
Many sites make it easy to login by using a Facebook application. It's easy, but is this really safe?

I've noticed recently that a number of websites allow you to login using another web service instead of directly from that web page. For example, my son couldn't remember his password at PhoneZoo, but it had an option to login from his Facebook page. He pressed the button, logged into Facebook, and he was also logged into PhoneZoo.

Can you explain a little bit about what's going on here and whether this means there is an increased security risk? If someone gets into his Facebook account, I would assume they could also get into his PhoneZoo account or any other website providing this access. Is this a trend and is there any way to avoid it?

In this excerpt from Answercast #27, I look at some of the risks involved in logging into other services using Facebook; it might not be what you think!

Log in with Facebook

It's definitely a trend and I will say that my tendency is to avoid it. The risk you run is exactly what you've just described: if someone gets access to your Facebook account, they now have access to all of the other accounts with which you've used Facebook as the login technique.

Most of those sites that provide Facebook as an alternative login do just that.

It's an alternative login

You can usually still create an account that is unique to that site. So for example, at PhoneZoo, you can log in to just PhoneZoo with a login that is completely unrelated to Facebook. It means having a separate login for everything (which I prefer), because it means that these services are more isolated from one another.

You are not subject to this service being cracked, then suddenly allowing access to the others.

Login information

Now to be fair, that particular risk (a third-party site being cracked and thereby exposing your other accounts) is actually not the case in most situations.

When you use Facebook to login to a third-party site, that site does not get your Facebook password. They simply ask Facebook, "Let this guy login; let me know when he's logged in; and then give me some kind of a token that lets me refer to this person." They do not actually get your Facebook login or your password. They may get the email address that you use, but not the password.

So those sites being hacked isn't so much an issue... as your Facebook account itself being hacked.

Multiple logins

As I said, it does seem to be a trend; and it does seem to be a trend that some people find very comfortable.

The reason that this is an interesting thing to understand is that it is exactly the opposite of what I'm looking for.

A lot of people don't want to have multiple logins to multiple accounts. I mean, let's face it; it's a hassle to manage all those usernames and passwords. If instead you use Facebook to login once, and then have Facebook manage what you can do on these other sites, you've basically reduced what you have to keep track of yourself all the time.

Log into Facebook and you're automatically logged into all these other sites and it's great in that sense.

Manage accounts through Facebook

The good news is that in Facebook Account Management, you can disable each account one by one.

So for example, you've logged into PhoneZoo using Facebook. Five months from now, you decide you don't want to have that association anymore: you don't want Facebook to be the login, the credential manager for your access to PhoneZoo. You can go into Facebook in your User Account and turn off that permission for PhoneZoo specifically.

Separate accounts

Finally, one thing I do want to point out: if you have an account on a service (like PhoneZoo) that is specific to that service (such as the one your son couldn't remember) and you then login using Facebook, you have set up a separate account; the two are not related.

There's no way for PhoneZoo (or any of these services) to associate an existing account that they have setup with a Facebook account that you then use to login later.

Anything you have associated with that account (the one you originally set up, like the one to which your son lost his password) is effectively lost. The old information is still associated with that old account... but if he can't log in to it, he can't get at it.

The Facebook-linked account is a brand new account that he has now set up from scratch, once he has given PhoneZoo permission to log him in using his Facebook credentials.
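As an added illustration (not code from Ask Leo! or from Facebook), here is a deliberately simplified Python model of what this article describes: the identity provider keeps the password and hands the site only a token it can redeem for a user id and email, the user can turn off one site's permission without affecting any other, and a provider-linked account at the site is a separate account from a pre-existing local login. The site names, user records and token format are constructed for the example; the real Facebook flow uses OAuth redirects and is more involved.

```python
import hashlib
import hmac
import secrets

def _h(password):
    return hashlib.sha256(password.encode()).hexdigest()  # toy hash for the constructed sample

class IdentityProvider:
    """Stands in for Facebook: keeps the password, issues tokens, tracks per-site permission."""
    def __init__(self):
        self._users = {"alice@example.com": ("fb-1001", _h("correct horse"))}  # constructed user
        self._tokens = {}     # token -> (user id, site it was issued for)
        self._grants = set()  # (user id, site) pairs the user has approved

    def login(self, email, password, site):
        """Password is typed on the provider's own page; only a token goes back to the site."""
        uid, stored = self._users.get(email, (None, ""))
        if uid is None or not hmac.compare_digest(stored, _h(password)):
            return None
        self._grants.add((uid, site))
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (uid, site)
        return token

    def resolve(self, token, site):
        """The site redeems its token and gets a user id plus email, never the password."""
        uid, issued_for = self._tokens.get(token, (None, None))
        if uid is None or issued_for != site or (uid, site) not in self._grants:
            return None
        email = next(e for e, (u, _) in self._users.items() if u == uid)
        return {"user_id": uid, "email": email}

    def revoke(self, email, site):
        """'Turn off that permission' for one site without touching any other."""
        self._grants.discard((self._users[email][0], site))

class RelyingParty:
    """Stands in for PhoneZoo: its own local logins plus provider-linked accounts."""
    def __init__(self, name, idp):
        self.name, self.idp = name, idp
        self.local = {"alice_old": _h("forgotten")}  # constructed pre-existing site login
        self.linked = {}  # provider user id -> profile made on first provider login

    def login_with_provider(self, token):
        info = self.idp.resolve(token, self.name)
        if info is None:
            return None
        # Keyed by the provider's id: a brand-new account, unrelated to 'alice_old'.
        return self.linked.setdefault(info["user_id"], {"email": info["email"]})
```

Note that a token minted for one site cannot be redeemed by another, and that once the permission is revoked even a previously valid token stops working.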

Article C5481 - June 17, 2012

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


5 Comments
Greg Bulmash
June 17, 2012 7:42 PM

"There's no way for PhoneZoo (or any of these services) to associate an existing account that they have setup with a Facebook account that you then use to login later."

Many sites will let you tie your Facebook login and your unique site login together if you create separate accounts for each.

Veronica
July 8, 2012 5:57 AM

If you choose to login to a site via Facebook, does that create any kind of tie between your Facebook account and that site? I'm envisioning something like this:

- I log into skeevysite.com with my Facebook account
- A Facebook friend of mine also logs into skeevysite
- My Facebook friend sees my Facebook account profile listed on skeevysite's page, under "Friends Of Yours Are Also Members of Skeevysite!"
- Or, skeevysite posts to its Facebook account, "Veronica has just joined Skeevysite."
- Or, skeevysite posts to my Facebook page, "Veronica, we're so glad you've joined Skeevysite!"

(Not that I actually do anything scandalous on the internet...I'm just a privacy-minded person.)

Charles Choong
October 28, 2012 4:39 PM

I think it's a major breach of security to even ask for your Facebook log-in information on a 3rd party website. Asking for your Hotmail, Yahoo etc. information is the same deal.

Like the author stated, although a pain, create a separate username/password for each and every website you wish to be a member of.

The security risk is likely greater than you can possibly imagine if you start freely giving away info. to 3rd party sites. Don't do it.

Mark J
November 9, 2012 10:04 AM

I know the Facebook login is legitimate and I've used it on a few sites that I know and trust, but sometimes there's a site I don't know so well. There's a chance that they could offer you to log on through Facebook and send you to a phishing web site which looks like Facebook and steal your Facebook login.

John Servis
November 16, 2012 9:41 PM

I don't use the system mentioned to log on to any other site through F.B., but I do know that many times I've searched online parts sites for electronics and whatnot and it'll come up with a message or page that states "Like this such & such site? Click like to link this site with your F.B. account and let your friends know you like our site" etc... which in turn links your F.B. to the site you're shopping/searching/etc... and posts a message on your wall, now timeline or whatever, that you "like" such & such site and linked it to your F.B. account, and asks your friends if they want to visit said site to click "like", blah, blah, blah.
Quite the involved nuisance if you ask me.
I keep everything separate & use LastPass to keep track of the ID's & Passwords if I want to join the site/forum/store I'm interested in.
