What Is Social Login and Is It Worth Implementing?
Social login, also known as social sign-in or social sign-on, uses information from social networking sites to facilitate logins on third-party applications and platforms. The process is designed to simplify sign-in and registration experiences, providing a convenient alternative to mandatory account creation.
- For users, social login is a frictionless method of accessing sites and apps—one that doesn’t require excess credentials and allows users to skip past cumbersome registration procedures.
- For developers and businesses, social login is an attractive feature that can help streamline user verification while also providing more reliable access to user data for personalization.
In short, social sign-on seems like a win-win for everyone. And while it’s true that there are strong benefits to social authentication, it does bring some data security risks. In this post, we dive deep into the features and considerations of social login so that you’re best equipped to implement it successfully.
How does social login work?
Social login is a simple process that can be done in just a few steps:
- The user enters an app or site and selects their chosen social network. This usually takes the form of a social login button or “Sign in with [social platform]” links.
- The social network provider receives a login request and authenticates the user. At this stage, users need to accept the access permissions of the app or site.
- The user will get access to the site or app once the social provider has confirmed their identity.
Social sign-in relies on a couple of core components. OAuth 2.0 grants apps the permission to confidentially use social network data for login purposes. OpenID Connect is an authentication protocol that facilitates third-party logins, allowing users to access apps and account services with login credentials from other websites. Together, these authentication and authorization mechanisms power social logins. The diagram below walks through the social login process from start to finish.
How do popular social login platforms compare?
Every social login platform has different privacy features and implementation quirks to keep in mind. Here’s the rundown on the most prevalent social identity providers:
Facebook Login provides a balance of convenience and privacy. While organizations using Facebook Login ultimately decide what information they request from users, Facebook’s review process requires that developers provide users with a large number of permission customizations. With these permissions, users can control the degree to which they share various types of information with third-party organizations.
Google Sign-In allows users to access other websites with their Google accounts. Developers can access the user’s public profile, age range, and friend list, and have the ability to read and write to the user’s public feed. Users can customize the information they share during authorization, but Google’s social login solution currently doesn’t allow for subsequent alterations without disconnecting and re-authenticating it with each third-party website.
LinkedIn Login lets users sign in with their professional identity. Users can’t control permissions of what the app can access, but LinkedIn has perhaps the strictest approval process for information requests. Third-party site owners and developers must have prior approval to request any user information beyond basic profile data, location, and employment status.
Microsoft
Sign In With Microsoft gives users the ability to log in with their Microsoft accounts. For apps and websites that have this social login installed, consumers can simply sign in using their personal email addresses and account credentials. Keep in mind that large organizations (such as schools or businesses) that choose to deploy this method will first need to register their application or site with Azure AD.
Apple
Sign In With Apple lets users sign in to various accounts using their Apple IDs. Apple’s service has some unique privacy and security features favorable to end users. For example, apps and websites can only ask users for their names and email addresses upon first sign in, and users can create random email addresses for use with each site—hiding their personal accounts. Apple also prompts for two-factor authentication with each login, making it among the more secure choices. In addition, any apps on the App Store that offer social authentication have to provide Sign In With Apple as an option.
With these features, the Sign In With Apple workflow looks slightly different than other social login solutions. If two-factor authentication is enabled, for example, users will need to verify the login from another device and enter an authentication code after signing in with their Apple ID. They'll also be asked to confirm the login once more before being redirected back to the app or website.
Generic OIDC
Generic OIDC is an Okta feature that allows users to sign into apps using account credentials from a wide range of identity providers. By enabling any OIDC compliant system to sign in with Okta, organizations have greater freedom to choose between multiple social platforms in order to create custom and secure login experiences for their customers. Example third-party OIDC providers include Dropbox, Github, Reddit, and more.
What are the benefits of social login?
Social media login improves user experiences in various ways, including:
- Streamlined sign-up: Third-party web page logins via Facebook or Google accounts typically involve clicking just a few buttons. This creates a much faster path to access sites and apps compared to filling out registration forms.
