Do third-party login tools make your site vulnerable?

10 Dec 2014

On the web, we're now in the age of "Log in with Facebook" and "Log in with Twitter." Often, this is seen as a convenience to users: if your target audience already uses a particular platform, especially if the content stored in that platform might improve the user's experience, does it make sense just to let them "log in with X"? Are there any security risks associated with using OAuth (or its less-well-known cousin, OpenID), rather than maintaining your own database of user accounts? (Strictly speaking, OAuth is an authorization protocol; "log in with X" sites use it for authentication by asking the provider for the user's profile once access has been granted, which is what OpenID Connect later standardized on top of OAuth 2.0.)

The short answer is "no, not really," but of course this comes with a few caveats. Ultimately, there are security risks inherent in both approaches.

Storing passwords demands responsibility

We'll start off with a security argument in favor of using third-party authentication. If you maintain your own database of user accounts, you are responsible for keeping this information safe. And it's not just a username and password we're talking about here. Most likely, you also store a user's email address, so you can let them reset their password. You may even store their mobile number if you support two-factor authentication. Keeping the password column safe means, at a minimum, never storing the password itself but only a salted hash computed with a deliberately slow function, so that a leaked database does not hand an attacker every user's password in the clear.
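To make the "responsibility" concrete, here is the minimum a site that keeps its own account database should do with passwords. This is an added example, not code from the original post; it uses only the Python standard library, and the iteration count, salt size and record format are assumptions you would tune for your own hardware and schema.

```python
import hashlib
import hmac
import os

# Added example (not from the original post). PBKDF2-HMAC-SHA256 from the
# standard library; the iteration count is an assumption: tune it so that a
# single hash costs tens of milliseconds on the hardware that runs your login.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
HASH_NAME = "sha256"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex).

    A fresh random salt per user means two users with the same password get
    different records, and a precomputed table is useless against the dump.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt and iteration count stored in the record.

    The comparison is constant-time so a login endpoint does not leak how many
    leading bytes of the hash matched. Malformed records simply fail closed.
    """
    try:
        algo, iterations_str, salt_hex, digest_hex = record.split("$")
        hash_name = algo.split("_", 1)[1]
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations_str)
    except (ValueError, IndexError):
        return False
    candidate = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if the stored record is weaker than the current policy.

    Call this after a successful login and re-hash with the user's password
    while you still have it, so old records are upgraded over time.
    """
    try:
        return int(record.split("$")[1]) < iterations
    except (ValueError, IndexError):
        return True
```

Because the record carries its own algorithm and work factor, raising the iteration count later does not invalidate existing accounts: `verify_password` keeps accepting old records, and `needs_rehash` tells you which ones to upgrade on the user's next successful login.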

Rolling your own system requires maintenance

While this isn't necessarily a security topic, it can turn into one. Building an authentication system from scratch takes time, and if time to market is critical, this may be time you don't have. However, once a system is running, any bugs that crop up are your responsibility and can turn into a security nightmare if not fixed immediately. Third-party authentication providers, on the other hand, have teams working daily to keep their systems secure.

Most OAuth providers are social networks

This is one security risk associated with using a third-party authentication provider. Social networks are among the most-attacked services, specifically because they contain so much valuable social data about people, data that makes other attacks easier. For instance, think about how many answers to common security questions are published on your social media profiles (there will be another blog post soon specifically on this topic).

Single sign-on creates a Single Point of Failure

Both OAuth and OpenID, as used for "log in with X", are forms of "Single Sign-On" (SSO): one username and password that you use to sign into multiple services. While this is certainly enticing from the user convenience perspective, it also means that if that one account is compromised, an attacker has access to everything you used it to log into. In the case of a corporate intranet (the original SSO situation), the damage is relatively limited. However, with all the services that allow us to log in with our social media profiles, the damage can be widespread and difficult to track down. There is a second, less obvious point: outsourcing authentication does not outsource the integration. An OAuth callback on your side that does not verify the `state` parameter, or that accepts a redirect to anything but the exact URI you registered, reintroduces cross-site request forgery into the login flow regardless of how secure the provider is.
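The `state` check mentioned above is the piece of an OAuth 2.0 authorization-code login that lives entirely in your own code, and it is the one most often skipped. The following is an added example, not code from the original post or from any provider's SDK: it builds the authorization request with a fresh unguessable `state` bound to the user's session, then validates the provider's redirect back. The provider endpoint, client ID, redirect URI and the dict standing in for a server-side session are all placeholder assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Added example (not from the original post). Endpoint, client_id and
# redirect_uri are placeholders; substitute the values your provider issued.
AUTHORIZE_ENDPOINT = "https://provider.example/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://yoursite.example/oauth/callback"


def build_authorization_url(session: dict) -> str:
    """Step 1: mint an unguessable state, store it in this user's server-side
    session, and send the browser to the provider with it."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,   # must match the URI registered with the provider exactly
        "scope": "openid email",
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Step 2: validate the redirect the provider sent the browser back with.

    Returns the authorization code to exchange for tokens. Raises ValueError
    when the state is missing or does not match the one this session issued
    (a forged or replayed callback, i.e. login CSRF), or when the provider
    reported an error instead of a code.
    """
    query = parse_qs(urlparse(callback_url).query)
    # Consume the stored state no matter what: it is single-use, so a second
    # delivery of the same callback URL must fail.
    expected_state = session.pop("oauth_state", None)
    received_state = query.get("state", [None])[0]
    if expected_state is None or received_state is None:
        raise ValueError("missing state: callback was not initiated by this session")
    if not hmac.compare_digest(expected_state.encode("utf-8"), received_state.encode("utf-8")):
        raise ValueError("state mismatch: callback was not initiated by this session")
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code
```

The code returned here is only the first half of the login; it still has to be exchanged server-to-server for tokens, and the user identity should come from that exchange (an ID token or a profile call), never from anything the browser supplied in the callback URL.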

The takeaway is that both authentication mechanisms have risks associated with them and, to a certain extent, it is as the Depeche Mode song says: "It's a question of trust." Who do you trust more to be a secure authentication provider: your IT maintenance team or a third party?