When setting up online accounts, you may be prompted with options to sign in with your Google account or another site like Facebook, Twitter, Apple, etc. The information stored on Google can create new user accounts and sign you in with only a few clicks. While this system makes logging in easier and more secure, you may be worried about potential privacy risks. Is it safe to sign in with Google?
Using the option to sign in with Google is safe. Google’s strong security and OAuth system provide better protection than current poor password practices. Users should still understand the privacy concerns: authenticators share data and account permissions with third parties while collecting data about user logins and traffic.
Being aware of the benefits and drawbacks of logging into websites with Google (and other authentication providers) helps you better understand where your information is being stored. It also sheds light on how to make your life easier when managing passwords and security. Keeping your information safe and protected from hackers should be your ultimate goal when you sign in to websites with a streamlined login.
How Does Signing in With Google Work?
Since this topic has many parts, let’s set out 3 simple, key terms:
- User: This is the person signing up for a new account and/or requesting account access from Google and similar authentication providers.
- Website/Third-Party: This is the site or app you want to create an account for.
- Authenticator/Authentication Provider: This is the site where you have an existing account like Google, Facebook, Twitter, Apple, etc. The technology behind this is called OAuth.
OAuth is an open standard…commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords. (Wikipedia)
When you head to a website to create an account, you will typically be given options to enter your email and password. Alternatively, the site might offer the use of an authenticator, such as Google, to log in.
When you select the authentication provider, you are redirected to confirm your identity. You give the third-party service permission to access specified information from your Google account, which is passed back to the third-party website. The information is used to activate or sign in to the site or service.
This authentication workflow accomplishes a few essential things which enhance security and successful sign in:
- Password Protection: When you click sign in with a Google account (or similar authentication service), your password is never passed to the new websites. You’re presented with a list of what information and/or access will be shared with the third-party. Only the necessary information is sent to the websites through the OAuth process.
- Authentication: Google and Facebook, when used for signing in, are called identity providers (IdP). They store your information and confirm your identity to other websites, so you don’t have to create new accounts and unique passwords.
The messaging platform Slack has excellent documentation on how they use this authentication process or workflow. Their diagram simplifies the workflow very well.
This process gives the third-party website two things:
- It confirms with Google that you are who you claim to be.
- It gains enough access to the information it needs.
Together, these let the site create a new account and, in later visits, allow you to sign in without a password.
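The redirect-and-return workflow described above, seen from the third-party website's side, as an added example that is not from the original article, Google, or Slack. The client ID, redirect URI and `session` dictionary are constructed placeholders, and the code-for-token exchange and ID token signature check are assumed to be handled by an OAuth library and are omitted.

```python
import secrets, time
from urllib.parse import urlencode, urlparse, parse_qs

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
CLIENT_ID = "example-client-id.apps.googleusercontent.com"  # constructed placeholder
REDIRECT_URI = "https://thirdparty.example/callback"        # constructed placeholder

def build_login_redirect(session):
    """Step 1: send the user to Google. The website never sees a password."""
    session["state"] = secrets.token_urlsafe(16)  # binds the callback to this session
    session["nonce"] = secrets.token_urlsafe(16)  # binds the ID token to this request
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid email",  # ask only for what account creation needs
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)

def read_callback(session, callback_url):
    """Step 2: Google redirects back with a one-time code; check state first."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("state", None)  # single use: a replayed callback fails
    state = query.get("state", [""])[0]
    if not expected or not secrets.compare_digest(state.encode(), expected.encode()):
        raise ValueError("state mismatch: callback is not from this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code: " + query.get("error", ["unknown"])[0])
    return code

def check_id_token_claims(claims, session, now=None):
    """Step 3: with the signature already verified, confirm the token is from
    Google, was issued to this website, is unexpired, and matches our nonce."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was issued to a different website")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if not session.get("nonce") or claims.get("nonce") != session["nonce"]:
        raise ValueError("nonce mismatch")
    return {"sub": claims["sub"], "email": claims.get("email")}
```

The returned `sub` value is the stable identifier the website stores to recognize you on later visits.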
You can easily manage third-party access to your Google account. You can remove the website’s access entirely or select specific permissions and shared information to revoke.
Note: Removing a third party’s access to your Google account doesn’t delete the account created on their website or service.
Advantages vs. Disadvantages of Signing In With Google
Signing into third-party sites using an authentication provider makes it much easier for you to protect a wide range of accounts with a more straightforward login process.
At the same time, privacy is a concern, and not all accounts you create will offer all authenticator login options. Considering the pros and cons will help determine which login option is best for you.
Advantages of Signing in with Your Google Account
Logging in with third-party accounts offers advantages in terms of overall security, often being the safest solution to managing accounts apart from password managers.
These are the primary advantages of signing in with Google or other identity providers:
- Convenience and Simplicity: Using an identity provider such as Google allows account management to be done for you. You can go into Google and look at all the accounts and websites you have used Google to sign in and make changes quickly. You don’t have to create or remember passwords.
- Increased Security: Google, Facebook, Twitter, and Apple are large companies that have made security a top priority. When you create a unique password on a smaller site, that site typically has fewer resources and less ability to protect your information, which makes it much riskier. If a hacker gets your information from the small site, they have a better chance of acquiring your stored information.
- Personalized Experiences: Based on your Google and other service usages, third parties can cater their site to your preferences more efficiently for a better online experience.
Ease of use and security are the top priorities when managing your accounts through an identity provider. They allow you to keep information in a centralized location and rely on secure servers to store your login data.
Disadvantages of Signing in with Your Google Account
Any system comes with its disadvantages, which should also be considered when creating an account using an authentication service for signing in.
These are the primary disadvantages to consider when setting up your accounts with Google and other identity services:
- Privacy Concerns: The list of websites you have logged into using your Google account is stored with Google. The company will also keep track of every time you’ve used a Sign In with Google button. Using an authenticator service gives Google, Facebook, Apple, etc. data about your habits, interests, and internet traffic. This accumulated profile information results in reduced privacy and increased value for targeted advertising.
- Potential Inconsistency for Identity Providers: You may still need a password manager if not all the apps or sites you use will allow you to sign in with Google (or similar identity services). Managing account access to certain identity providers requires careful tracking.
- Challenges to Unlink from Authentication Providers: Google and Twitter make it easy to unlink your information from specific accounts. You may find that unlinking is challenging if you are using multiple authenticators. Keep track of which services you use to sign in to apps and accounts for the best management.
- Easy to Create Too Many Accounts: You may be tempted to activate more online accounts with the ease of using an identity provider. With each new account, you pass along personally identifiable information (PII), sending basic information to many companies. This increases the size of your threat surface.
- Incomplete Security: When using the accounts on the third-party site, you should still use two-factor authentication for full account protection. An identity provider only replaces the use of a username and unique password combination. It’s not a replacement for multiple layers guarding your account on the third-party site.
As with most things, there’s a trade-off. Here we need to balance convenience and online privacy.
Your Browser Performs Sign In With Google Sites
As early as versions from 2010, the Google Chrome browser could synchronize bookmarks, settings, and other browser data details to your Google account. Later versions have added users’ ability to automatically sign in with Google directly from within the browser’s signed in session.
This is a useful feature for many but has expanded past a simple convenience and into controversy.
ZDNet first reported that “Google secretly logs users into Chrome whenever they log into a Google site” such as Gmail, YouTube, etc. Google engineers insisted that this feature was intended to protect Google accounts on shared or public computers. Privacy advocates point out this addition adds a new level of accuracy to a large amount of personal data collection occurring at the company.
Chrome sends details about its users and their activities to Google through both optional and non-optional user tracking mechanisms. (Wikipedia)
When your Chrome browser is signed in with your Google account, you’re sending more of your internet activity to Google, which collects and uses this information in ways that are unclear and out of our control.
By the way:
The Microsoft Edge browser also automatically signs in using the current Windows user account. We’ll be on the lookout for what browser data Microsoft is collecting. We’ve previously reported that Windows security is concerning.
Fix: To combat this form of traffic, consider switching to an open-source browser like Brave with built-in tracking protection, which they call privacy shields. The browsing experience is identical to Chrome and Edge, just with better privacy. For a quick overview, check out our article here.
Signing In With Facebook, Apple, Microsoft, Twitter, and Beyond
There are around 80 authentication/identity providers from big-name presences on the internet. Chances are you have accounts at several of these services.
If you’re one of those who don’t use a password manager, using an identity provider service helps increase your overall security.
As you sign in with different authenticator services, they each add a cookie or bit of data to your browser. Historically, this was for session handling but also helped track your traffic around the internet.
In 2020, The Verge reported that Google Chrome joined the other browser manufacturers to phase out cookie tracking.
The company is looking into other technical methods of tracking user behavior. Google will leverage users being signed into Chrome as part of that strategy.
Google and similar identity services have proven to be a safe option for signing into third-party accounts. Authentication providers increase the security of those users who are not adept at using a password manager. The trade-off for this service is the loss of some of your online privacy.
Remember that using authentication services like Google, Facebook, Twitter, Apple, and the like, is a replacement for the old username and password concept. You should still enable two-factor authentication in each third-party site.
With any new account you make, look at the security settings you have to protect them. Your diligence will be the most effective way to protect yourself from cybersecurity threats.