
A good reason not to use OAuth only accounts in your apps

rhymes ・ 1 min read

Or at least, not to use Facebook auth.

As you probably know, Facebook just disclosed a data breach affecting at least 50 million accounts (and likely many more than that).

Amid all the information that's coming out, something caught my attention:

Which reminded me of this post by @michael:

There are advantages to using OAuth delegation to log your users in, but it comes with a shared fate: if the provider account is breached, every app that relies on that login for authentication is exposed as well.

Although I haven't seen Facebook-only apps or websites in a while, if you don't fully trust the login provider (who trusts Facebook nowadays?), please give your users an alternative path to authenticate, such as a local email and password login.
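What "an alternative path" means in practice is an account model where a linked OAuth identity is one login method among several, so that cutting off a compromised provider does not strand everyone. The following is an added example written for this page, not code from the post; the account structure, the PBKDF2 cost and the sample users are all assumptions, and `revoke_provider` is the operator-side response to a provider breach that the post only describes in prose.

```python
"""Account model with a local password plus any number of linked OAuth
identities, so that dropping one identity provider does not lock every user
out. Added illustration; not code from the post."""
import hashlib
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

PBKDF2_ROUNDS = 200_000  # assumed cost; tune for your own hardware


@dataclass
class Account:
    email: str
    # (salt, PBKDF2 digest), or None if the user never set a local password
    password: Optional[Tuple[bytes, bytes]] = None
    # provider name -> subject identifier the provider asserted when linking
    identities: Dict[str, str] = field(default_factory=dict)


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def set_password(account: Account, password: str) -> None:
    salt = os.urandom(16)
    account.password = (salt, _digest(password, salt))


def verify_password(account: Account, password: str) -> bool:
    if account.password is None:
        return False  # OAuth-only account: there is no local credential to check
    salt, expected = account.password
    return secrets.compare_digest(_digest(password, salt), expected)


def link_identity(account: Account, provider: str, subject: str) -> None:
    account.identities[provider] = subject


def login_methods(account: Account) -> List[str]:
    """Every way this account can currently sign in."""
    methods = ["password"] if account.password is not None else []
    return methods + sorted(account.identities)


def unlink_identity(account: Account, provider: str) -> None:
    """User-initiated unlink: refuse if it would leave no way to sign in."""
    if provider not in account.identities:
        raise KeyError(provider)
    if len(login_methods(account)) <= 1:
        raise ValueError("refusing to unlink the only remaining login method")
    del account.identities[provider]


def revoke_provider(accounts: Iterable[Account], provider: str) -> List[str]:
    """Operator-initiated response to a compromised provider: drop every identity
    issued by it. Returns the emails of accounts left with no login method at
    all, i.e. the users who now need out-of-band recovery."""
    stranded = []
    for account in accounts:
        if account.identities.pop(provider, None) is None:
            continue
        if not login_methods(account):
            stranded.append(account.email)
    return sorted(stranded)


def demo() -> List[str]:
    # Constructed sample accounts for the demo, not real users.
    alice = Account("alice@example.com")
    set_password(alice, "correct horse battery staple")
    link_identity(alice, "facebook", "10001")   # password AND Facebook
    bob = Account("bob@example.com")
    link_identity(bob, "facebook", "10002")     # Facebook-only account
    carol = Account("carol@example.com")
    link_identity(carol, "github", "carol-gh")  # a different provider only
    return revoke_provider([alice, bob, carol], "facebook")


if __name__ == "__main__":
    print(demo())  # ['bob@example.com']
```

Only the Facebook-only account ends up stranded; the user with a local password keeps signing in, and the GitHub-only user is untouched. The same `login_methods` check backs the user-facing unlink button, so an account can never be talked into removing its last credential.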

PS: Facebook took three days to disclose this to the public.

Posted on Sep 28 '18 by rhymes (@rhymes), Software developer @ DEV

Discussion

 

True, but you realize that FB is still more secure than any custom login system a small company can create.

I always choose OAuth when possible; not FB of course, but Google, GitHub, or something based on Auth0.

I would not trust a sensitive app with their custom login... Especially without a second auth factor.

 

True, but you realize that FB is still more secure than any custom login system a small company can create.

Yes, but we have to consider a few things:

  • yes, FB is technically more secure than example.com, but trust is paramount: if you don't trust them, it doesn't matter that they have world-class programmers working on security
  • yes, FB is technically more secure than example.com, but example.com is not an app designed to siphon ALL of your digital footprint and then monetize it, so if a hacker breaks into example.com they are likely to find far less information about user xyz
  • the hack was going on for months; they only noticed it a week ago because of unusual traffic patterns

I'm also not saying that OAuth shouldn't be used; I'm saying that using only OAuth is maybe not a great idea. It depends on the case: you have to balance the attack surface with the user experience. I think websites should have both custom and OAuth login.

A website that only knows my email and encrypts my password might not be a huge deal if broken into. A website that knows everything about its users IS a huge deal if broken into.

Facebook should make SMS-less 2FA mandatory, for example.

 

I don't see a need for websites to keep your email or username in clear text... I prefer to store them hashed, just like we do with passwords.

This way a compromised database with username, email and password is not that useful to a hacker as far as this hashed data is concerned.

So how do you propose to reset your password? Or how would they contact you?

No need to contact me; they just need to provide the email and everything will work as usual.

When they provide the email, it is hashed as if it were about to be stored in the database; then you look for that hash in the database and, on success, you send a password recovery email.

The only limitation here is that the user cannot recover the password using only the username; they must always provide the email.

There are many reasons to contact you, from legal reasons to subscriptions, payments, notifications, even data breach alerts. If you have a customer you need to have their contact details.

It's common sense and most of the time a legal obligation.

So I can log into your account anytime because I know your email?

@BG Adrian

If you have legal obligations to keep it or really need it for contact purposes, then yes, you would need to keep it in plain text.

But if you only need it for login purposes or to send notifications while the user is logged in, then you can store the emails as a hash in the database.

@rhymes

If you can log into my email account then you can, otherwise you can't.

When I said that it would work as usual, I was referring to the normal process of recovering a password, where an email is sent to your email account with a unique link that normally also has a short expiration time.

Ok, sorry, I misunderstood; I was thinking of passwordless logins.
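The reset flow the commenters sketch above (hash the submitted address, look the hash up, mail a single-use expiring link to the address that was just typed) is workable, and the objection "I know your email, so can I get in?" is answered by the token only ever reaching the mailbox. Here it is as an added example written for this page, not the commenters' code. Two things are my own choices rather than anything said in the thread: the lookup key is an HMAC under a server-side secret instead of a bare hash, because email addresses are low entropy and a plain hash table could be matched against a list of guessed addresses; and the in-memory store, the outbox list standing in for SMTP, and the 15-minute TTL are assumptions for the demo.

```python
"""Password reset that never stores the plaintext address: users are keyed by
an HMAC of the normalised email, and the reset mail goes to the address the
requester just submitted. Added illustration; not the thread's code."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List, Tuple

EMAIL_KEY = b"server-side secret; assumed, keep it out of the database"
TOKEN_TTL = 15 * 60   # seconds a reset link stays valid (assumed)


def email_index(email: str) -> str:
    """Deterministic lookup key for an address. Keyed, so a leaked table cannot
    be matched against guessed addresses without EMAIL_KEY. Lower-casing the
    whole address assumes the local part is case-insensitive, as in practice."""
    canonical = email.strip().lower()
    return hmac.new(EMAIL_KEY, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def password_digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def token_index(token: str) -> str:
    # Only the hash of the token is stored, so a DB read cannot redeem it.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetService:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.users: Dict[str, Tuple[bytes, bytes]] = {}    # email_index -> (salt, digest)
        self.pending: Dict[str, Tuple[str, float]] = {}    # token_index -> (email_index, expiry)
        self.outbox: List[Tuple[str, str]] = []            # (address, token); stands in for SMTP

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[email_index(email)] = (salt, password_digest(password, salt))

    def login(self, email: str, password: str) -> bool:
        record = self.users.get(email_index(email))
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(password_digest(password, salt), digest)

    def request_reset(self, email: str) -> None:
        """Same observable result whether or not the address is registered, so
        the form cannot be used to enumerate accounts."""
        idx = email_index(email)
        if idx in self.users:
            token = secrets.token_urlsafe(32)
            self.pending[token_index(token)] = (idx, self.clock() + TOKEN_TTL)
            # The plaintext address is used once for delivery and never stored.
            self.outbox.append((email, token))

    def redeem(self, token: str, new_password: str) -> bool:
        entry = self.pending.pop(token_index(token), None)   # single use
        if entry is None:
            return False
        idx, expiry = entry
        if self.clock() > expiry:
            return False
        salt = secrets.token_bytes(16)
        self.users[idx] = (salt, password_digest(new_password, salt))
        return True
```

The stored table holds only HMAC keys, salted password digests and hashed tokens, so a database dump yields neither addresses nor usable reset links; what the design gives up is exactly the limitation named in the thread, recovery by username alone and any out-of-band contact with the user.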

 

OAuth was initially just a way for other websites to access data on Twitter and Facebook without asking their users for passwords, which obviously is dangerous. This was then expanded to a vision of a network of distributed identity providers and identity consumers. In reality, it never really grew out of Twitter and Facebook, since the biggest identity providers are also the biggest identity consumers: one's identity is inherently defined by its relationship to other identities. So it really ended up becoming an alternate LDAP.

 

The OpenConnect part of distributed identity was kinda "lost in translation" :-(

 

I think the OpenConnect part is nicely translated, because OpenID still works as designed, and we do have different ID providers competing, like Google, Twitter, Facebook, Microsoft, GitHub, etc. However, I believe that trust cannot be decentralized to the point of a social Web Of Trust.

Way before the Internet, the trading market was a decentralized network. It started as community markets, then those networks connected through agents, which developed into brands and corporations. From the retail network emerges Walmart et al. From the animal farming network emerges Tyson et al. From the stock market emerges NYSE et al. From the personal homepages emerges Facebook et al. From the datacenter network emerges AWS et al. and Cloudflare et al.

In the end, our brains are limited in memory, our actions are limited in time, and there is a limit to how many connections we each can manage. This limit is called Dunbar's number, and is proposed to be between 100 and 200. Beyond that, we start to need rules as the basic consensus upon which we can interact. We need central authorities to create, update, and enforce those rules. When a network of such authorities forms, a higher authority would emerge so that the authorities have a basis to interact upon.

I think OpenConnect has done a good job. The rest are on the researchers of distributed contract systems, and artificial intelligence systems. Maybe we will make such a very perfect distributed system. We will for sure name it SkyNet.

 

Duly noted as the webmaster of an OAuth-only app. We have good reasons for restricting to existing social profiles for spam/harassment purposes, but I think we should build the path for signing in and maintaining accounts via email/password.

 

How about "simply" social + 2FA? Google Authenticator & Yubikey ftw.

 

Facebook took three days to disclose this to the public because that was the maximum amount of time they could wait under the GDPR. They notified the FBI the day before.

But, y'know, they also prevented people from posting the Guardian's article about the breach on Facebook. Their super smart AI that's going to solve and automate global content moderation marked the hot news as spam because a lot of people posted it. As if it wasn't manually added to the spam filter.

 

Yeah, that too. BTW, Zuckerberg's and Sandberg's accounts were also breached. I noticed a tweet from the head of the FTC asking for answers.

I hope they get regulated; fines are meaningless.

 

A fine means "legal for rich people," and they're particularly ineffective against corporations. :/ Putting teeth back into our regulations is the only way forward, I agree.

 

I'm personally against OAuth, especially for sensitive applications.

Not particularly against it, but I refuse to use it. XD