Convenience is often at odds with security and privacy. In other words, we often need to add some friction to our lives in order to be more secure and private. There are many inconveniences we’ve all learned to live with in the physical world. We lock our houses when we leave. We hide valuables in the trunk when we park our car. We put on sunscreen when we go to the beach. Decades ago, we didn’t do those things, but now they’re just part of how we live our lives and we don’t think twice about them.
In the digital world, we’re still coming to terms with making these sorts of common sense alterations to our online behavior. Switching browsers or search engines feels like an imposition, so we put it off. Setting up a password manager sounds too painful, so we keep reusing crappy passwords and hope we don’t get hacked.
How Does ‘Sign in with’ Work?
But every once in a while, there’s an innovation that seems to make things easier and more secure. When websites began demanding that visitors create free accounts, people understandably balked. Why do you need my email address just to view free content? And you’re also going to make me think up yet another password that I have to remember? But Facebook and Google came to the rescue. They developed an extremely convenient way to bypass all of that hassle: just sign in with us! Sign in with Facebook and Sign in with Google allow you to access these sites without having to create a whole new account. (Note that often this will be called “Continue with”, as in the image shown.)
How does this work, you might ask? The technical explanation is pretty gnarly, but basically Google and Facebook are just vouching for you. This is a form of single sign-on (SSO) called OAuth, allowing you to access multiple websites using a single set of credentials. But as you might suspect, Google and Facebook get something out of this, too – as well as the website you’re visiting. They will now be sharing information about you. To make matters worse, there are security issues with using OAuth, too.
Two Better Alternatives
If you’re using a password manager, it’s honestly not that much harder to just create a dedicated account for each of these websites and forego the ‘sign in with’ options. This is a little harder to do on a mobile device, but it’s still worth the effort.
There is one notable exception the “sign in with” rule. Apple created their own version of this called (of course) Sign in with Apple. Apple is not perfect, but they’ve seen what Google and Facebook are doing with their users’ data and decided they needed to offer a privacy-preserving alternative. According to Apple, “Sign in with Apple won’t track or profile you as you use your favorite apps and websites. Apple retains only the information that’s needed to make sure you can sign in and manage your account”. If you must use this method, then use Apple’s.
There’s one more thing you might consider doing: using an email alias instead of your regular email address. An email alias is pretty much what it sounds like: it’s a dummy, made-up address that forwards to your real email account behind the scenes. Why would you want to do this? Because you probably only have one or two email addresses. They are globally unique and therefore allow sites to correlate data about you. But it also makes it a lot easier for bad guys to target all your online accounts after compromising one of them.
You can get email aliases from SimpleLogin, DuckDuckGo, Fastmail, and Apple. Note that Sign in with Apple also gives you the option to use an email alias for free, but if you want to create aliases at will, you’ll need an iCloud+ subscription (starting at $0.99/month).
Need practical security tips?
Sign up to receive Carey's favorite security tips + the first chapter of his book, Firewalls Don't Stop Dragons.
Don't get caught with your drawbridge down!