This is a transcript of episode 74 of the Let’s Get Data-Driven Podcast
I’m Lanie Lamarre and I think pumpkin spice is over-rated and molasses cookies are under-rated – come at me, brah! Choices can be hard, and knowing which login option to choose can definitely be a head-scratcher but we’ve got each other, boss, and I’m here to make your next choice easier when you’re wondering if you should create new accounts using your email or if it’s better to use those “Login with Facebook” or Google buttons that will auto-magically create those same accounts for you.
You’re on a website and you’re prompted to create a new account and you have some choices. You can either use the “Log in with Facebook” or “Log in with Google” buttons or you can manually enter all your personal information by registering for a whole new account using your email address and jumping through the hoops of validating your identity.
There are pros and cons to selecting either option so let’s get clear as to what exactly is happening when you create new accounts in these ways so you can make some informed decisions about which option is best for you.
HOW IT WORKS
And to do that, we’re going to start by getting clear as to how this all actually works and it works based on technology called Open Authentication – or what cool kids like us call OAuth – and Hewlett-Packard defines it as “a technological standard that allows you to share information between services without exposing your password. It’s a widely-adopted standard that’s used by developers of websites and apps, and you probably use services every day that utilize OAuth.”
Instead of having to create a new account with a new user name, another password, typing in your personal information, verifying you’re not a bot and replying to the email to further validate your identity, you can just let Facebook or Google or whichever button you select do all of that information trading for you.
The biggest advantage for you is that you don’t have to create this whole new account from scratch. It’s not just about the time it takes to create this account by using your email address, but it’s also that you have one less password floating out there and that can definitely be a good thing. Should that website experience a data breach where your account information is exposed, the password you used to create that account won’t end up for sale somewhere on the dark web (and for those of you who re-use the same password on multiple accounts, this most certainly is advantageous… although I would suggest mixing up your passwords as much as possible because it does create risks that we can maybe talk about on another episode.)
On a similar note, in case you’re wondering, the answer is “no” as to whether Facebook or Google share your profile password with this new website or third-party app you’re registering the account using those profiles; your original profile password information stays within those initial accounts and is typically not shared with this new account you’re creating (but we’ll talk about that a little more later.)
Another advantage to using the “Login with…” buttons is when you’re using two accounts that interact with each other. For instance, when you’re using a social scheduling tool, you don’t want to have to share your Instagram password with your scheduler to ensure it has access to your platform, but OAuth technology allows you to sync and connect your accounts without having to enter those sensitive details.
Can this daisy-chain of accounts backfire on you, though? Well, of course it can!
Whichever of the profiles you’re using that has the highest security risk also represents the weakest link in your daisy-chain of accounts. If your Facebook account gets hacked, for instance, that hacker now also has access to all of the accounts you created using your Facebook profile.
Another disadvantage is the exact flipside to its advantage: yes, your third-party account gets created auto-magically and you didn’t have to jump through all the hoops… but that’s only because your profile jumped through those hoops on your behalf. You may not have entered this information into your new accounts creation but data about you was certainly collected and you can expect that more is being shared about you than you would have voluntarily entered if you had create the new account on your own.
What type of data? Information like your name, your birthday, your contact list, your messages, your photos and a slew of other personal data that your profile is populated can be shared with this third-party website or app once you consent to creating your account in this way. You may even be granting them access to post content to your Facebook profile on your behalf, or if you’re using Google, you may be granting them access to your Calendar AND your email AND your Google Drive, so you want to pay attention to what exactly is being accessed before you give your permission. You’ll generally be alerted as to what you’re giving permission to access in the little pop-up asking you to consent so keep your click-happy finger in check and actually read through what you’re agreeing to. I mentioned earlier that your actual password doesn’t typically get shared but that’s where you have some work to do, because it’s up to you to read what exactly you’re agreeing to when you’re providing your consent.
A little #protip about which option to select: it’s worth thinking about which accounts and profiles house the most and the least personal information when you’re making your selection as to which profile you want to use to login with. For instance, Facebook has a lot more personal information about you at its disposal to share than say, your Pinterest account does. After all, your Pinterest account probably doesn’t have access to your phone photos the way Facebook does and most people aren’t using Pinterest DMs the way they do Facebook Messenger.
