A Better Way to Log in

We’ve all used the “Sign in with Google” or “Log in with Facebook” buttons. They let us sign up for a new account and get access to an app without handing that app our email address or password.

Yet, how does OAuth actually work, and how safe is it? In this post, I will cover both how OAuth works as well as the benefits and drawbacks of using it.

How Does OAuth Work?

Two-thirds of Americans report using the same password across multiple accounts, making them vulnerable to security breaches. OAuth, via sites like Google and Facebook, gives users a more secure way to sign in. OAuth (Open Authorization) is an open-standard authorization protocol or framework that provides applications the ability for “secure designated access.” In other words, you can share information with websites or applications without giving away your passwords.

Instead of using a username and password, OAuth uses authorization tokens to grant a consumer application limited access to a service provider on your behalf. OAuth allows you to approve one application interacting with another for you. The simplest case is when you want to log in to a website with credentials from another site. The only piece of information the consumer site wishes to know is that you are the same user on both websites and that you have logged in successfully to the service provider website. For example, you are using an app that wishes to access your Facebook pictures. You are logged in to the service provider, Facebook. You grant permission to the consumer application to access your photos. Because OAuth is about authorization, or granting permission, instead of authentication, or proving you are the right person with email and password, you have peace of mind knowing that access to your data is limited and your login information is secure.
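The flow described above, as an added example that is not part of the original post: a consumer app ("photo-printer", a hypothetical name) asks a service provider for read access to a user's photos. The provider and consumer are constructed in-memory stand-ins, and the user accounts, photo lists and redirect URI are constructed sample data. The password is only ever checked by the provider; the consumer receives a short-lived, single-use authorization code and then an access token that carries only the granted scope. The example also shows the two checks a consumer and provider make so that a stolen or replayed code is useless: the consumer verifies the `state` it generated, and the provider verifies a PKCE code verifier against the challenge it received when the code was issued.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


def pkce_challenge(verifier: str) -> str:
    """S256 transform: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class ServiceProvider:
    """Constructed stand-in for a provider such as Facebook: holds accounts,
    issues single-use authorization codes and scoped access tokens."""

    def __init__(self):
        self.users = {"alice": "correct horse battery staple"}   # constructed
        self.photos = {"alice": ["beach.jpg", "dog.jpg"]}         # constructed
        # Registered consumers and their exact redirect URIs (constructed).
        self.clients = {"photo-printer": "https://printer.example/callback"}
        self._codes = {}    # code -> (user, client_id, scope, code_challenge)
        self._tokens = {}   # access token -> (user, scope)

    def login(self, username, password):
        # The password is typed here, at the provider, never at the consumer.
        return self.users.get(username) == password

    def authorize(self, user, client_id, redirect_uri, scope, state, code_challenge):
        # Only redirect to the URI registered for this client, never one supplied
        # at request time, so a code cannot be sent to a third party's server.
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("unregistered redirect_uri")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (user, client_id, scope, code_challenge)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, code, client_id, code_verifier):
        entry = self._codes.pop(code, None)          # codes are single use
        if entry is None:
            raise ValueError("unknown or already used code")
        user, bound_client, scope, challenge = entry
        if bound_client != client_id:
            raise ValueError("code was issued to a different client")
        if pkce_challenge(code_verifier) != challenge:
            raise ValueError("PKCE verifier does not match challenge")
        access_token = secrets.token_urlsafe(32)
        self._tokens[access_token] = (user, scope)
        return access_token

    def get_photos(self, access_token):
        # The resource check enforces scope: a token for another purpose
        # cannot read photos even though it belongs to the same user.
        user, scope = self._tokens.get(access_token, (None, ""))
        if user is None:
            raise PermissionError("invalid access token")
        if "photos:read" not in scope.split():
            raise PermissionError("token lacks the photos:read scope")
        return self.photos[user]


class ConsumerApp:
    """Constructed stand-in for the third-party app that wants the photos."""
    client_id = "photo-printer"
    redirect_uri = "https://printer.example/callback"

    def __init__(self, provider):
        self.provider = provider
        self._pending = {}   # state -> code_verifier, kept until the callback

    def start_login(self, scope="photos:read"):
        state = secrets.token_urlsafe(16)       # binds the callback to this browser session
        verifier = secrets.token_urlsafe(32)    # PKCE secret, never leaves this app
        self._pending[state] = verifier
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": scope, "state": state, "code_challenge": pkce_challenge(verifier)}

    def finish_login(self, callback_url):
        params = parse_qs(urlparse(callback_url).query)
        state = params.get("state", [None])[0]
        verifier = self._pending.pop(state, None)  # each state is accepted once
        if verifier is None:
            raise ValueError("state mismatch: callback was not started by this app")
        return self.provider.token(params["code"][0], self.client_id, verifier)


def run_flow(user="alice", password="correct horse battery staple", scope="photos:read"):
    """Drive one complete login and return the photos the consumer can read."""
    provider = ServiceProvider()
    app = ConsumerApp(provider)
    if not provider.login(user, password):
        raise PermissionError("login at the provider failed")
    req = app.start_login(scope)
    callback = provider.authorize(user, req["client_id"], req["redirect_uri"],
                                  req["scope"], req["state"], req["code_challenge"])
    access_token = app.finish_login(callback)
    return provider.get_photos(access_token)
```

Running `run_flow()` returns Alice's two photos; running it with a scope other than `photos:read` fails at the resource check, and feeding the same callback URL to `finish_login` a second time fails at the state check, which is the behaviour a defender wants when a redirect is replayed.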

Benefits of OAuth

Using OAuth comes with a few benefits. First, OAuth allows third-party sites to gain access to your information, such as name and email, without giving away your password. This simplifies the login experience for you, allowing you to log in to multiple sites using one account. Not only do you now have one less password to remember, you can also log in much faster, with just one click.

In addition, signing up with OAuth allows you to skip certain questions, such as name and email. You can also control what information gets shared with the third-party site, giving you autonomy. Automatic syncing between accounts means that when you update your information, such as your name or profile picture, it is synced across all connected accounts. Lastly, the 2-factor authentication offered by these sites, requiring login from two physical devices, adds an extra layer of login security. Compared with memorizing passwords used across multiple accounts, OAuth is a much simpler and faster alternative. Yet, by giving up so much control to a site like Google or Facebook, users must deal with certain tradeoffs.

Drawbacks of OAuth

Using OAuth comes with two main drawbacks. First, the more connected accounts you have, the more at risk you become if attackers gain access to the account they are all tied to. By viewing your settings, they could see which other accounts that login now grants access to. In addition, using OAuth sets up a single point of failure. If the OAuth site is down, you may lose access to all the third-party accounts connected to it. Though OAuth has many benefits in terms of making logging in quick and secure, having connected accounts also means greater risk if your login credentials fall into the wrong hands.

Conclusion

OAuth is a secure authorization method that makes signup and login much simpler for the user. By allowing passwordless authorization, it lets you quickly log in to multiple accounts and limit the information you wish to share with each. However, in exchange for such ease, you must always be aware of the risk of losing access to all your connected accounts if the service provider shuts down. Thankfully, most service providers work hard to ensure that their systems are resilient to outages, and OAuth is generally more secure than traditional authentication.