Many sites make it easy to log in by using a Facebook application. It's easy, but is this really safe?
I've noticed recently that a number of websites allow you to log in using another web service instead of directly from that web page. For example, my son couldn't remember his password at PhoneZoo, but it had an option to log in from his Facebook page. He pressed the button, logged into Facebook, and he was also logged into PhoneZoo.
Can you explain a little bit about what's going on here and whether this means there is an increased security risk? If someone gets into his Facebook account, I would assume they could also get into his PhoneZoo account or any other website providing this access. Is this a trend, and is there any way to avoid it?
In this excerpt from Answercast #27, I look at some of the risks involved in logging into other services using Facebook; it might not be what you think!
It's definitely a trend and I will say that my tendency is to avoid it. The risk you run is exactly what you've just described: if someone gets access to your Facebook account, they now have access to all of the other accounts with which you've used Facebook as the login technique.
Most of the sites that offer Facebook as a login do just that: they offer it as an alternative.
You can usually still create an account that is unique to that site. So, for example, at PhoneZoo you can log in to only PhoneZoo, using a login that is completely unrelated to Facebook. It means having a separate login for everything (which I prefer), because it keeps these services more isolated from one another.
One service being cracked doesn't then suddenly allow access to the others.
Now, to be fair, that scenario actually isn't the case in most situations.
When you use Facebook to log in to a third-party site, that site does not get your Facebook password. It simply asks Facebook, "Let this person log in; let me know when they've logged in; and then give me some kind of a token that lets me refer to this person." The site never gets your Facebook login or your password. It may get the email address that you use, but not the password.
So those sites being hacked isn't so much the issue... your Facebook account itself being hacked is.
As I said, it does seem to be a trend; and it does seem to be a trend that some people find very comfortable.
The reason this is an interesting thing to understand is that it is exactly the opposite of what I'm looking for.
A lot of people don't want to have multiple logins for multiple accounts. I mean, let's face it: it's a hassle to manage all those usernames and passwords. If instead you use Facebook to log in once, and then have Facebook manage what you can do on these other sites, you've basically reduced what you have to keep track of yourself.
Log into Facebook and you're automatically logged into all these other sites, and it's great in that sense.
The good news is that in Facebook's account settings, you can disable each of these connections one by one.
So, for example, say you've logged into PhoneZoo using Facebook. Five months from now, you decide you don't want that association anymore: you don't want Facebook to be the login, the credential manager, for your access to PhoneZoo. You can go into your Facebook account settings and turn off that permission for PhoneZoo specifically.
Finally, one thing I do want to point out: if you have an account on a service (like PhoneZoo) that is specific to that service (such as the one your son couldn't remember), and you then log in using Facebook, you have set up a separate account; the two are not related.
There's no way for PhoneZoo (or any of these services) to associate an existing account that they have set up with a Facebook account that you then use to log in later.
Anything associated with the account you originally set up (like the one to which your son lost his password) is effectively lost. The old information is still associated with that old account... but if he can't log in to it, he can't get to it.
The Facebook-backed account is a brand new account that he has now set up from scratch, once he has given PhoneZoo permission to log him in using his Facebook credentials.
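To make the three points above concrete (the site never sees the Facebook password and only gets a token it can refer to the person by; the permission can be revoked at Facebook for one site at a time; and a Facebook-backed account is a separate record from a site's own account), here is a toy model of delegated login written for this article. It is not code from Facebook, PhoneZoo or any real site: the class names, the `authorize`/`userinfo`/`revoke` steps and the per-app token design are assumptions that stand in for how a real identity provider behaves, and all usernames and passwords are constructed sample data.

```python
"""Toy model of "Login with Facebook"-style delegated sign-in (constructed example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for a real password hash; iteration count kept low for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class IdentityProvider:
    """Stands in for Facebook: the only party that ever sees the user's password."""
    users: dict = field(default_factory=dict)   # username -> {"salt", "hash", "subject", "email"}
    tokens: dict = field(default_factory=dict)  # token -> {"username", "app"}

    def register(self, username, password, email):
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "hash": _hash_password(password, salt),
            "subject": secrets.token_hex(8),  # opaque id handed to apps instead of the username
            "email": email,
        }

    def _check_password(self, username, password):
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(user["hash"], _hash_password(password, user["salt"]))

    def authorize(self, username, password, app):
        """The user logs in here, at the provider, and approves `app`.
        Anyone holding the provider password gets a token; that is the risk the answer describes.
        Returns an opaque token for that app, or None on bad credentials."""
        if not self._check_password(username, password):
            return None
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"username": username, "app": app}
        return token

    def userinfo(self, app, token):
        """The app redeems its token and gets a stable subject id plus email, never the password.
        A token issued to one app is rejected when another app presents it."""
        grant = self.tokens.get(token)
        if grant is None or grant["app"] != app:
            return None
        user = self.users[grant["username"]]
        return {"subject": user["subject"], "email": user["email"]}

    def revoke(self, username, app):
        """The 'turn off that permission for PhoneZoo specifically' step: only that app's grants go."""
        self.tokens = {t: g for t, g in self.tokens.items()
                       if not (g["username"] == username and g["app"] == app)}


@dataclass
class RelyingParty:
    """Stands in for PhoneZoo: site-local accounts and provider-backed accounts are separate records."""
    name: str
    local_accounts: dict = field(default_factory=dict)      # username -> {"salt", "hash", "profile"}
    federated_accounts: dict = field(default_factory=dict)  # provider subject id -> {"email", "profile"}

    def local_signup(self, username, password, profile):
        salt = secrets.token_bytes(16)
        self.local_accounts[username] = {"salt": salt, "hash": _hash_password(password, salt),
                                         "profile": profile}

    def local_login(self, username, password):
        acct = self.local_accounts.get(username)
        if acct is None or not hmac.compare_digest(acct["hash"], _hash_password(password, acct["salt"])):
            return None
        return acct["profile"]

    def login_with_provider(self, idp, token):
        """Redeem the provider token. First use creates a fresh, empty profile;
        nothing links it to an existing local account, so the old profile stays out of reach."""
        info = idp.userinfo(self.name, token)
        if info is None:
            return None
        acct = self.federated_accounts.setdefault(info["subject"], {"email": info["email"], "profile": {}})
        return acct["profile"]


if __name__ == "__main__":
    idp, pz = IdentityProvider(), RelyingParty("PhoneZoo")
    idp.register("son", "fb-secret", "son@example.com")           # constructed sample user
    pz.local_signup("son_pz", "forgotten-pw", {"ringtones": 3})   # the account he can't get into
    tok = idp.authorize("son", "fb-secret", "PhoneZoo")
    print("new, empty PhoneZoo profile:", pz.login_with_provider(idp, tok))
    idp.revoke("son", "PhoneZoo")
    print("after revocation:", pz.login_with_provider(idp, tok))
```

The relying party's whole state is two dictionaries that never contain the provider password, which is the point about what a breach of the third-party site can and cannot expose; the audience check in `userinfo` is an added caveat a practitioner would want, since a token that any site could redeem would turn one leaky partner into a key for all of them.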