How Secure Is an Identity Check Based on Social Login?

Why do experts believe social logins can boost user engagement and conversion rates? How secure is the login procedure?

Jan 11, 2023 - 3 min.
Branka Miljanovic

Whether for computers, smartphones or online services of all kinds: the abundance of passwords and access data that almost every Internet user has to remember these days continues to grow. This bothers a great many users, who feel overwhelmed by a large number of passwords. The consequence? IT security is becoming increasingly annoying and is causing what is known as 'password fatigue' for the average internet user. This is when many users neglect data security and use the same password or a variation of it for most of the services they use. To counter this trend and enhance user security, many online platforms use what is called a 'social login'.  This replaces tiresome registration and login procedures with a Facebook or Google login, for example. But how secure is it for users to log in using social media on a platform operated by a third-party provider? And how exactly does authentication work? We explain all the important aspects of social login. 

A social login is a form of SSO (Single Sign-On). It allows users to log into the websites of a third-party provider using existing information from a social network such as Facebook, Twitter, LinkedIn or Google.  

How registration using social login works

Social login is one of the best-known forms of SSO and is widely used – especially by online retailers, streaming providers or internet fora. A website with a social login function allows users to click on a widget to connect to their chosen social platform. Standards such as OAuth (Open Authorization) are normally used here to exchange login information for social networks. If the user decides to log in using this type of OAuth client, a third party (such as Facebook, Google or Twitter) – known as the identity provider – is tasked with confirming the user's identity for the new service. This allows users to log into a new website with the help of an existing account with another provider. 

This login procedure – known as token-based authentication – makes it possible to use the account information from an identity provider without sharing the user's login data with the third-party provider. OAuth functions, in this case, as an intermediary and provides an access token to the third-party provider service that authorises the release of specific account data. As a result, the user does not have to register separately for the relevant website.
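The token-based exchange described above, as an added example that is not part of the original article: a toy in-memory identity provider and third-party site running an OAuth-style authorization-code flow with `state` and PKCE. The class names, the `alice` account and all values are constructed for illustration; no real provider's API is modelled.

```python
import base64, hashlib, hmac, secrets

def s256(verifier):  # PKCE S256 challenge (RFC 7636): base64url(SHA-256(verifier)), no padding
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()

class IdentityProvider:
    """Toy in-memory social network; all accounts below are constructed sample data."""
    def __init__(self):
        self.passwords = {"alice": "correct horse"}  # plaintext only because this is a toy
        self.profiles = {"alice": {"name": "Alice", "email": "alice@example.org"}}
        self.codes, self.tokens = {}, {}

    def authorize(self, username, password, scope, challenge):
        # The password is checked here, at the identity provider, and nowhere else.
        stored = self.passwords.get(username)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            raise PermissionError("login failed")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (username, tuple(scope), challenge)
        return code

    def token(self, code, verifier):
        # Codes are single use (pop) and bound to the PKCE challenge sent at the start.
        username, scope, challenge = self.codes.pop(code, (None, (), ""))
        if username is None or not hmac.compare_digest(challenge, s256(verifier)):
            raise PermissionError("invalid code or verifier")
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = (username, scope)
        return access_token

    def userinfo(self, access_token):
        username, scope = self.tokens[access_token]
        return {k: v for k, v in self.profiles[username].items() if k in scope}  # only granted data

class RelyingParty:
    """The third-party website offering the social login button."""
    def __init__(self, idp):
        self.idp, self.pending = idp, {}  # pending maps state -> PKCE verifier

    def start_login(self):
        state, verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.pending[state] = verifier
        return {"state": state, "scope": ("email",), "code_challenge": s256(verifier)}

    def callback(self, state, code):
        verifier = self.pending.pop(state, None)  # unknown or replayed state is rejected
        if verifier is None:
            raise PermissionError("unknown state")
        return self.idp.userinfo(self.idp.token(code, verifier))
```

A login runs as `start_login()` on the website, `authorize(...)` at the identity provider (the only place the password is typed), then `callback(state, code)` back on the website, which ends up holding only the data covered by the granted scope.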

Advantages of social login

More and more users find the standard registration forms on websites and in apps to be tiresome and overly complex ways of registering with or logging into a website. The solution: Single Sign-On services like social login. In this case, users do not need to enter their own data, such as their name, e-mail address or telephone number, during registration. This saves time and increases the number of registrations for companies. The option to click on 'Log in with social media' gives users a straightforward and quick method of registering or logging in. Everyone will be familiar with this problem: it has been quite a while since a user registered with their favourite streaming service, and now they receive the message 'Login failed. Incorrect password.' After unsuccessfully trying all their standard usernames and passwords, many users give up in frustration and leave the site. This is where a social login can help. It saves time and, most importantly, one's temper.

The current security level of social logins 

According to estimates, social logins are used by more than 50% of internet users worldwide. Some experts believe that social logins can boost user activity and conversion rates since they make creating and logging into an account easier. However, a survey on the use of Single Sign-On services in Germany shows that just 27 per cent of Germans used this type of social login via Facebook, Apple, Google, LinkedIn, etc., in 2022. But why is this? Are there any reasons not to use a social login?

What critics fear most of all is that data security and protection are too lax. After all, if the password for one of these SSO accounts goes missing, this can have far-reaching consequences. If the data falls into the wrong hands, for example, due to a hacker attack, the thieves gain access to the respective user account and to all sites that offer this type of login option. 

However, despite these doubts regarding the security of SSO services, the protocols used to exchange data are considered to be secure. That's because, during the login process using this type of OAuth client, the new service never receives a password that it could subsequently lose or sell. Moreover, the risk to the user is minimal because they do not need to remember new access data and can enjoy a seamless authentication process. In reality, the greatest threat to IT security is sitting in front of the computer. That's because many users faced with an increasing flood of passwords are looking for creative solutions to streamline the login. Consequently, they use identical or very similar passwords across multiple sites. 

It is true to say that the more login data there is, the less secure the IT environment becomes. Therefore, reducing the profusion of passwords that we use today is essential.

 
