I am sure you would have come across "Login with Google", "Login with Facebook", "Login with Twitter", and "Login with Yahoo" among others on the Internet. Well, logging in with one's social media account has become a norm nowadays with many users preferring to signup and/or login with their personal social media accounts on the Internet.
So, what exactly goes on when you signup or login with your social media accounts ? Well, it is called "Open Standard For Authorization" or simply known as OAuth. It is commonly used as a way for Internet users to log in to third party websites using their Google, Facebook, Twitter, Yahoo, et cetera accounts without exposing their password.
Generally, OAuth provides to clients a "secure delegated access" to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials.
It has also become a common practice in the e-commerce space as well. If you have an e-commerce website just like a million (and counting) others, you are probably going to need to employ OAuth in your e-commerce website. I mean, wouldn't be easier for the customer to just login with their own Facebook or Google account to signup or purchase a good on your site without the hassle of registration ?
For an example, let’s say you want to register on cuteandfunnydogs.com to post your dog's awkward and funny moments.
In the regular way of doing things, cuteandfunnydogs.com would request that you create an account with them. That would usually require you to create another username and provide an e-mail address to which they can send a "user verification e-mail" to — just to make sure you’re a real human.
But, by simply using either Facebook or Google (or any other social media accounts) to sign in, both you and the site skip that process of e-mailing and human verification. Instead the site relies on those services to vouch for you and manage your account.
The important bit is this : the new site never gets your password.
In fact, once you login to cuteandfunnydogs.com, the site sends you to Facebook or Google, and you sign in with them. This social medias would then send a token back to the site that essentially says “Yes, this is a human and is who they say they are. You may proceed.”
Unless you’re using a password manager, the more passwords you create — and you should be creating unique passwords for every site you use — the more likely they are to be weak.
If one of these sites get hacked, the hackers will be able to piece together your patterns for creating passwords. Even worse, if you haven’t used unique passwords, now they basically have the key to all your accounts.
With Oauth, you can focus on making sure your password isn't weak— and then that will be the only password you would need to remember.
Most e-commerce website probably don’t have the resources to invest in their security at same level as the Facebook and Google.
And another way of looking at this is to ask yourself: do I trust this website to keep my information safe? Most likely you already trust Facebook and Google to do so more than some random small website.
In case of hacking, there’s very little lost. Remember, cuteandfunnydogs.com doesn’t actually have your password. They don’t actually have anything but a token that allows them to confirm your identity with Google or Facebook. If they get hacked, there is no actual account for your information to be lost.
For an example, even if cuteandcuteandfunnydogs.com gets hacked, or you’ve finally overloaded yourself with videos of cute dogs doing funny things, you can always just revoke their token and remove their access to your data.
No matter how strong a password you create, it is still not as good as adding a second method of verifying your identity. In most cases, this can be a simple time-based code sent to your phone via SMS or a voice call.
In fact, most of the services that offer OAuth such as Facebook, Google, and Twitter also offer two-factor authentication. If you haven't activated it yet, you should.
Well, usually we share pictures and comments on sites to be social, but it’s the networking appeal that makes sites worth revisiting. OAuth allows you to use one account to review and comment on several different sites, letting friends and readers from all sites trace you back to your preferred profile page.
Normally, the site you’re accessing with OAuth ought to get access some of your information such as your Facebook public profile and/or your e-mail address. At times, they may also have access to your friends' list and/or the ability to post to your wall.
Besides, some of your browsing/purchasing activity might also get posted on to you social media account (Facebook Profile). I.e., John Doe bought a XYZ dog biscuit or John Doe added XYZ dog collar to his wishlist.
If you choose to use a central hub to connect to all your other favorite sites, and the central account becomes hacked, or you simply choose to close the account, then the serious repercussions are felt across several sites instead of just one. I.e., you might not be able to delete your social media account that is being used for OAuth across various other sites.