2y ago

Why you should never use Facebook or Google to log in to third party websites - what to do instead

tilvids.com

36 comments

This is bad advice. Federated identity and oauth are great tools. You need to use the right identity provider.
When some random website gets hacked and has its authentication database dumped your credentials won’t be in there.
You can see what a website has access too from your identity provider.
It’s federation. It’s a trust model. Like the fediverse.
- The biggest reason not to use a single account like this is that you lose everything if you lose the owning account. It’s bad advice to say you should absolutely do one or the other. It’s good advice to consider the risks.
  
  So you create a new email for every account you make?
- deleted
  
  They handle it better and your options to respond are better.
  You can immediately invalidate all associations for instance. You can revalidate them too once your identity provider is back up and running. Okta is going through this right now I believe, but I haven’t been paying a whole lot of attention to it.
  There’s no password with federated sites. It’s certificates to prove the connection is valid, and tokens.
  The federated website could chose to save nothing about you. It would make it a lot easier for them to do so, as it means less resources to manage, and less PII to be concerned about storing.
- What’s considered a good id provider?
  
  One you have a business relationship with. You can sign up for a paid account with google or Microsoft. Use your own domain. Disable what ever adware options you’d like, and use that as your identity provider.
  While you can roll your own, many services if they even support custom saml federation only do so for enterprise customers. You’re much more likely to find useful federated services with google or MS.
  I would never recommend Facebook.
Seems someone doesn't understand how OAuth works. It does not automatically give full access to your social media accounts, location history, and device cameras as the video says.
Using the Google button for instance will tell you exactly what permissions are being requested every time you login. Generally, it will be name, email, language, and sometimes profile picture. Aside from the profile picture you would give all the same information anyway to create an account. At least with OAuth there is no worry about passwords, especially for people who don't have good password practices and reuse passwords between different sites.
- What caught me most off guard was him saying that OAuth somehow grants sites access to your camera. That's a permission controlled by the browser and not at all related to OAuth.
- I've always had this question. When I login with Google, I know what data the website will get from my Google account. But what data can Google get from the website and my usage of it, if any? (besides, of course, that I have an account on said website).
How about a headline that’s not pure clickbait.
- NEVER CLICK THESE ↪️
- How else would you attract the paranoid weirdos.
What to do instead - be a normal human and create an account at the website.
- After generating a unique email and password combination for said website.
  
  ...then storing that information in Chrome's auto-fill because that's way too much to remember. And the circle is complete.
  
  https://www.guerrillamail.com/
- And get your login details stolen because they didn't hah and salt passwords correctly when the site is almost immediately hacked.
  
  random password, email alias
I just went through yesterday and killed a couple of these. Unfortunately, Airbnb retained my photo after I pulled the permission.
Mango
- Such is

36 comments