
Why You Shouldn’t Use Facebook to Log in to Other Sites - petethomas
https://www.nytimes.com/2018/10/02/technology/personaltech/facebook-log-in-hack.html
======
newscracker
> When presented with different ways to sign on to sites, you can choose
> Google or Microsoft instead of Facebook.

> Yes, it’s possible those companies could be hacked one day, too. After all,
> Yahoo was hacked, as was LinkedIn, as was Equifax. But at this moment, a
> sign-on service by Google or Microsoft has one big advantage over
> Facebook’s: Those companies did not lose control of 50 million people’s
> accounts, and Facebook did.

This argument recommending Google or Microsoft is bad because it rests on the
fact that there was a breach on Facebook.

Centralized authentication mechanisms are bad because they magnify the issues
when breaches happen. At the same time, relying on each site/service to
implement authentication securely and also maintain it securely is a huge task
— something I believe the vast majority of SaaS platforms don’t focus on.

Just like it’s a good idea to use different passwords on different systems,
one should avoid using centralized authentication systems like Facebook,
Google, Microsoft, Yahoo, etc. This comes at the cost of convenience though,
because you can take this to the extreme of having unique login credentials
(user/password) for each service. Using a password manager helps on this front
to keep it easier to follow such an approach.

This is a serious topic that more people should be educated about.

~~~
pintxo
The usual argument being that the large companies have the resources and
knowledge to implement and maintain a secure system. Which, compared to pretty
much any smaller company, is somewhat likely.

But what gets overlooked IMHO is (a) there is also likely much more incentive
to hack Amazon, Google, Facebook than there is to hack any random webshop, and
(b) the power of meta-data (x uses services y,z regularly) we give into the
hands of large companies whose objective is the extraction of as much money as
possible out of their data (see loosely related:
[https://news.ycombinator.com/item?id=18085580](https://news.ycombinator.com/item?id=18085580)).

My stance being that decentralization can solve (a) & (b), and the problem of
secure systems needs to be solved by educating users and developers and at the
same time imposing sensitive regulations on the security to be expected from
any system on the internet.

------
laurex
The article's fundamental argument is that using any separate service to sign
in is a problem, and doesn't really distinguish between signing in with Google
or signing in with Facebook, yet many products with a huge need for security
(protecting PII of users) that I'm familiar with use Google sign-in. That
seems to indicate a fatal flaw somewhere, either in the writer's understanding
of Google sign-in, or the assumptions most companies are making about
security.

~~~
travbrack
It's silly. A security flaw could exist in any other OAuth provider, or
password manager. I bet Facebook handled the incident better than many others
in the industry would have.

~~~
dvfjsdhgfv
> I bet Facebook handled the incident better than many others in the industry
> would have.

And you base this assumption on what grounds?

~~~
travbrack
Things I've read about their bug bounty program and things I've read about
other tech companies' bug bounty programs. No, I don't have links.

------
rcthompson
Is there anywhere I can get a list of all the websites I've ever used my
Facebook account to log in to? I know I've done it for some of them in the
past, but I don't remember which, and if any of them are still websites that I
might use, I want to switch them off Facebook login so I can finally delete my
account (which I don't use for anything else).

~~~
kalleboo
Settings > Apps and Websites > Expired

~~~
rcthompson
Thanks, that's exactly what I was looking for!

------
gavanwilhite
Does anyone know if there is recourse to log into connected sites if your
Google or Facebook account is ever banned?

This is my primary fear in using those sign-in methods.

------
dvcrn
Services that don't have options besides Facebook/Google are the best of the
bunch.

------
swarup182
What about Google login?

~~~
true_religion
Your company may require login via Google.

