Over the summer Pokemon Go became one of the most successful mobile games of all time. You may have seen some of the alarming stories that the game required full Google account access, potentially allowing Niantic to see and modify everything in your account.
The problem turned out to be overblown. Niantic had been using an old version of Google's shared sign-on service, which asked for far more access than the game used, and it had never accessed more than your name and email address.
Once a fix was rolled out, everyone moved on, but the scare did make people pay attention to what data they give away when using social logins.
What Are Social Logins?
You've probably seen the buttons before. You try to log in to a website and are presented with a collection of buttons that say "Login with..."
When you use one of those buttons, you log in with an identity you have already created on another site. This saves you from having to create yet another password for the new site, and the new site never sees the password you use with the provider.
There are two standards that make it easy for your favorite websites to add social login: OAuth and OpenID. OAuth is about authorization: it lets you grant an app or website limited access to data another site holds about you, without handing over your password. OpenID (today OpenID Connect, which is built on top of OAuth 2.0) is about identity: it lets you prove to an app or website who you are.
Google: What’s Connected?
Google holds an incredibly large amount of personal data, especially if you use their integrated services on an Android phone. Rogue apps can be a huge danger here, so it’s vital you protect your primary account.
After browsing the list of connected apps in Google’s Security settings, review what permissions an app has been granted. You can then remove any unused or suspicious looking apps.
Facebook: What’s Connected?
Despite the widely held view that Facebook doesn't value your privacy, it actually gives you the most options here. Facebook lists the apps connected to your account, and you can edit which permissions each one has, even after the first connection.
If you've been using Login With Facebook for a while, it's a good idea to check that you are still happy with the apps and the permissions they have.
Twitter: What’s Connected?
Twitter login is most widely used for publishing sites like Medium, where your real identity isn't essential to the service. Your tweets can still reveal a lot about you, although unless your account is protected they are public anyway. The bigger risk is a rogue app with write access posting malicious tweets on your behalf, so it's worth checking the list.
Unlike Facebook, Twitter doesn't let you change which permissions an app has after the fact. You can only revoke access entirely for any app you no longer want connected to your account.
Why Would You Want to Use Social Login?
Social logins really are as convenient and painless as the OAuth and OpenID creators imagined. Juggling a lot of passwords is the main driver of poor security hygiene, above all reusing the same password across sites. Social login reduces the number of passwords you have to remember, and if one of those sites leaks its user database there is no password of yours in it to leak.
When you sign in with an OAuth provider, the provider issues the app an "access token" that is limited to the permissions (scopes) you approved on the consent screen. Because the provider keeps the record of what you granted, you can review and revoke that grant later in your account settings, without involving the app at all.
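To make the token and permission mechanics concrete, here is an added example that is not from the original article: it models the OAuth 2.0 authorization-code flow (RFC 6749) as the website offering the button sees it. It builds the authorization request with only the OpenID Connect sign-in scopes, checks the state value when the provider redirects back, and compares the scopes the provider says were granted against what a sign-in button actually needs. The provider endpoint, client ID, redirect URI, callback and token response are all placeholders constructed for the example.

```python
"""Added example, not from the original article: a minimal model of the
OAuth 2.0 authorization-code flow (RFC 6749) as seen by a site that offers
a "Login with..." button, using the OpenID Connect scopes needed for plain
sign-in. Endpoints, client_id, redirect_uri and the token response below
are placeholders constructed for illustration."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical provider endpoint and client registration (placeholders).
AUTHORIZE_URL = "https://provider.example/o/oauth2/auth"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example/callback"

# All a sign-in button needs in order to identify you: the standard
# OpenID Connect scopes for an ID token, e-mail address and basic profile.
SIGN_IN_SCOPES = ("openid", "email", "profile")


def new_state():
    """Random per-login value tying the callback to this browser session."""
    return secrets.token_urlsafe(32)


def build_authorization_url(scopes, state):
    """Step 1: the site sends your browser to the provider.

    Everything in this query string is visible to the provider, including
    client_id, which is how the provider knows which site you logged into
    even though it never sees what you do there afterwards."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),  # what the consent screen will show
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 2: the provider redirects back to redirect_uri with code and state.

    The state must match what this session issued; otherwise an attacker
    could get a victim's browser to complete a login with the attacker's
    code (login CSRF). Returns the one-time authorization code."""
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "error" in query:
        raise ValueError("provider returned error: " + query["error"][0])
    if "code" not in query:
        raise ValueError("callback carried neither code nor error")
    return query["code"][0]


def granted_scopes(token_response, requested):
    """Step 3: the site exchanges the code for tokens (server to server).

    The token response may include 'scope' (RFC 6749 section 5.1); if it is
    absent, the grant equals what was requested. Returns (granted, excess),
    where excess is anything beyond what sign-in needs. An app that shows
    up with excess scopes is the kind the article suggests reviewing."""
    granted = set(token_response.get("scope", " ".join(requested)).split())
    excess = granted - set(SIGN_IN_SCOPES)
    return granted, excess


def demo():
    """Run the three steps against a constructed callback and token response."""
    state = new_state()
    url = build_authorization_url(SIGN_IN_SCOPES, state)
    # Constructed callback, as the provider would redirect the browser.
    code = parse_callback(f"{REDIRECT_URI}?code=constructed-code&state={state}", state)
    # Constructed token response carrying a broader grant than sign-in needs.
    token_response = {
        "access_token": "constructed-access-token",
        "token_type": "Bearer",
        "expires_in": 3599,
        "scope": "openid email profile https://provider.example/auth/contacts",
    }
    granted, excess = granted_scopes(token_response, SIGN_IN_SCOPES)
    return {"url": url, "code": code, "granted": granted, "excess": excess}


if __name__ == "__main__":
    result = demo()
    print("authorization request:", result["url"])
    print("granted:", sorted(result["granted"]))
    print("more than sign-in needs:", sorted(result["excess"]))
```

The consent screen you see as a user is the provider rendering the scope parameter from step 1, so a request that asks for more than openid, email and profile is visible before you ever click Allow. The extra contacts scope in the constructed token response is the kind of grant that later shows up in the provider's connected-apps list.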
What About Your Privacy?
As the saying goes — if it’s free then you are the product. To get the speed and convenience of the improved login you do trade some amount of your data.
You should be aware that your provider sees every site you sign in to with its login, because each login is a request to the provider that identifies the site asking. They won't know what you do on that site, but they'll know you were there, and when.
Check Permissions With MyPermissions
The MyPermissions website is one of the easiest ways to view the apps you have connected to your social accounts. You can also download their iOS or Android app to monitor the permissions that your apps request. Unlike the system level permissions managers on iOS and Android, MyPermissions makes the process easier by grading each app.
I found that using the MyPermissions website was the best way to analyze the social accounts. Meanwhile, the mobile app was great at analyzing permissions granted to installed apps.
Don’t Get Hooked by Phishing
Attackers commonly use a phoney website made to look like the login page of your social provider. A pop-up opens, you enter your username and password, and they go straight to the attacker. Before typing anything into a login pop-up, check its address bar: the page should be served over HTTPS from the provider's own domain, and a fake pop-up drawn inside the page itself has no real address bar to check at all.
With your provider password, an attacker gets more than that one account: they can sign in to every site connected to it, and if you've reused the password elsewhere, those sites too. Phishing is becoming increasingly sophisticated, but you can learn to spot a potential attack.
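The address check described above is easy to get wrong by eye, because attackers put the familiar name where it does the least good. Here is an added example, not from the original article, that applies the check the way a browser does: only the scheme and the exact hostname count, and anything before an "@", in the path, or in front of the real domain is ignored. The trusted host list and the sample URLs are constructed for illustration.

```python
"""Added example, not from the original article: deciding whether a login
pop-up's address really belongs to the identity provider. The trusted host
list and the sample URLs are constructed for illustration; extend the list
with the login hosts of the providers you actually use."""
from urllib.parse import urlsplit

# Exact hosts a genuine "Login with..." page is served from (examples).
TRUSTED_LOGIN_HOSTS = {
    "accounts.google.com",
    "www.facebook.com",
    "api.twitter.com",
}


def login_page_verdict(url):
    """Return (ok, reason) for the address shown in a login window.

    Only the scheme and the exact hostname matter. Text before an '@' is
    userinfo, not the host; path segments and look-alike prefixes such as
    accounts.google.com.<attacker> are entirely under the attacker's
    control. This is the same parsing the browser does, so it only helps
    on a real window with a real address bar, not on a pop-up drawn
    inside the page."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None:
        # "https://accounts.google.com@evil.example/" really goes to evil.example
        return False, f"userinfo trick: real host is {host}"
    if host not in TRUSTED_LOGIN_HOSTS:
        return False, f"host {host!r} is not a known login host"
    return True, f"host {host} is a known login host"


# Constructed sample addresses: one genuine, four common phishing shapes.
SAMPLE_URLS = [
    "https://accounts.google.com/o/oauth2/auth?client_id=x",
    "https://accounts.google.com.login-verify.example/o/oauth2/auth",
    "https://accounts.google.com@login-verify.example/o/oauth2/auth",
    "https://login-verify.example/accounts.google.com/o/oauth2/auth",
    "http://accounts.google.com/o/oauth2/auth",
]


def check_all(urls=SAMPLE_URLS):
    """Map each sample address to its (ok, reason) verdict."""
    return {url: login_page_verdict(url) for url in urls}


if __name__ == "__main__":
    for url, (ok, reason) in check_all().items():
        print("OK  " if ok else "BAD ", url, "->", reason)
```

Reading the hostname from right to left is the habit to build: the registrable domain is the part just before the top-level domain, so accounts.google.com.login-verify.example belongs to login-verify.example no matter how it starts.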
Beware the Single Point of Failure
If you have used one or more providers to log into many sites, then you risk the Single Point of Failure (SPF). With password leaks happening all the time, your provider account could well end up exposed, and whoever controls that account also controls every site connected to it.
Using two-factor authentication on the provider account is one of the best protections against SPF: a leaked password alone is no longer enough to get in. Many sites also let you set a local password in addition to the social login, so if your provider account is compromised you can still sign in with your email and password and disconnect it.
Delve Into the Details
Sometimes it’s easier just to stick to email and create secure passwords and store them in a password manager. No need to worry about remembering hundreds of passwords, and then you avoid some of the pitfalls of social logins.
Do you use social logins? Do you ever worry about your privacy when you do? Do you have a favoured login provider or would you rather stick with email login? Let us know your thoughts in the comments below!