Long time software architect, CTO Authress, creating application security plug-ins for any software application with Authress. Talk to me about security in microservices or service authorization.
That's because most companies are not security competent. Sure I would never hand my data over to Facebook, but Google has proven they don't know what do with it anyway. Realistically you must trust some repository for storing access credentials. Using federated login is much safer than using Lastpass, 1Password, etc... If you want a privacy first federated login, come talk to me in a couple of months, Authress will have that capability.
If you don't use a social login, the site you are using will most likely leak all your data. And sure for a blog you can argue nothing bad, but a site that I put my credit card in, I would never trust that site to handle my data correctly. It usually ends up like this: Hacked home cams used to livestream police raids in swatting attacks.
For credentials, sure. But social login doesn't come with simply credentials storage but with an agreement to allow monitoring online behaviour to the extent that a user needs to put in place a lot of serious safeguards to protect their data and prevent traces, doubly so if they have social media presence.
Without social media profile, some generic data can be leaked, but it's much easier to prevent it even with basic modern browser enhancements.
Password storages, I trust (so far) which is why I prefer the password storages + generated password rather than social login.
Unless you mean biometrics, I don't see how that goes. Social login means the password is handled by Facebook. But it's still a password just somewhere else, incidentally with a bigger footprint, a bigger target both for hacking and phishing. I have nothing against providing social login as an alternative, just not a replacement for user password (with 2fa, maybe).
If there's a breach on their side, you can't do much except remove that provider.
That's because most companies are not security competent. Sure I would never hand my data over to Facebook, but Google has proven they don't know what do with it anyway. Realistically you must trust some repository for storing access credentials. Using federated login is much safer than using Lastpass, 1Password, etc... If you want a privacy first federated login, come talk to me in a couple of months, Authress will have that capability.
If you don't use a social login, the site you are using will most likely leak all your data. And sure for a blog you can argue nothing bad, but a site that I put my credit card in, I would never trust that site to handle my data correctly. It usually ends up like this: Hacked home cams used to livestream police raids in swatting attacks.
For credentials, sure. But social login doesn't come with simply credentials storage but with an agreement to allow monitoring online behaviour to the extent that a user needs to put in place a lot of serious safeguards to protect their data and prevent traces, doubly so if they have social media presence.
Without social media profile, some generic data can be leaked, but it's much easier to prevent it even with basic modern browser enhancements.
Password storages, I trust (so far) which is why I prefer the password storages + generated password rather than social login.
I would go password less for 2021, people are just dumb with passwords.
Unless you mean biometrics, I don't see how that goes. Social login means the password is handled by Facebook. But it's still a password just somewhere else, incidentally with a bigger footprint, a bigger target both for hacking and phishing. I have nothing against providing social login as an alternative, just not a replacement for user password (with 2fa, maybe).
If there's a breach on their side, you can't do much except remove that provider.
Totally agreed.