Let’s be honest: companies like Facebook and Google are far less likely to be hacked than a small website or third-party app is, so there is some security to be had with creating accounts using those profiles instead of creating a whole new, unique account that is probably easier to hack. As always, though, human error is probably the biggest vulnerability you’re dealing with (pesky humans!) and I hate to break it to you, but you ARE only human.
If you choose to use these profiles to create new accounts, don’t be “that human” who becomes the reason their own information was exposed. Choose unique passwords on these platforms – no recycled passwords on these accounts, please – and for the love of everything good, turn on your two-factor authentication.
Is it a pain in the booty to have to login to your account twice every time you do login? Yes, of course, and that’s the point; if it’s an inconvenience for you to have an extra step of verifying your identity on your phone when you login to Google on your laptop, that means it’s a downright challenge for anyone else trying to access those same accounts for malicious reasons.
I’ll add to this that even if you are creating new accounts every time, and that you store all those user names and passwords in a password management tool, make sure your password management tool has two-factor authentication enabled. Yes, it’s annoying to have to login with a password and then reply to pop-up on your phone verifying that you were trying to access your account, but the internet is a bad neighborhood, kids, and you wanna make the effort of keeping your doors locked.
WHICH SHOULD YOU USE?
But all of this begs the question: should you login with your profiles or should you create a new account? I know you hate this answer – I hate it, too – but as always, it depends.
You have to account for the pros and cons when deciding what type of account to create. For instance, like our earlier example of using a social scheduling app, it would make sense to connect it to your Instagram profile because you’ll be syncing the contents of these 2 accounts in any case. Meanwhile, that free game you play on your phone while you watch Netflix (I know you. I play games when I watch Netflix too. Crosswords, usually) is asking you to create an account to ensure you don’t lose your progress, but do you really need that to be connected to your Google account and share all the personal information it contains? Probably not.
Likewise, you don’t want to connect anything related to financial details or social security/insurance numbers or anything like that. Before you make your selection, take a time-out to assess HOW you’ll be using this new website or third-party app you’re signing up for to make the right judgement call about the information it’s going to house on your behalf.
MITIGATING YOUR RISKS
Now what if you’ve already created a bunch of accounts using those login buttons but you’re feeling some type of way about it all? You can totally follow up on who and what you’ve authorized access to, and you can change those accesses.
For Facebook, go into your Settings > Settings & Privacy > Permissions: Apps & Websites. You’ll be able to see which third-party apps are active, which are expired, and you can remove who and what you no longer want to share.
For Google, go https://myaccount.google.com/security and look under Third-Party Apps to see and manage which apps have access to your account information
Let’s pretend for a second that you actually do read what you are agreeing and consenting to when you create accounts in this way; you can also expect to receive pop-ups and emails alerting you of privacy changes and changes to the terms of service to the accounts you’ve registered with. Pay attention to these and even if you don’t understand what the terms actually stipulate, it’s a good idea to treat these as a reminder to check in on the privacy settings you have on those accounts after whatever update they’re telling you about takes effect. You don’t have to be a privacy lawyer to check in on your settings and see if there’s anything you’re maybe less than comfortable with.
As an additional #protip safeguard that has nothing to do with your account creations but everything to do with the information you or someone else may have provided about you that you don’t necessarily want to have floating around, you can remove some of that information from Google Search results. To do that, go to https://support.google.com and in the search bar, enter the words “remove personally identifiable information”. You’ll then select that first option that shows up and follow the prompts from there to remove information you may not want search results to come up with, like your home address or your signature or your bank account or credit card numbers, just to name a few worrisome examples.
On a personal note, I’m always impressed by people who are like “I’ve never had a Facebook account” because it’s like, HOW are you able to even EXIST in this day and age without one? There are times where your existence on this earth is only validated by your having these accounts. I mean, have you tried creating a new account on AirBNB and booking a property for the first time without having it connected to Facebook? You may as well be telling the host you’d like to turn their house into a crime scene.
And that’s just one example of how these profiles validate our existence in the online world, both to others as well as the services we’re using, and it has its benefits but it isn’t without its shortcomings either.
I remind you of this a lot but you’re the boss, apple sauce, so it’s up to you to make the decisions that are best for you and how you want to operate.
Talk soon, baiieeeee!