’t alone if you had trouble logging into Spotify, TikTok, or Tinder on Wednesday evening. As reported by The Verge, a backend configuration change on Facebook servers broke a widely used software development kit (SDK).
Developers of these popular apps — and many others — use the Facebook-built SDK to enable account creation and login rather than creating an account using an email address and password. Using a platform account such as Facebook, Twitter, or Google to create an account is referred to as federated login.
While it sounds familiar to enterprise single sign-on (SSO), it differs in account security and management. Single sign-on allows IT managers to restrict application and resource access at the account and group level. Federated login is a consumer-focused system that makes it easier for end users to onboard onto new services or applications.
The initial advantages that federated login delivered were speeding up the sign up time and reducing the number of passwords end users needed to remember (or write down on a sticky note next to their laptop).
The end of federated login
The risks of using federated login have now eclipsed the benefits. If an end user’s social media account is compromised, it could potentially allow a bad actor to access all the apps and services associated with that login.
Beyond that, if an end user decided to close or delete a social media account, it could break their ability to login into your app or service.
Password managers such as LastPass and 1Password have made federated login unnecessary. They provide the same benefit of password reduction that federated login provides, but without the risk of data theft and SDKs breaking functionality.
Password managers also provide browser and OS plugins that enable the quick addition of login credentials. There is no practical difference in speed when it comes to account creation using federated login versus a password manager.
Building secure solutions
Any application or service is only as stable as its weakest link. In 2016, a developer deleted a NPM module and inadvertently broke thousands of projects across the internet. One of the deleted modules included a simple function that pads out the left hand-side of strings with zeros or spaces.
At BitBakery, we work with our clients to build solutions that are not only secure, but future-proof against SDK and shared library changes. We wrote about this back in October, 2019 when Google removed the fingerprint scanner from the Pixel 4. The lack of a working facial recognition API in Android meant that end users couldn’t securely login to their financial apps. Our team constantly monitors trends and issues for our clients to make sure they’re delivering consistent, amazing experiences to their customers.
Originally published at https://blog.bitbakery.co on May 11, 2020.