Ask HN: Is centralized credentials good security practice?
I just recently had an interesting discussion about social logins. A security consultant was arguing that by requiring users to login utilizing Facebook and Google's 0auth system it was somehow more secure than a email and password approach, and that using centralized credentials is also good from a security standpoint.
My opinion is that social login is really just for convenience and that it doesn't really offer anymore security than a well implement login system. Not to mention data privacy when using social logins. I also think that having centralized credentials is actually a horrible idea and is the stuff of nightmares for security (not to be confused with a password manager). A attacker only has to gain access your Facebook, Google or centralized account to gain control of your online presses in its entirety.
I think social logins are great for the people that want to use them, but it is terrible to use the excuse that they are way more secure to not offer another authentication method.
It was suggested that I ask here to see what others think. So, is centralized credentials good security practice, and are social logins good to use if you are a security conscious individual?
2 comments
[ 2.1 ms ] story [ 17.3 ms ] threadI'm with you though, it isn't that hard to have good password hashing, login rate limiting, etc and you aren't inherently depending on some external entity that has less than zero interest in your needs or wants.
The "security" argument to me is as ridiculous as the people who claim that a client-side app that uses Aws/etc services is "server less". Honestly if no one on your team can impliemnt a simple authentication later I don't have high hopes for your success.
However, They're wrong on everything else. Centralized credentials in terms of social isn't secure at all. Consider the Apple iCloud "hacking" incident. The intruders simply used social engineering to uncover the password recovery answers. From there they could access everything in a user's iCloud - Including login information. When using Google or Facebook that same thing can happen. Consider that many novice users don't have two-factor authentication setup, in fact many novice users share passwords between accounts. Which means you're trusting [insert x site here] to not get hacked and take down the rest. Many novice PC users aren't smart and will leave their social accounts at risk. The same social media account can provide intruders with the data to hack it.
Not to mention you loose control over password qualifications - which when set correctly can increase entropy.
All that aside, with Social Logins you still have to setup a traditional account security system. Social Media just handles the login for you and gives you an account it - You still need to do all the traditional account/userid stuff.
You want security? You need this. 1. Good Password Hashing (w/ Individual Salting) 2. Good Password Requirements 3. Login Rate Limiting 4. IP / Geolocation Logging (Check if someone logs in from Georgia, then from Russia 5 minutes later. If it's impossible for a user to travel that far, Lock it.) 5. Good Session Management - If its been 5-15 minutes. Trash the session. 6. Location Remembrance (W/ #4) "Hey, we see you haven't logged in from here before. Wanna save this spot?" 7. User Notification of Account Changes to Prev Confirmed E-Mail - "Hey, We see you logged in from Belize, Is this you?" / "Hey, We see you've changed your account's e-mail. Is this correct?" 8. Require password reset's involve a secondary device. Like a mobile phone. If they go to reset their password they have to enter a SMS Code to confirm. Services like Mailgun make this easy. 9. Allow Two Factor Authentication (Again SMS/Email when Logged in)