

Ask HN: Is social login akin to "same password everywhere"? - phantom_oracle

I was just thinking about this. Practically every site that has read some marketing opinion that you can sign up users faster by using social login enables people to create profiles on their websites/services.

Based on that, it also occurred to me that compromising that single social account will in fact compromise practically all accounts linked to it, and those linkages are not hard to find either.

What do you all think of social login?

Is it simply the fancy version of "same password everywhere"?
======
onion2k
Not really. With social login the security of the user's accounts across all
the things they log in to is based on the security of the social provider they
choose. So, if my chosen provider is Twitter, the security of all the web
services I use will be compromised if Twitter's security is breached.

In the case of using the same password everywhere, the security of all the web
services I use will be compromised if any one of those services is breached.

It's one point of failure from a trusted source versus _n_ points of failure
from multiple untrusted sources. That's a pretty big difference.

------
Piskvorrr
You are indeed delegating the identification and authentication to one point,
and - by definition - introducing a single point of failure, yes. Then, it
depends how well your "single point" is protected.

I definitely don't recommend making your social network account into a
single-login point; if anything, using a dedicated, well-secured login service
(such as _a few_ of the OpenID providers) would be a better fit.

In social networks, an account compromise is more a question of "when" than a
question of "if."
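
The "one point of failure versus _n_ points of failure" distinction onion2k and Piskvorrr describe can be made concrete by modelling a user's accounts as a dependency graph and counting which nodes, if compromised, reach every account. The following is an added example, not code from the thread; the account names, the provider "twitter" and the two edge lists are constructed to illustrate the two models (an edge A -> B means "whoever controls A can log in to B").

```python
"""Blast radius of a credential compromise: social login vs password reuse.

Added example, not from the thread. Accounts and providers are constructed
nodes; an edge A -> B means "whoever controls A can log in to B".
"""
from collections import deque

# Constructed account set shared by both models.
ACCOUNTS = ["shop", "forum", "news", "mail"]

# Model 1: every site delegates authentication to one social provider.
# Only the provider (and the password that guards it) leads anywhere else;
# a breach of an individual site does not let the attacker into the others.
SOCIAL_LOGIN_EDGES = [("twitter_password", "twitter")] + [
    ("twitter", site) for site in ACCOUNTS
]

# Model 2: one password reused everywhere. A breach of any site can leak the
# password (it is stored there and ends up in dumps), and the password opens
# every site, so the edges run in both directions.
SHARED_PASSWORD_EDGES = [("shared_password", site) for site in ACCOUNTS] + [
    (site, "shared_password") for site in ACCOUNTS
]


def blast_radius(edges, start):
    """All nodes an attacker reaches from `start` by following edges (BFS)."""
    graph = {}
    for src, dst in edges:
        graph.setdefault(src, []).append(dst)
    reached = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in reached:
                reached.add(nxt)
                queue.append(nxt)
    return reached


def total_compromise_points(edges, accounts):
    """Nodes whose compromise alone reaches every account: the thread's
    'one point of failure' (social login) versus 'n points' (reuse)."""
    nodes = {n for edge in edges for n in edge}
    wanted = set(accounts)
    return sorted(n for n in nodes if wanted <= blast_radius(edges, n))


if __name__ == "__main__":
    for name, edges in [("social login", SOCIAL_LOGIN_EDGES),
                        ("same password everywhere", SHARED_PASSWORD_EDGES)]:
        points = total_compromise_points(edges, ACCOUNTS)
        print(f"{name}: {len(points)} node(s) compromise everything -> {points}")
        print(f"  breach of 'shop' alone reaches: {sorted(blast_radius(edges, 'shop'))}")
```

Under the social-login model only the provider and its own credential reach every account, and a breach of one relying site stays contained to that site; under the shared-password model every site is a total-compromise point, because any one breach yields the password that opens the rest. The model deliberately ignores how likely each node is to be breached, which is exactly the residual question Piskvorrr raises: a single point is only better if it is genuinely better protected than the average site.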

------
YoAdrian
This is all essentially an implementation of "OpenID".
[http://openid.net/](http://openid.net/)

I was using OpenID through a particular website to log into about 10
different sites. That OpenID provider decided to shut down since so many
social networks were offering the same service. Now I mostly use Google and
Facebook (depending on what each site allows). If either of their login
services become compromised, we have bigger problems.

------
facorreia
I think it is. I rarely use this option, preferring to create unique accounts
for each service. I suppose most people will just use their Facebook account
wherever they can and possibly think all those services are "Facebook"
somehow.

There is a trade-off between security and convenience and people are known to
choose the path of least resistance. So unfortunately, online security is not
great at this time.

------
phantom_oracle
Just considering it more deeply, I am wondering now how privacy policies are
affected if social network accounts/passwords are compromised, which leads to
'linked' accounts being compromised too.

