Why humanID is superior to other social logins
By Anagha Arvind
October 23, 2020
You come across a new clothing website that has some shoes you are interested in purchasing, but it requires you to sign up for an account. Not another password to remember! Thankfully, they have an option to login with Facebook. You use your account to sign up and browse through the rest of the catalog. Soon you start seeing ads for more shoes on your Facebook timeline. How did this happen? The answer lies in understanding SSOs and social logins.
Single Sign-on (SSO) is a method of authenticating login sessions, which allows users to access multiple applications and websites with simply one username and password combination. Companies and consumers are encouraged to use them, as it increases productivity and reduces the number of passwords to manage, which consequently lowers the chances of being targeted by hackers and experiencing data breaches. Social networking sites like Facebook, Google and Twitter offer a common form of SSOs called social logins, that carry the same characteristics of typical SSOs. These popular social logins have had security risks and data leaks that adversely impacted their users by exposing their personal information. Therefore, what’s needed is a fully anonymous and private SSO option that protects user data, like humanID.
What are SSOs, and how do they work?
Single Sign-on technology is a combination of multiple applications or websites that a user can access with just one login through an SSO solution. SSOs were originally mainly used by corporations to control the credentials an employee would need to access their services and programs. Recently, SSOs have become common among general consumers and customers, as millions of websites now offer social login options through Facebook or Google to sign up for their services. While SSOs implemented by these corporations have multiple layers of security such as multi-factor authentication, the consumer-grade SSOs are more susceptible to data breaches.
A user first signs into the SSO solution with their credentials – typically a username and password. The SSO solution service provider requests for authentication from the identity provider used by the social networking service in charge of the SSO solution, like Facebook or Google. This verifies the identity of the user against a database owned by the social networking service. In turn, the SSO solution passes the verified data to the third-party application or website of interest to allow the user to access the services. The verified data is in the guise of access tokens, which allows only specific information to be shared with the parties involved.
Most SSOs follow the OAuth(Open Authorization) framework that authorizes the end user’s account information to be shared to third party services, while keeping their password private. OAuth is a standard for authentication based on tokens, and acts as the mediator between the service provider and end user using these access tokens. OAuth is equipped especially for mobile use, and is used by Facebook and Google to log onto other applications or websites. These access tokens have a time limit, so when they expire, the user has to login again. They are sent using HTTPS (hypertext transfer protocol secure), that is dedicated to sending encrypted personal data between a website and web browser which can only be decrypted by authorized parties.
What are the advantages of SSOs?
According to a WebHostingBuzz survey, 86% of users say that they are troubled by having to create new accounts on applications and websites when they sign up for new services. SSOs improve user experience by discarding the inconvenience of creating new login credentials or repeatedly signing into multiple services, thus reducing password fatigue. Time saved from remembering passwords and limiting the number of logins goes towards increased productivity for consumers and employees. Security is also improved by preventing users from following poor password practices. One strong password is required to access multiple applications that can collaborate with each other, therefore reducing chances of password theft.
Through this SSO, users can share some personal data with a website to receive only content that is catered to their interests, instead of irrelevant information. The implementation of SSOs in organizations significantly reduces administrative time spent by IT departments on handling issues such as password resets. Companies profit from increased engagement rates as a result of time and cost efficiency. Specifically, research indicates that social login users spend more time and money on a website compared to non-social login users. Another concept of “social sharing”, brought on by social logins, allows users to share a product or service they have interacted with on their social network. For example, Facebook’s “Like” button is said to generate 300% more traffic to websites. Within the same WebHostingBuzz survey, 77% of users believed all websites should offer a social login option for registration.
What are existing SSOs and their disadvantages?
We specifically discuss social logins that contain SSO solutions, although there are multiple SSO options available to implement. A few examples of these social login SSOs are, as mentioned earlier, Google, Facebook, Twitter, Linkedin, Microsoft and Apple. These options are usually offered with third party applications and websites through “Login with Facebook” or other widgets. In these cases, users can use sign up or sign in with their personal accounts, if the options are available. Some companies like Microsoft and Apple also offer a different type of SSO that is not discussed here, such as fingerprint identification and FaceID. A study conducted by LoginRadius discovered that Facebook and Google+ are currently the most popular social logins for consumers, with 65% of logins using Facebook and 25% using Google+.
When a user employs a social login, they are allowing Facebook, for example, to share marketing information pertaining to them to the site they are registering to. Some of this information can include location, interests, purchasing history, political views, relationship status, etc. This can be used to track user behavior to provide them personalized ads and customized content on the websites they are trying to access, as well as on their social media. Facebook earns money by selling ad space to websites and services that users interact with, in which advertisers use details from personal data to sell to consumers. While there are certain terms of conditions Facebook has agreed to in handling users’ personal information and both the consumer and service could benefit from this situation, it brings up issues of compromising privacy. Europe has established laws that give consumers the right to know the information data companies have on them, but the United States does not. Should these big tech companies track your preferences and share your personal data with these third party websites? The amount of information the company shares is not explicitly specified.
