Maintaining multiple accounts by remembering different passwords is a difficult and well-known problem. Many websites or online services allow you to use your Google, Facebook, and other accounts to Sign In. You must have seen links like below:
Signing In this way is called Oauth (Open standard for Authentication). Using OAuth, laymen sometimes feel insecure to Sign In as to why they are being asked to provide their Google or Facebook credentials (username and password combination is called credentials). In such cases, users have to sign up again to create and remember another set of credentials. So the point is, is using Oauth secure?
When you use OAuth, that website, say example.com, does not require entering the credentials, instead, they redirect you to a selected Oauth provider (e.g. Google, Facebook, or others). The Sign In form opens in a new window, before entering your credentials in the popup window, you must ensure the address appearing in the address bar is correct and not fake. Otherwise, you may end up providing your credentials to a phishing website that is developed to steal your credentials. Now we look into Issues with using OAuth.
Using OAuth, when you have enabled 2-Factor Authentication in the provider account, is much more secure than other alternatives to Sign In on multiple sites with one account. But if you Sign In carelessly, you may be in big trouble, below we explain this aspect of OAuth-based Sign In.
You must first understand the difference between authentication and authorization. Proving your identity i.e. you are a registered user and providing correct credentials to Sign In, is called Authentication. Successful authentication means the system has identified you as a registered user of the service. Authorization means what activities you are authorized to perform on the website e.g. a user may be authorized to moderate the comments but not authorized to publish new articles. In an online accounting system, a user may be authorized to record payments received from customers but not authorized to initiate amounts transfers from one account to another. But, why is it important to understand when using OAuth?
When we Sign In to a website (say example.com) using OAuth provider (say Facebook.com), after the Sign In window, Authorization (also called Permissions) Window appears that lists different permissions or roles example.com can perform on behalf of the user at Facebook.com. Or what type of user data example.com can access from Facebook.com
Usually, the sites ask for permission to read the email address, user name, and user picture but there are tens of more permissions that a website may ask for. If you allow those permissions by mistake, then example.com can operate your Facebook.com account automatically e.g. it can post on pages you manage, on your profile, or groups you are a member of. It can even access all your messages and delete your posts, can view or update the albums, etc, given you have granted related permissions. So, if you are using OAuth, be vigilant and do not authorize permissions or roles that can potentially make an issue for you or the roles you are not interested to authorize, especially at websites you do not trust.