Social login

Last updated

Social login is a form of single sign-on using existing information from a social networking service such as Facebook, Twitter or Google, to login to a third party website instead of creating a new login account specifically for that website. It is designed to simplify logins for end users as well as provide more reliable demographic information to web developers. [1]

Contents

How social login works

Social login links accounts from one or more social networking services to a website, typically using either a plug-in or a widget. [2] By selecting the desired social networking service, the user simply uses his or her login for that service to sign on to the website. This, in turn, negates the need for the end user to remember login information for multiple electronic commerce and other websites while providing site owners with uniform demographic information as provided by the social networking service. Many sites which offer social login also offer more traditional online registration for those who either desire it or who do not have an account with a compatible social networking service (and therefore would be precluded from creating an account with the website).

Application

Social login can be implemented strictly as an authentication system using standards such as OpenID or SAML. For consumer websites that offer social functionality to users, social login is often implemented using the OAuth standard. OAuth is a secure authorization protocol which is commonly used in conjunction with authentication to grant 3rd party applications a "session token" allowing them to make API calls to providers on the user's behalf. Sites using the social login in this manner typically offer social features such as commenting, sharing, reactions and gamification.

While social login can be extended to corporate websites, [3] the majority of social networks and consumer-based identity providers allow self-asserted identities. For this reason, social login is generally not used for strict, highly secure applications such as those in banking or health.

Advantages of social login

Studies have shown that website registration forms are inefficient as many people provide false data, forget their login information for the site or simply decline to register in the first place. A study conducted in 2011 by Janrain and Blue Research found that 77 percent of consumers favored social login as a means of authentication over more traditional online registration methods. [4] Additional benefits:

Targeted Content
Web sites can obtain a profile and social graph data in order to target personalized content to the user. This includes information such as name, email, hometown, interests, activities, and friends. However, this can create issues for privacy, and result in a narrowing of the variety of views and options available on the internet.
Multiple Identities
Users can log into websites with multiple social identities allowing them to better control their online identity. [5]
Registration Data
Many websites use the profile data returned from social login instead of having users manually enter their PII (Personally Identifiable Information) into web forms. This can potentially speed up the registration or sign-up process.
Pre-validated Email
Identity providers who support email such as Google and Yahoo! can return the user's email address to the 3rd party website preventing the user from supplying a fabricated email address during the registration process.
Account linking
Because social login can be used for authentication, many websites allow legacy users to link pre-existing site account with their social login account without forcing re-registration.

Disadvantages of social login

Utilizing social login through platforms such as Facebook may unintentionally render third-party websites useless within certain libraries, schools, or workplaces which block social networking services for productivity reasons. It can also cause difficulties in countries with active censorship regimes, such as China and its "Golden Shield Project", where the third party website may not be actively censored, but is effectively blocked if a user's social login is blocked. [6]

There are several other risks that come with using social login tools. These logins are also a new frontier for fraud and account abuse as attackers use sophisticated means to hack these authentication mechanisms. [7] This can result in an unwanted increase in fraudulent account creations, or worse; attackers successfully stealing social media account credentials from legitimate users. One such way that social media accounts are exploited is when users are enticed to download malicious browser extensions that request read and write permissions on all websites. These users are not aware that later on, typically a week or so after being installed, the extensions will then download some background Javascript malware from its command and control site to run on the user's browser. From then on, these malware infected browsers can effectively be controlled remotely. These extensions will then wait until the user logs into a social media or another online account, and using those tokens or credentials will sign up for other online accounts without the rightful user's express permission.

Aggregating social login

Social login applications compatible with many social networking services are available to web developers using blogging platforms such as WordPress. Companies such as Gigya, Janrain, Oneall.com, Lanoba.com, and LoginRadius also provide single solution social login services for web developers. These companies can provide social login access to 20 or more social network sites. [8]

Security

In March 2012, a research paper [9] reported an extensive study on the security of social login mechanisms. The authors found 8 serious logic flaws in high-profile ID providers and relying party websites, such as OpenID (including Google ID and PayPal Access), Facebook, Janrain, Freelancer, FarmVille, Sears.com, etc. Because the researchers informed ID providers and the third party websites that relied on the service prior to public announcement of the discovery of the flaws, the vulnerabilities were corrected, and there have been no security breaches reported. [10] This research concludes that the overall security quality of SSO deployments seems worrisome.

Moreover, social logins are often implemented in an insecure way. Users, in this case, have to trust every application which implemented this feature to handle their identifier confidentially. [11]

Furthermore, by placing reliance on an account which is operable on many websites, social login creates a single point of failure, thus considerably augmenting the damage that would be caused were the account to be hacked.

List of notable providers

Here is a list of services (commonly social networks) that provide social login features which they encourage other websites to use.

See also

Related Research Articles

<span class="mw-page-title-main">Captive portal</span> Web page displayed to new users of a network

A captive portal is a web page accessed with a web browser that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources. Captive portals are commonly used to present a landing or log-in page which may require authentication, payment, acceptance of an end-user license agreement, acceptable use policy, survey completion, or other valid credentials that both the host and user agree to adhere by. Captive portals are used for a broad range of mobile and pedestrian broadband services – including cable and commercially provided Wi-Fi and home hotspots. A captive portal can also be used to provide access to enterprise or residential wired networks, such as apartment houses, hotel rooms, and business centers.

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.

