It is absolutely safe to log in on apps and third-party websites using your Facebook or Google account. Huge tech companies (e.g., Google, Facebook etc.) use a standard called OAuth, which allows third-party websites to access and retrieve select pieces of information from these big websites in order to authenticate users.
Before we delve deeper into this technological mystery of logging in on websites, let’s take a quick look at the technological mechanism in question.
What is OAuth?
OAuth is a protocol that helps ‘big’ websites (websites that have a very large number of users, such as Google, Facebook etc.) grant access to its users’ information to third-party websites or applications without sharing the users’ passwords and other private, sensitive details.
In more technical terms, OAuth is an open standard for secure access delegation, which means it is a service that allows web giants like Google or Microsoft to permit its users to share their own select pieces of information with third-party websites or applications, while protecting the confidential info of users at the same time.
A hypothetical situation where OAuth fits perfectly
Suppose you want to make some quick edits to an image online. You go to a website, say, Canva, which helps you edit your image directly in your web browser window. However, there’s a catch; in order to use its services, Canva requires you to sign up.
Since the image only requires 5-6 minutes of quick editing, you might not feel like spending even more time filling out a sign-up form from scratch. Or you might just be too bored to fill out a form. I know plenty of people who frown at the mere sight of a sign-up page!
To be honest, I think it’s fairly reasonable to get upset. In the modern, fast-paced world, where the attention span of an Internet user is less than a minute, asking a user who intends to spend only a few minutes on your website to sign up and create an account from scratch is actually asking a lot! The user might just leave such a ‘demanding’ website and find another that doesn’t require them to sign up for anything.
Most third-party websites (that require you to have an account) understand the reluctance of users to create new accounts. In a bid to ensure that they do not lose out on such ‘reluctant’ users, these third-party websites implement the OAuth standard in their system.
An OAuth-enabled third-party website (e.g., Canva) typically gives you 2 options: either sign up the ‘conventional way’, i.e., by filling out an online form, or sign up using Facebook or Google.
Canva, like virtually all websites on the Internet, knows that Facebook and Google have a mammoth user base (i.e., the number of users of their services runs in the billions), and it bets on the fact that you might have an account on either/both of those websites (Google/Facebook).
Therefore, instead of asking a new user to fill out a sign-up form manually, which could potentially take 10 minutes or more, depending on the speed and ‘annoyance level’ of the user, Canva simply asks you to sign up using your Google/Facebook account.
How does OAuth work?
This is basically how the OAuth standard works:
Suppose, you (the user) need to sign up/create an account on a third-party website/application (e.g., Canva).
First, you click on the “Sign up with Facebook’ button.
It redirects you to Facebook.com and checks whether you are already logged in to Facebook. If you’re not, then it prompts you to enter your username and password to access your account. Once logged in, it shows you a small dialog box that describes the kind and extent of information that you’ll be sharing with the third-party website. If you are okay with sharing the required info with that third-party website, you press the ‘Continue’ button.
If you’re not okay with the info that’s going to be shared with the third-party website, you can always edit your preferences.
Now, Facebook redirects you to the concerned third-party website with an authentication code, which is basically Facebook’s way of telling the website that ‘yes, this person holds a valid account with me’.
The website now shows Facebook the unique code it acquired when it first registered itself with Facebook as a legitimate website/application. Facebook uses that code to verify the identity of the website, and in return, grants an access token to the website.
It is this token that the website uses to gain restricted/limited access to some of your account information, usually consisting of your name, email address, gender and so on.
This is, in essence, how OAuth helps big websites like Google or Facebook grant limited access to users’ select pieces of information to third-party applications. To read more about the entire process, check out the official pages of Facebook and Google that discuss this system in great detail (links are provided in the References section).
In a nutshell, OAuth basically lets you give third-party websites a special key that opens only one door of your house and simultaneously protects the master key (i.e., the username and password of Google/Facebook), which can open all the doors of the house.