We’ve all been exposed to social logins. Social logins allow users like you and me to access websites or create accounts on them using credentials we have already created with Google, Facebook, LinkedIn and many others. The idea behind social logins is to simplify sign-in and registration, providing seamlessness and convenience compared to having to create a brand-new, stand-alone account for each website.

For users, the frictionless experience that social logins offer is certainly attractive. After all, how wonderful is it to be able to bypass a website’s cumbersome registration process? Also, isn’t it so much easier to click on a Facebook button to log into any site that accommodates social login? At the end of the day, all you need to remember is your Facebook username and password everywhere you log in! But what if your Facebook account were compromised? Then, what is left of your social login experience?

For organizations, social logins have three main advantages: quick user onboarding, instant access to user data and streamlined user verification. Streamlined user verification… is that so?

Social login in a nutshell

You can either leverage one of your existing social account credentials to log in or you can sign in manually.

Social login is powered by OAuth, an open standard for authorization. OAuth specifies a process by which resource owners (app or website users) authorize a third party (the app or website) to access their server resources without sharing their credentials. In other words, OAuth gives clients “secure delegated access” to server resources on behalf of a resource owner. OAuth is used as a way for web users to log into third-party websites using their Facebook, Twitter, Google or Microsoft accounts, without worrying about their access credentials being compromised. Allow me to rephrase: while hoping that their access credentials do not get compromised.

Auth0 (not to be confused with OAuth), a third-party tool that provides authentication and authorization as a service, is the leader in social login integration for popular apps. Auth0 uses the OpenID Connect (OIDC) Protocol and OAuth 2.0 Authorization Framework to authenticate users and get their authorization to access protected resources. OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 framework that allows third-party applications to verify the identity of the end-user and to obtain basic user profile information.

Social login diagram flow with Auth0:

  1. The user visits an app or site and chooses a social network as a login option, for example Facebook.
  2. The user is redirected to a login dialog URL.
  3. The user accepts the dialog and is sent to the redirect_uri with a code parameter included (the code is later exchanged for the access_token). The redirect_uri is an address used by OAuth providers as the location to deliver the code parameter by means of a browser redirect.
  4. The app or website receives the redirect_uri request with the code parameter.
  5. The app or website uses the OAuth code parameter to request user authorization.
  6. The social media platform responds by sharing an access token so the user can log into the app or site.
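The six-step flow above as an added, self-contained simulation (this is not Auth0's or any provider's code): all client names, URLs, secrets and the signing key are constructed, and the ID token is HMAC-signed for brevity where a real provider uses an asymmetric signature. It also spells out the checks the list leaves implicit: the redirect_uri must be pre-registered, the code is single-use, and a state value ties the callback to the browser session that started the login.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Identity-provider side (constructed stand-in for Facebook/Google; nothing here is a real endpoint).
REGISTERED_CLIENTS = {"shop-app": {"secret": "s3cr3t", "redirect_uri": "https://shop.example/callback"}}
ISSUER_KEY = b"constructed-provider-key"  # HMAC for brevity; a real IdP signs ID tokens with an asymmetric key
_codes = {}  # one-time authorization code -> (client_id, redirect_uri, subject)

def provider_authorize(client_id, redirect_uri, state, subject="user-123"):
    """Steps 2-3: user accepts the dialog; redirect back with a short-lived, single-use code."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        raise ValueError("unknown client or unregistered redirect_uri")  # stops codes leaking to a rogue URL
    code = secrets.token_urlsafe(16)
    _codes[code] = (client_id, redirect_uri, subject)
    return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

def provider_token(code, client_id, client_secret, redirect_uri):
    """Steps 5-6: exchange the code for an access token plus a signed OIDC ID token."""
    entry = _codes.pop(code, None)  # pop() makes replay of a captured code fail
    client = REGISTERED_CLIENTS.get(client_id)
    if entry is None or client is None or not hmac.compare_digest(client["secret"], client_secret):
        raise ValueError("invalid code or client credentials")
    if entry[:2] != (client_id, redirect_uri):
        raise ValueError("code was not issued to this client/redirect_uri")
    claims = json.dumps({"iss": "https://idp.example", "sub": entry[2], "aud": client_id}).encode()
    sig = hmac.new(ISSUER_KEY, claims, hashlib.sha256).digest()
    id_token = base64.urlsafe_b64encode(claims).decode() + "." + base64.urlsafe_b64encode(sig).decode()
    return {"access_token": secrets.token_urlsafe(16), "id_token": id_token}

def app_start_login(session):
    """Step 1 (relying-party side): user picks the social provider; store a random state in the session."""
    session["state"] = secrets.token_urlsafe(16)
    return session["state"]

def app_handle_callback(session, callback_url):
    """Step 4: read the code from redirect_uri, check state, exchange it, verify the ID token."""
    q = parse_qs(urlparse(callback_url).query)
    expected_state = session.pop("state", None)
    if expected_state is None or q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not started by this session (login CSRF)")
    tokens = provider_token(q["code"][0], "shop-app", "s3cr3t", "https://shop.example/callback")
    body, sig = tokens["id_token"].split(".")
    expected = hmac.new(ISSUER_KEY, base64.urlsafe_b64decode(body), hashlib.sha256).digest()
    if not hmac.compare_digest(base64.urlsafe_b64decode(sig), expected):
        raise ValueError("ID token signature does not verify")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["iss"] != "https://idp.example" or claims["aud"] != "shop-app":
        raise ValueError("ID token is for another issuer or audience")
    return claims["sub"]  # the identity the app now trusts, which is only as strong as the IdP's enrolment
```

Note that the app ends up with nothing more than the provider's `sub` claim: the flow proves the browser controls that social account, not who the person behind it is.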

Benefits of social login

Social login brings multiple benefits to both users and organizations.

For users, they include (1) seamless sign-up, where third-party logins via social media accounts only require clicking a few buttons, (2) decreased password dependence, since there is no longer a need to remember different usernames and passwords for different apps and websites, and (3) enhanced usability, because social sign-in offers a standardized way to log in regardless of the app or site being accessed.

For organizations, social login means (1) access to users’ data from the social media platforms used to sign in, to better understand their preferences and create customizable experiences, (2) free to inexpensive implementation through the APIs of each social platform, like Facebook Login and the Google+ API, (3) easier customer onboarding by auto-populating users’ settings with information held in their social account, (4) elimination of the overhead of failed logins, because users rely on their social login, (5) increased transaction volumes, since social login lets users simplify their checkout experience, (6) easier account linking, and (7) greater brand adoption, because a happy user who loves convenience is likely to continue using a product or service and stay loyal.

Social login: now, the obscure side

It’s pretty obvious that if you use your Facebook credentials to access a bunch of apps and websites and your Facebook account suddenly gets compromised, then you’re in for quite an unpleasant ride. As a reminder, between June 2013 and December 2019, Facebook experienced eight major data breaches compromising a total of 1.6 billion accounts. And the accounts opened with the apps and websites that use your Facebook login become compromised as well.

But there is one element in particular that social login solutions present as a key differentiator and that needs to be debunked immediately. They say that social login increases user verification. In other words, they claim that social login provides an additional layer of verification to confirm that access attempts come from real and trustworthy users: since social login-based authentication also requires verification from the chosen social platform, it supposedly adds another line of defense against spam or otherwise harmful logins.

THIS IS NOT TRUE.

The reality is that social logins do not require that an applicant be linked to a specific real-life identity, which makes identity proofing impossible and, consequently, is highly problematic in terms of security. Employees and customers who use social login to access single sign-on apps to conduct business or shop, for example, cannot prove who they really are. Let’s face it, do you need to prove your identity when you open a Facebook account? You don’t. As a result, organizations cannot verify identity or truly assess the risks involved in maintaining a business relationship with a given customer who uses social login to transact online. To that effect, the use of a social media account for authentication only reaches the lowest identity assurance level (IAL1) and authenticator assurance level (AAL1) per the NIST SP 800-63-3 guidelines.

Is it possible to make social login bulletproof?

The good news is that it is indeed possible to prove a user’s identity prior to the authentication process with social login.

First, usernames and passwords need to be eliminated from the equation. At the end of the day, 81% of data breaches are caused by poor password management.

Second, when the user creates an account with a social media platform, the platform needs to enroll the user by triangulating a given claim against a multitude of company- or government-issued documents as well as sources of truth, including advanced biometrics. The verification process must include the use of verifiable credentials in their digital form. Only then can the use of a social media account for authentication reach the highest identity assurance level (IAL3) per the NIST SP 800-63-3 guidelines.

Third, the authentication process must involve an advanced, unspoofable form of biometrics, such as a liveness test, to reach the highest authenticator assurance level (AAL3) per the NIST SP 800-63-3 guidelines.

Fourth, user data must be stored encrypted in a distributed ledger, which greatly reduces the likelihood of a data breach.

And the other good news is that there are passwordless authentication apps that verify a user’s identity indisputably, leverage advanced biometrics for authentication, and store user data in the blockchain. I know, you’re wondering what social media platforms are waiting for…

To conclude: NIST IAL3 and AAL3 or bust

The level of sophistication with which cybercriminals are able to compromise users’ identities today is such that there seems to be no other option but to armor the verification of a user’s identity in order to provide the most secure authentication process possible. As you now know, the solutions do exist, and yet they continue to be discarded by some of the biggest online platforms like Amazon, Facebook and Google, among so many others. And no further data breach seems to deter those organizations from making the much-needed, drastic changes. This refusal or resistance to change affects the way individuals like you and me interact with some of the most popular apps and sites that rely on social login, simply because our interaction is in no way secure.