Identity management (IdM), also known as identity and access management, is a framework of policies and technologies to ensure that the right users have the appropriate access to technology resources. IdM systems fall under the overarching umbrellas of IT security and data management. Identity and access management systems not only identify, authenticate, and control access for individuals who will be utilizing IT resources but also the hardware and applications employees need to access.

<span class="mw-page-title-main">One-time password</span> Password that can only be used once

A one-time password (OTP), also known as a one-time PIN, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid several shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has as well as something a person knows.

A federated identity in information technology is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.

Digital identity is the phrase referring to the data that computer systems use to identify individuals, organizations, applications, or devices. For individuals, it involves the collection of personal data that is essential for facilitating automated access to digital services, confirming one's identity on the internet, and allowing digital systems to manage interactions between different parties. It is a component of a person's social identity in the digital realm, often referred to as their online identity.

<span class="mw-page-title-main">OpenID</span> Open and decentralized authentication protocol standard

OpenID is an open standard and decentralized authentication protocol promoted by the non-profit OpenID Foundation. It allows users to be authenticated by co-operating sites using a third-party identity provider (IDP) service, eliminating the need for webmasters to provide their own ad hoc login systems, and allowing users to log in to multiple unrelated websites without having to have a separate identity and password for each. Users create accounts by selecting an OpenID identity provider, and then use those accounts to sign on to any website that accepts OpenID authentication. Several large organizations either issue or accept OpenIDs on their websites.

A Google Account is a user account that is required for access, authentication and authorization to certain online Google services. It is also often used as single sign-on for third party services.

OAuth is an open standard for access delegation, commonly used as a way for internet users to grant websites or applications access to their information on other websites but without giving them the passwords. This mechanism is used by companies such as Amazon, Google, Meta Platforms, Microsoft, and Twitter to permit users to share information about their accounts with third-party applications or websites.

Google Friend Connect was a free social networking site, active from 2008 to 2012. Similar to Facebook Platform and MySpaceID, it allowed users to build a profile to share and update information through messaging, photographs and video content via third-party sites which acted as a host for profile sharing and social exchanges.

An identity provider is a system entity that creates, maintains, and manages identity information for principals and also provides authentication services to relying applications within a federation or distributed network.

Apple ID is a user account by Apple for their devices and software. Apple IDs contain the user's personal data and settings. When an Apple ID is used to log in to an Apple device, the device will automatically use the data and settings associated with the Apple ID.

<span class="mw-page-title-main">Microsoft account</span> User account required for Microsoft-owned services

A Microsoft account or MSA is a single sign-on personal user account for Microsoft customers to log in to consumer Microsoft services, devices running on one of Microsoft's current operating systems, and Microsoft application software.

Mozilla Persona was a decentralized authentication system for the web, based on the open BrowserID protocol prototyped by Mozilla and standardized by IETF. It was launched in July 2011, but after failing to achieve traction, Mozilla announced in January 2016 plans to decommission the service by the end of the year.

Google APIs are application programming interfaces (APIs) developed by Google which allow communication with Google Services and their integration to other services. Examples of these include Search, Gmail, Translate or Google Maps. Third-party apps can use these APIs to take advantage of or extend the functionality of the existing services.

<span class="mw-page-title-main">SQRL</span> Draft open standard for identity verification

SQRL or Secure, Quick, Reliable Login is a draft open standard for secure website login and authentication. The software typically uses a link of the scheme sqrl:// or optionally a QR code, where a user identifies via a pseudonymous zero-knowledge proof rather than providing a user ID and password. This method is thought to be impervious to a brute-force password attack or data breach. It shifts the burden of security away from the party requesting the authentication and closer to the operating-system implementation of what is possible on the hardware, as well as to the user. SQRL was proposed by Steve Gibson of Gibson Research Corporation in October 2013 as a way to simplify the process of authentication without the risk of revelation of information about the transaction to a third party.

<span class="mw-page-title-main">Janrain</span> CIAM start-up based in Portland

Janrain, sometimes styled as JanRain, is a customer profile and identity management (CIAM) software provider based in Portland, Oregon, United States. It was established in 2002. Akamai acquired Janrain in January 2019.

Digital identity is used in Australia by residents to validate who they are over digital media, such as over the Internet.

Sign in with Apple is a single sign-on provider operated by Apple Inc., introduced on June 3, 2019, at Apple's 2019 Worldwide Developers Conference (WWDC) in iOS 13.

References

  1. Social Login: A Data Capture Game Changer(accessed 21 December 2011).
  2. Ngemera, Eusebius (2017-01-31). "Social Logins—what info you give away!". eusebius.tech. Retrieved 2017-05-06.
  3. "Integrate Social Networks with your Corporate Website with Social Sign On" - Altimeter Group, September 27, 2010
  4. Social Media Marketing: Social login or traditional website registration? MarketingSherpa, January 12, 2012
  5. "The Social Web's Big New Theme for 2011: Multiple Identities for Everyone" - AllThingsD, January 1, 2011
  6. Laurenson, Lydia (3 May 2014). "The Censorship Effect". TechCrunch. Retrieved 27 February 2015.
  7. Safruti, Ido (18 October 2017). "Simple Social Login for Users and Attackers". infosecurity. Retrieved 14 November 2017.
  8. List of Social Login Providers, Janrain
  9. Rui Wang; Shuo Chen & XiaoFeng Wang (May 2012). "Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services".
  10. "OpenID: Vulnerability report, Data confusion" - OpenID Foundation, March 14, 2012
  11. "Social Login Setups – The Good, the Bad and the Ugly" - CloudRail, August 2, 2016

Further reading

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.