There are tens of thousands of apps and sites (if not more) that let you sign in with your Facebook or Google credentials. It’s a faster way to log in — and saves you the pressure of having to create and remember countless different usernames and passwords. But do you really know what you’re signing over when you sign in?
Here are the basics.
Why use Facebook and Google to log into other sites or apps?
The easy answer here is convenience. Using your Facebook and Google logins saves you the effort of having to keep track of a bunch of different usernames and passwords for each app you sign into. (Because we all use unique names and strong passwords for each of our various apps … right?) So rather than having to remember your login info for apps like Pinterest, Etsy, Trip Advisor or myriad other sites and apps you may visit on occasion, all you have to do is use one of the logins you already know by heart.
Another advantage is safety. When using Google or Facebook to log in, you’re leveraging the security infrastructure and protocols of those large sites, both of which monitor your account, flag suspicious activity and have better authentication capabilities than JoeShmo.com.
But what if your password gets stolen? Doesn’t that just give hackers access to everything instead of just one thing?
When it comes to Gmail, your password kind of already is a hacker’s way into everything. If a malicious actor gets your email password, he can request a password reset link for any apps you use. That will then be sent to the email he just hacked into. So, using your Google credentials to log in to other apps doesn’t present a new security threat beyond what already is possible for a hacker with your password.
How does it work?
In essence, Google and Facebook are vouching for you. When you choose to sign into an app with either Google or Facebook, the login dialog box that pops up is actually provided by Google or Facebook, not by the app you’re trying to open. You put in your username and password, and Google or Facebook reports back to the app saying, “Yes, we know this person and have confirmed she is who she says she is. You may proceed.”
What information are they giving these apps?
At the very minimum, Facebook shares whatever is on your public profile, such as your name and profile picture. Google typically hands over either your email address or, as mobile becomes increasingly important, your phone number, giving the folks at the app the ability to contact you if they need to.
But both could provide more information than that.
For instance, Trip Advisor uses your Facebook friends to show you where people you know have traveled and which hotels and attractions they have reviewed.
If you sign into Uber with Google, the company shares your Google Wallet information for easy payments. Doodle.com, a scheduling site, asks for access to your calendars.
How can you control what information gets shared?
Facebook makes it fairly easy to grant or block access to certain types of information.
When you log into an app with Facebook, there’s an option to “Edit the info you provide.” Clicking the link opens a list of permissions, including your friends list, your birthday, your likes and email address. You can check or uncheck each piece of data to decide whether or not to share it. The only one you can’t uncheck is your public profile.
Google doesn’t have quite the same amount of flexibility, at least not yet. Typically, the app providers decide what information they are going to ask Google for and in most cases you can see what’s being shared, but there’s not a whole lot you can do about it. It’s kind of an all-or-nothing proposition.
Increasingly, apps are making it easier to control precisely what permissions you give when you sign in using your Google account.
Some sites and apps are starting to add the ability to cherry-pick. Doodle, for example, doesn’t ask for calendar access up front, but rather starts with your profile info and email address at sign-up and sends a separate request later to manage your calendars, which you can allow or deny. The Orbitz and Etsy apps for Android also break up permissions on a need-to-know basis.
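An added example, not from the original article or from Google or any app named in it: the sketch below reads the scope parameter of a Google sign-in request to show what an app asks for up front versus later, as in the Doodle case. The client ID, redirect URI, state values and sample URLs are constructed placeholders, and the helper names are hypothetical; the endpoint, parameters and scope names are Google's published ones.

```python
from urllib.parse import parse_qs, urlsplit

# Scopes that only identify the user (OpenID Connect sign-in scopes).
IDENTITY_SCOPES = {"openid", "email", "profile"}

def requested_scopes(auth_url):
    """Return the set of scopes named in an OAuth 2.0 authorization URL."""
    query = parse_qs(urlsplit(auth_url).query)
    # "scope" is one space-delimited value (RFC 6749, section 3.3).
    return set(" ".join(query.get("scope", [])).split())

def review_request(auth_url, already_granted=frozenset()):
    """Classify what a sign-in request asks for and what is new."""
    scopes = requested_scopes(auth_url)
    return {
        "identity": sorted(scopes & IDENTITY_SCOPES),
        "data_access": sorted(scopes - IDENTITY_SCOPES),
        "new": sorted(scopes - set(already_granted)),
    }

# Constructed sample requests; client_id, redirect_uri and state are placeholders.
BASE = ("https://accounts.google.com/o/oauth2/v2/auth"
        "?client_id=EXAMPLE_CLIENT_ID&response_type=code"
        "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback")
CALENDAR = "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar"

# All-or-nothing: identity and calendar access requested in one consent screen.
UP_FRONT = BASE + "&scope=openid%20email%20profile%20" + CALENDAR + "&state=s1"
# Need-to-know: identity at sign-up, calendar only when the feature is used.
SIGN_UP = BASE + "&scope=openid%20email%20profile&state=s2"
LATER = BASE + "&scope=" + CALENDAR + "&include_granted_scopes=true&state=s3"

if __name__ == "__main__":
    print("up front:", review_request(UP_FRONT))
    print("sign-up: ", review_request(SIGN_UP))
    print("later:   ", review_request(LATER, requested_scopes(SIGN_UP)))
```

Anything listed under "data_access" is what the consent screen is asking you to hand over beyond proving who you are.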
To review a list of third-party apps and sites that are connected to your Google account, go to the “Sign-in & security” section of My Account. As with Facebook, you can — and should, periodically — go through and remove any apps you don’t use anymore. But unlike Facebook, you can’t get granular about which details get shared and which are kept private.