Should You Sign On to a New App Using Your Facebook Sign In?
You’ve probably paused when a new site asks you if you want to use your Facebook login information. It feels convenient, but is it secure? Sure, you don’t have to create another account or remember a new password. Still, there are some risks and trade-offs involved. Let’s have a look at the pros and cons of this method, known as Single Sign On (SSO).
Facebook isn’t the only company that offers SSO. Depending on the kind of app you’re using, you might see options to use your Apple, Twitter, Google, GitHub, LinkedIn or another account to sign up. As all the services have similar pros and cons, for the sake of simplicity, the focus here is on using Facebook to sign in.
How does signing in with Facebook work?
Facebook Login works using a protocol called OAuth.
When you try to sign up to a site like Pinterest with your Facebook details, Pinterest sends a request to Facebook and asks it to verify who you are. When you log in to your Facebook account, it sends a token back to Pinterest confirming your identity and providing basic information like your name, profile picture, email address and birthday. This information is used to set up your new account so you don’t have to re-enter anything manually.
Most important, in this example, Pinterest never gets your Facebook password. It just receives a token saying that you logged in to your Facebook account and everything is above board. If Pinterest were to get hacked, the attackers wouldn’t be able to use your details to log in somewhere else.
If you work for a company that uses Federated Identity Management (FIM) for your business accounts, you already use something similar. In this case, logging in to your company’s server or VPN enables you to access other apps, like your email, CRM or calendar, without having to enter a password again.
Is signing in with Facebook secure?
If you have a strong password and use two-factor authentication (2FA), then using Facebook to log in to other sites can be very secure. It means you aren’t relying on the other site to keep your password safe in the event of a data breach.
However, using Facebook to log in to other sites creates a single point of failure. If a bad actor gets access to your Facebook account, they can then sign into all the other accounts you have connected to it. That’s an incredible security risk.
So, is Facebook Login secure?
It’s up to you. If using Facebook to log in stops you from reusing the same passwords on multiple sites or going with obvious, easily hacked passwords like “Pa$$word,” then it will make everything much more secure.
On the other hand, if you use an insecure password for your Facebook account, and you use Facebook to sign in to multiple other sites, then you’re leaving the keys to your online life sitting in your truck with a neon sign saying “steal my things”—and the window down.
Is signing in with Facebook safe?
Signing in with Facebook is safe, but there is the potential for scams. Hackers can set up fake sites that look like Facebook logins to try and steal your credentials. It’s a form of “phishing.”
Some of the big red flags are:
- The login URL is anything but “facebook.com.”
- The text, links or buttons look different than they normally do.
- Clicking a link doesn’t bring you directly to Facebook.
- The login page isn’t a new pop-up window.
You should only use SSO with sites you trust, so if you’re at all concerned, don’t enter your Facebook login details.
What information gets shared when I log in?
Facebook shares basic information from your profile like your name, email address, birthday and profile picture when you sign in with it. Some sites and apps will request more information, like your friends list or the pages you follow, though sharing it may be optional.
When you sign up using Facebook, the pop-up will tell you what data gets shared. Click “Edit Access” and you’ll be able to toggle off any optional data that’s requested.
Perhaps more concerning is what Facebook learns about you. It uses the sites you log in to and how often you log in to them (as well as any other information it can get) to build a profile about who you are—so it can show you ads.
Do I need to keep my Facebook account forever?
One of the biggest downsides to SSO is that it complicates your online accounts. If you use Facebook to log in to Venmo, for example, the two accounts are tied together and separating them will be a hassle and have unintended consequences.
I used Facebook to sign up for a lot of services a few years ago. Now, however, I’ve deactivated my account. I occasionally have to reactivate it to log in to an app I haven’t used in a while. Also, even if I wanted to, I can’t delete my Facebook account because I may need to use it to log in to something in the future.
It’s possible with most sites to add a password and move away from Facebook Login, but it’s inconvenient. And if you do delete your Facebook account prematurely, you might not be able to regain access.
Should I use single sign on?
Using Facebook Login, or any other SSO service, to sign in to third-party sites is a trade-off. If you have a secure Facebook account, it can be more convenient and secure than creating individual accounts for every site and app you use. But the status of your relationship with Facebook may be inextricably tied to these accounts.
If you’re prepared to use a password manager, you’ll get even more security and almost as much convenience. And you don’t have to be concerned about Facebook’s data privacy policies.
Product features may have changed and are subject to change.