Signing Into Websites With Google, Facebook is Good for Security

Being secure is not a sometimes thing, but an ongoing process. You aren't secure because you use a particular tool—you are secure because you apply a security mindset every day.

Take passwords. You hear the reminders all the time—don't reuse passwords across sites, applications, and services. Don't pick weak passwords. Use a password manager so that you can pick super-complicated passwords and not have to worry about trying to remember them. Turn on two-factor authentication wherever possible. These are all good pieces of advice to remember and follow. Earlier this week, my colleague Neil Rubenking took the password manager recommendation one step further and said signing in to third-party websites with your Google, Facebook, Twitter, or other social media credentials is a security risk. I don't buy that argument.

You've seen what I am talking about. While most services require you to create an account from scratch, there are sites where you can log in with your social media credentials. Expedia, for example, lets you log in with Facebook. Or Inoreader (my RSS reader of choice), which lets you log in with Google. This lets you skip the account creation process and just log in with an account you already have. Convenient, right? Very. Is it a security issue as Neil said in his piece? No.

Whenever I see a site that allows me to sign in with another account, I pick that option. I don't use my Facebook account to log in (sorry, Expedia), but if there is an option to use my Google account, I do. I have a strong and complex password and I also enabled two-factor authentication. So my Google account is as safe as I can make it, and I trust Google to take the necessary steps to keep my information secure. Nothing against Facebook, but I think I have taken better steps to protect my Google account than Facebook.

Do I Trust You? No
When I come to a site and I have to create an account, my first thought is, "Do I trust you?" Do I trust the site to keep my data safe? And I don't just mean passwords and credit card numbers. Do I trust the site to have taken the necessary steps to protect my phone number, mailing address, and my date of birth in its database? Honestly? For most companies, no, I don't. Application security is hard—most developers are still just learning secure coding practices—as is securing the database effectively. This is a work in progress, and many companies still aren't there in terms of security. Since I can't go around asking companies, "Do I trust you to keep my password secure and not have it stolen by hackers?" I take the easy path and assume I can't.

Remember the Gawker breach a few years ago? All those email addresses and passwords exposed because Gawker's developers didn't take steps to properly secure them. I am not saying Gawker was wrong—it is a media company and no one there imagined anyone would go after the site's commenting system. But it happened. As a consumer, I am not going to try to vet which companies are security-minded enough to trust their application and which aren't. I'm going to focus on who is doing the job right.

The important thing about signing on with my Google credentials: the site doesn't keep my password or other information. When I click on the Google+ button, I am redirected to a Google page, and I authenticate against Google's servers. Google then tells the site that yes, I am who I say I am and sends me back to the site. Which means my information stays with Google and the site just gets a token which says "she logged in successfully, let her through."

Consider all the site breaches we've seen over the past two years. There are sites I sign up just to see what it is like, and then abandon after a few days because it isn't what I needed. If I created an account on the site, my information is in that site's database. Even after I abandon that site, my account lives on. (This is why I dislike sites that don't let you delete accounts, but that is a different story for another day.) That's a lot of potential places for my data to be stolen. If I use my Google account to log in, then the site doesn't have any information about me to get stolen. That's reassuring. If I abandon that site, Google lets me revoke account permissions so that no one else can log in as me. 

Let's talk about revoking. The entire point of letting Google, Facebook and Twitter handle logging in means you can also use them to block access. For example, I use Google to log in to Inoreader. Say I no longer want to use Inoreader anymore. I just go into my Google Account settings and click on "revoke access." And that's it. This is also why I use Twitter to sign into some sites. Twitter makes it extremely easy to disconnect applications once I am done.

My goal is to have as few databases as possible in the world containing a record with my personal information.

Another thing I like about signing in with Google: account-specific passwords. I generate a random password, which Google now knows is the password for that site. That password works only for that site and doesn't give access to anything else. Instead of generating passwords through a password manager and creating a brand-new account, I keep the process with Google. I use a password other than my email password and I am skipping the whole process of creating the account by sticking with Google's mechanisms. This is quite handy if I am signing into a mobile app, for example. Google now knows how to verify my identity, and like the regular sign-in, I just revoke the password and that app can no longer sign in.

Stick With Who You Trust
Neil asked a very good question: ask yourself whether that site needs to know anything about you. Does the site about you need to know your name, email address, physical address and phone number, or any other profile information? If it doesn't, don't hand it over. Keep it with who you trust.

If your Facebook password is "Password1" and someone with nefarious intent figures this out, then yes, that person can go ahead and can sign in to any other site you've linked with your account. But how is that different from you having selected "Password1" for that site to begin with? If you are using an easy-to-remember password for your email or social media site, then you are likely not using a string of hard-to-remember-characters for your frequent flier miles account, right? So it's that weak password that's screaming "Hack me!" not the fact that you signed in with a different account. And if someone has figured out your Google password, I don't think your biggest worry is whether that person can now log in to your linked accounts. Not when it's so easy to just ask for password reset emails.

Security doesn't have a magic bullet. A given tool can be used for both good and bad. It's all in how you approach it. My preference is to stay out of databases. What's yours?