
Social Login - Sign In with Google, Apple, and More


Social login is a mechanism that lets you log in to external services using a social media account such as Google, Apple, or Facebook. Users do not need to create a new password and can start using a service easily with their existing account information. Technically, it is based on the OAuth 2.0 and OpenID Connect (OIDC) protocols, and its major characteristic is that authentication is completed without entrusting a password to the service.

How OAuth 2.0 / OpenID Connect Works

Behind social login, the OAuth 2.0 Authorization Code Flow is at work. When a user presses the "Log in with Google" button, they are first redirected to Google's authentication screen, and once the user grants permission, an authorization code is returned to the service. Using this authorization code, the service obtains an access token and an ID token from Google and receives the user's identifying information (email address, name, and so on). What matters is that the service never touches the user's password. Because password verification is completed entirely on Google's side, no password for that account is stored by the service, so none can leak even if the service's database is compromised.
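The flow described above as an added, self-contained Python example; it is not code from the original article or from any provider. Both sides run in one process: the provider (consent screen and token endpoint) is a constructed stand-in with a hypothetical issuer, client id and redirect URI, and the ID token is signed with an HMAC demo key rather than the RSA/EC keys real providers publish via JWKS. The point it demonstrates is the service-side work that makes "never touches the password" safe in practice: binding the callback to the session with `state`, binding the code to the client with PKCE, and verifying the ID token's signature, issuer, audience, expiry and `nonce` before trusting any identity claim.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed configuration for a hypothetical provider and relying party (not Google's real endpoints).
ISSUER = "https://idp.example"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://service.example/callback"
PROVIDER_KEY = b"constructed-demo-signing-key"  # demo HMAC key; real providers use RSA/EC keys from JWKS
_PENDING = {}  # provider-side memory of issued codes: code -> (code_challenge, nonce)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def start_login():
    """Service side, step 1: build the redirect to the provider and remember the per-login secrets.
    state ties the callback to this browser session (CSRF defence), nonce ties the ID token to
    this attempt (replay defence), and the PKCE verifier stops a leaked code from being exchanged."""
    session = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16),
               "code_verifier": secrets.token_urlsafe(32)}
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid email",  # request only what the service needs
              "state": session["state"], "nonce": session["nonce"],
              "code_challenge": b64url(hashlib.sha256(session["code_verifier"].encode()).digest()),
              "code_challenge_method": "S256"}
    return ISSUER + "/authorize?" + urlencode(params), session


def simulated_provider_authorize(auth_url: str) -> str:
    """Stand-in for the provider's consent screen: the user approves and the provider
    redirects back with a single-use authorization code plus the original state."""
    q = parse_qs(urlparse(auth_url).query)
    code = secrets.token_urlsafe(8)
    _PENDING[code] = (q["code_challenge"][0], q["nonce"][0])
    return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})


def simulated_token_endpoint(code: str, code_verifier: str, now: int) -> str:
    """Stand-in for the provider's token endpoint: checks PKCE, then issues a signed ID token."""
    challenge, nonce = _PENDING.pop(code)  # pop: the code cannot be exchanged twice
    if b64url(hashlib.sha256(code_verifier.encode()).digest()) != challenge:
        raise ValueError("PKCE verification failed")
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123", "email": "alice@example.org",
              "iat": now, "exp": now + 300, "nonce": nonce}
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(PROVIDER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """Service side, step 3: never trust claims before checking signature, iss, aud, exp and nonce."""
    header, payload, sig = token.split(".")
    expected = hmac.new(PROVIDER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was issued for a different client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def handle_callback(callback_url: str, session: dict, now: int) -> dict:
    """Service side, step 2: check state, exchange the code, verify the ID token, return identity."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: callback does not belong to this session")
    id_token = simulated_token_endpoint(q["code"][0], session["code_verifier"], now)
    return verify_id_token(id_token, session["nonce"], now)


def run_login(now=None) -> dict:
    """Whole flow end to end; the service ends up with verified identity claims and no password."""
    now = int(time.time()) if now is None else now
    auth_url, session = start_login()
    callback_url = simulated_provider_authorize(auth_url)
    return handle_callback(callback_url, session, now)


if __name__ == "__main__":
    print(run_login())
```

In a real deployment the token exchange is an HTTPS POST to the provider's token endpoint and the signature check uses the provider's published JWKS; the order of checks and the reasons for them are what carry over unchanged.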

Differences Between Google, Apple, and Facebook Login

Even within the same social login, providers differ greatly in their stance on privacy. Apple's "Sign in with Apple" offers a relay feature that hides the user's email address, so only a random email address is passed to the service. Google login shares your email address and profile information, but the user can finely control the scope (the range of what is shared). Facebook login has historically tended to demand broad data access, and in the 2018 Cambridge Analytica incident it came to light that the data of tens of millions of people had been illicitly collected through social login. The choice of provider should be made carefully not merely for convenience but also from the standpoint of protecting privacy.

The Trade-off Between Convenience and Risk

The greatest benefit of social login is relief from password fatigue. The average user is said to have more than 100 online accounts, and unless they use a password manager, reusing passwords becomes the norm. Social login mitigates this problem but creates a different risk. The most easily overlooked is the excessive granting of permissions. At login you may be asked for unnecessary permissions such as "access to contacts" or "viewing your posts," and granting them carelessly causes your personal information to be shared broadly. Please also refer to the article that explains the risks of OAuth permissions in detail.

For balancing authentication and privacy, web authentication security books (Amazon) are also a helpful reference.

Risks When a Social Media Account Is Suspended

With services that depend on social login, there is a danger of losing access in a chain reaction if the social media account is suspended or deleted. Account suspension on social media platforms can happen without warning, and it is not uncommon for an appeal to take several weeks. During that time, services accessible only via social login become completely unusable. As a countermeasure, it is important to set up an alternative login method using an email address and password after registering with social login. As with single sign-on, a design that avoids a single point of failure is required.

The Privacy Perspective

When you use social login, the social media provider can track which services you log in to and when. This is a form of cross-site tracking and may be used for ad targeting. From the standpoint of privacy regulations such as GDPR, it is important for users to accurately understand the range of data shared through social login and to make a habit of refusing unnecessary permissions. In the privacy settings guide, you can learn how to manage permissions on each platform. In phishing attacks, a technique of displaying a fake social login screen to steal access tokens has also been confirmed, so always verify that the URL of the login screen is legitimate.