- Less password reliance: Password fatigue is real, and besides the inherent vulnerability of password logins, the idea of remembering yet another password puts users off registering for additional sites. Social login means users don’t have to create and keep track of more credentials, lessening password fatigue and login failures.
- A trustworthy process: Regardless of the site users are accessing, social sign-on provides a recognizable, uniform method of logging in. Users may feel more at ease sharing their data with new and unknown sites and apps via social networking platforms they already trust.
Organizations that implement social authentication also benefit in various ways:
- Smarter user improvements: When users sign in to an app or site using their social network, site owners can analyze data from that platform to establish user preferences. Developers can then use this insight to create customizable user experiences and build features that are in demand.
- Increased verification: Social login provides an additional layer of verification to confirm that access attempts are from real and trustworthy users. This type of authentication also requires verification from the chosen social platform, incorporating yet another line of defense against spam or otherwise harmful logins.
- Free to implement (usually): Integrating social media logins means using APIs for each corresponding social platform, like Facebook Login and Google+ API. While some APIs limit the resources that third-party apps can use without paying, it’s typically free to use these APIs and support a range of social logins.
- Improved blank slate experiences: After a user signs in using a social media account, site owners have the ability to auto-suggest or auto-populate their settings with information held in their social account. This lets organizations create a first impression of convenience and encourage further use of their apps and site.
- Reduced overhead from failed logins: By going passwordless with social login, organizations will spend less time troubleshooting security alerts and password requests from failed logins.
- Less cart abandonment and more mobile conversions: For e-commerce brands, social login gives you the opportunity to simplify the checkout experience for online shoppers—which means fewer abandoned carts and more purchases on both web and mobile.
- Account linking: When users choose social login options for various applications, organizations gain access to data from multiple stores, which helps to create a more comprehensive customer profile.
- Greater adoption of apps: When users have an enjoyable experience, they’re more likely to continue using a product or service—and stay loyal to a company. Social login contributes to a seamless interface that keeps people coming back for more.
What are the drawbacks of social login?
For all the ways that social media login streamlines the user experience, it leaves room for security vulnerabilities, including:
- Compromised or stolen data: Social identity providers like Facebook and LinkedIn have faced infamous data breaches over the years, where leaks compromised millions of user accounts at a time.
- Poor password practices: Unfortunately, 65% of people report reusing credentials across multiple accounts and sites. If any social login site experiences data theft, users who’ve repeatedly used the same passwords will likely have multiple compromised accounts on their hands. Frequent social login users are those most at risk, as credential leaks jeopardize every app or site login linked to a breached social media account.
- Privacy and compliance: Organizations implementing social login need to be vigilant with regards to privacy, as regulations like the CCPA and GDPR give users legal rights to opt in and out of various data collection and sharing practices. For end users, it’s important to dig into the different permission requests of each platform and determine—before accepting—if each ask is justified.
Is social login worth implementing?
The big picture is, yes, social login improves experiences for businesses and end users alike. However, we advise taking a few additional steps to ensure that your social login experiences are secure.
To avoid account takeover, back up social login with multi-factor authentication. By enabling additional forms of authentication, hackers will be unable to use leaked credentials to breach social media accounts or linked apps and websites. Social identity providers that allow for customizable permissions are also preferable, as this helps organizations to honor compliance requirements while creating trustworthy user experiences.
Wondering how to use Okta for social logins? We support generic OIDC, Facebook, Google, LinkedIn, Microsoft, and—now in General Availability—Apple. Check out these quick guides to learn the ropes:
- Social Login overview (Documentation)
- Setting up Social Login (Documentation)
- Authenticate into Okta using Social Apps (Support article)
- Add Social Login to Your JHipster App (Blog post)
- Add Social Login to Your Spring Boot 2.0 App (Blog post)
- Add Social Login to Your Ionic App (Blog post)