Similarly, there are issues of security regarding these SSOs and social logins. Existing online logins can encourage data breaches, phishing and malware attacks from malicious users. In fact, security professionals do not advocate for end users to use social login SSOs because when an attacker gains access to their credentials, they acquire access to all the applications, systems and datasets that use the same credentials. This refers to the single point of failure common to SSOs. In 2015, Cambridge Analytica obtained varying amounts of personal data which included names, birth dates, employers, education history, religious preference, and recent searches from 87 million accounts without asking users for consent, and sold this data to political campaigns of Ted Cruz and Donald Trump, among many others. They obtained this data from Facebook due to a data breach following millions of people using the Facebook SSO social login. Consequently, issues of privacy, security and business and ethical challenges emerged for companies and consumers who used Facebook login. While in 2014, Facebook promised the creation of an anonymous login that does not share user’s personal information from their profile, this was never fulfilled.
The superior SSO from humanID
How can we, as consumers, still reap the benefits of SSOs while avoiding their downsides regarding privacy and security concerns? We have some good news for you! There is a secure option currently available to everyone that guarantees privacy and security – in the form of humanID. humanID is a non-profit, open source anonymity project that aims to replace problematic social logins such as “Login with Facebook”, and allow users to remain anonymous and maintain their privacy as they sign on to third-party applications.
Listed below are four comprehensive reasons why humanID is the superior solution to SSOs, convenient for both consumers and developers.
- Complete privacy and anonymity
humanID deletes users’ data immediately after authentication and never shares that information with any third parties, therefore thwarting the privacy and security concerns that arose from the Facebook and Cambridge Analytica disaster. Unique cryptographic hashes are generated based on the user’s phone number and platform they are trying to access. In doing so, users can sign up for health apps, dating apps or VPNs, for example, while remaining anonymous.
- Fewer opportunities for attacks from hackers
Instead of a typical username-password credential found in other social logins, humanID acquires a phone number and creates constraints for usage and interchanging between devices. Considering 81% of data breaches involve username-password credential misuse, the implementation of a phone number login reduces the chances of this occurring. It holds the user accountable, so that if they defy the terms and conditions, they will be unable to use humanID’s services anymore.
Access tokens that are typically used in other social SSOs are used with humanID as well. What sets humanID apart is that these tokens are short term, so the humanID server has a set temporary period like an hour or a day. Once this token expires, users will need to authenticate their credentials again. A 2018 study conducted at the University of Illinois discovered that 95 web and mobile services have errors in their SSO logins, one of which is allowing access tokens to be credible for a long time, which provides hackers more freedom and time to seize accounts. These characteristics of humanID were implemented to block automated accounts, cyberbullies, trolls, bots, and freeloaders, reducing the chances of credential misuse, malware and phishing attacks.
- User safety and satisfaction is the number one priority
Unlike Facebook or Google, humanID does not have the financial incentive to permit malicious users to create damage. The only payment comes from third party websites and applications who pay to receive humanID’s services, of which all expenses go towards improving those services. These features of humanID increase sign-up and engagement rates, enforce better security practices, lower overall costs, and improve satisfaction among community users and company platforms.
- Better technology
humanID also implements the OAuth architecture used by other social logins. The following sections depict the components of humanID’s SSO solution. The server system consists of three parts:
- The Business Client: considered to be the third party application or website that needs to request access tokens from the Resource Server on behalf of the user.
- The OAuth server: The OAuth Server is the mediator between the Business Client and the Resource Server: The Resource Server is the third party API that contains resources for the Business Client.
While providing the same convenience as Facebook to individual users and clients, humanID also delivers a practical software development kit (SDK) for developers to integrate into their applications. The SDK contains:
- An App ID: a unique identifier for each application created through the humanID server.
- An App Server Secret Key: used by the third party application to communicate with the humanID server. This key is kept private and its usage is restricted by registering the IP address of the host of the third party server application
- An App Client Key: connects the SDK to humanID, and is only available to authorized applications or websites with a restricted domain.
The following is how humanID’s SSO solution interacts with the client:
- The access tokens are requested from the Business Client to humanID by providing a phone number. Instead of storing these phone numbers in a database, the phone number is concatenated through adding salt to hashing. We promise there is no cooking involved in this process. A hash function is an algorithm that creates a unique sequence of random numbers and letters of a fixed size called a hash for each piece of data from the client. The hash is only available between the server and the client, and cannot be “unhashed”, which means the original data the client inputted cannot be regenerated. Furthermore, salting the inputted data adds another fixed-length sequence to the hash to create another layer of security for client information
- The clients are verified by a four-digit one-time password (OTP) sent to them via SMS. When the client accepts the OTP, the humanID server validates the OTP by checking whether the user has an existing account. humanID lets the third party server application know if the user is validated, and the application creates a session for the user.
- Tokens are returned to the client side and stored for temporary use, when they need to request for another one once the original expires.
This combined technology creates a fully anonymous, privacy first and secure service for consumers and customers.
For a quality social login option, it is time to walk away from Facebook and Google, and instead turn to a service that values privacy, security, anonymity and the protection of your data. It is time to turn to humanID, the superior solution to social logins.