Stop using social login

16 May 2026

At some point in your life, you have probably clicked Sign in with Google. Or maybe Sign in with Apple, Sign in with GitHub, or even Sign in with Facebook.

Yeah, this is really convenient. It’s cool technology. It makes your life and the developer’s life easier. Instead of having to remember a bunch of passwords, you can just authenticate with a single click with an account you’re already logged in to. Developers don’t have to worry about storing passwords, implementing password resets (email costs money to send), and so on.

The problem

The problem is trust. When you sign in with a password, you don’t have to place trust in an external service.

But with social login, you do.

Basically, the service you’re signing in with has the keys to your account. This is a bit of an oversimplification, but it’s the gist of it.

So you have to trust that:

The service will keep your account secure

The service won’t exploit their control over your account

The service doesn’t ban you and therefore lock you out of all your accounts

But surely large companies like Google and GitHub are trustworthy. Surely they won’t exploit their control over your account. You aren’t doing anything illegal, so surely they won’t ban you.

Yeah that’s the fun part /s

So these companies probably won’t exploit their control over your account just for the fun of it. But they could, for example, be compelled by a government to hand over your account. Then you’re screwed.

Oh and the banning thing? If Google bans you, you usually can’t get your account back. Even if you were falsely banned.

This has happened (Content warning for links: CSAM mentioned)

Something like this actually happened to me a while back, but with GitHub. My account was flagged as spam, locking me out of a bunch of services (about 80), one of which I had an active subscription with that I had to cancel by contacting support. You can read more about that here.

So… what do we do?

The solution

As a user

Just don’t use social login where you can. Get a password manager and use it. I recommend Bitwarden (has a free tier) and 1Password (paid). Always have backups: other ways to access your stuff.

If a site only supports social login, then try and link multiple accounts, just so you have a backup plan.

As a developer

This is a hard one. As a developer myself, I usually use GitHub social login, just because it’s pretty easy to implement. I need to stop doing this.

I guess you can just go back to passwords, or use email codes/links.

If you must use social login, add multiple accounts and allow linking multiple to the same account.

Passkeys are also a good option, and they can even be used in a signup flow as the sole method of authentication (but don’t do this, they aren’t really ready).

Just add multiple options to log into accounts. And if you can, make sure it’s easy for support people to recover accounts if someone cannot log in using social login. Shoutout to the support teams at Sanity, Tailscale, and Convex for responding fast and helping me with account recovery/changing things like subscriptions.
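Here is what “link multiple accounts to the same user, and keep it recoverable” looks like in code. This is an added example, not code from the author or from any of the services mentioned; the names (Account, AccountStore, link_identity, LastLoginMethodError) are made up, and a dict stands in for the database. Two design points it shows beyond the text: social identities are keyed by the provider’s stable user id, not by email, and the last remaining login method can never be removed, so a banned or dead provider cannot leave an account with no way in. It also includes a small report of which accounts depend on a single provider, which is the list support would want before a lockout happens.

```python
"""Account model with several independent login methods.

Added example, not the post's code. All names are hypothetical and the
in-memory AccountStore stands in for a real database.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IdentityKey = Tuple[str, str]  # (provider, provider_user_id), e.g. ("github", "12345")


class LastLoginMethodError(Exception):
    """Raised when a change would leave an account with no way to sign in."""


@dataclass
class Account:
    account_id: int
    email: str
    # Social identities keyed by (provider, stable provider user id). The
    # provider's user id is used, never the email address: emails change,
    # and two providers may report the same email for different people.
    identities: Dict[IdentityKey, bool] = field(default_factory=dict)
    password_hash: Optional[str] = None  # stored hash, set by a separate flow
    passkey_count: int = 0


def login_methods(acct: Account) -> List[str]:
    """Every independent way this account can currently be accessed."""
    methods = [f"social:{provider}" for provider, _sub in acct.identities]
    if acct.password_hash is not None:
        methods.append("password")
    if acct.passkey_count > 0:
        methods.append("passkey")
    return methods


class AccountStore:
    def __init__(self) -> None:
        self.accounts: Dict[int, Account] = {}
        self.by_identity: Dict[IdentityKey, int] = {}
        self._next_id = 1

    def create(self, email: str, password_hash: Optional[str] = None) -> Account:
        acct = Account(self._next_id, email, password_hash=password_hash)
        self.accounts[acct.account_id] = acct
        self._next_id += 1
        return acct

    def link_identity(self, acct: Account, provider: str, sub: str) -> None:
        """Attach a social identity; one identity may belong to one account only."""
        key = (provider, sub)
        owner = self.by_identity.get(key)
        if owner is not None and owner != acct.account_id:
            raise ValueError(f"{key} is already linked to another account")
        acct.identities[key] = True
        self.by_identity[key] = acct.account_id

    def unlink_identity(self, acct: Account, provider: str, sub: str) -> None:
        """Detach a social identity, but never the account's last login method."""
        key = (provider, sub)
        if key not in acct.identities:
            raise KeyError(key)
        if len(login_methods(acct)) <= 1:
            raise LastLoginMethodError("add another login method before unlinking this one")
        del acct.identities[key]
        del self.by_identity[key]

    def login_social(self, provider: str, sub: str) -> Optional[Account]:
        """Resolve a provider callback to an account by stable id, not by email."""
        acct_id = self.by_identity.get((provider, sub))
        return self.accounts.get(acct_id) if acct_id is not None else None

    def single_provider_accounts(self) -> List[int]:
        """Accounts whose only login method is one social provider.

        These are the users who get locked out the day that provider bans
        them; support can use this list to nudge them to add a second method.
        """
        at_risk = []
        for acct in self.accounts.values():
            methods = login_methods(acct)
            if len(methods) == 1 and methods[0].startswith("social:"):
                at_risk.append(acct.account_id)
        return at_risk


if __name__ == "__main__":
    store = AccountStore()
    ingo = store.create("ingo@example.invalid")  # constructed sample account
    store.link_identity(ingo, "github", "12345")
    print("at risk:", store.single_provider_accounts())  # only GitHub -> at risk
    store.link_identity(ingo, "google", "abc")
    store.unlink_identity(ingo, "github", "12345")  # allowed: Google remains
    print("methods:", login_methods(ingo))
```

The lockout check lives in `unlink_identity` rather than in the UI, so an admin tool or an automated cleanup job hits the same guard. Adding a password or passkey counts as a second method, so the report empties as soon as users set one up.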

In conclusion

Social login is convenient, but you are giving the keys to your account to a third party. Try not to use it as much as possible. If you must, link multiple accounts. As a developer, add multiple options to log into accounts.

Don’t put all your eggs in one basket. Don’t trust one company with all your accounts.

- Ingo