From 886261b99980f5b3ec37707dc0f049c472bb9be0 Mon Sep 17 00:00:00 2001 From: Jonah Aragon Date: Sun, 12 Nov 2023 22:58:25 -0600 Subject: [PATCH] Additional information --- docs/basics/account-creation.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/docs/basics/account-creation.md b/docs/basics/account-creation.md index 8b1267d985..99b6e01167 100644 --- a/docs/basics/account-creation.md +++ b/docs/basics/account-creation.md 
@@ -53,17 +53,21 @@ When you sign in with OAuth, it will open a login page with the provider you cho The main advantages are: -- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) if the website is using an experienced OAuth provider. Tech companies such as Apple, Google etc have the resources to continuously audit their authentication systems and are not going to be storing data inappropriately, such as unencrypted passwords in a database. It does not store your credentials, those are kept by an external OAuth provider. +- **Security**: you don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials, because they are stored with the external OAuth provider, which when it comes to services like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). - **Ease of use**: multiple accounts are managed by a single login. But there are disadvantages: - **Privacy**: the OAuth provider you log in with will know the services you use. -- **Centralization**: if the account you use for OAuth is compromised or you aren't able to login to it, all other accounts connected to it are affected. +- **Centralization**: if the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. -OAuth authentication can be especially useful in those situations where you could benefit from deeper integration between services. Our recommendation is to limit using OAuth to only where you need it, and always protect the main account with [MFA](multi-factor-authentication.md). +OAuth can be especially useful in those situations where you could benefit from deeper integration between services. 
Our recommendation is to limit using OAuth to only where you need it, and always protect the main account with [MFA](multi-factor-authentication.md). -All the services that use OAuth will be as secure as your underlying provider's account. For example, if you want to secure an account with a hardware key, but that service doesn't support hardware keys, you can secure the account you use with OAuth with a hardware key instead, and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your OAuth provider account means that any account tied to that login will also be weak. +All the services that use OAuth will be as secure as your underlying OAuth provider's account. For example, if you want to secure an account with a hardware key, but that service doesn't support hardware keys, you can secure the account you use with OAuth with a hardware key instead, and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your OAuth provider account means that any account tied to that login will also be weak. + +There is an additional danger when using *Sign in with Google*, *Facebook*, or another service, which is that typically the OAuth process allows for *bidirectional* data sharing. For example, logging in to a forum with your Twitter account could grant that forum access to do things on your Twitter account such as post, read your messages, or access other personal data. OAuth providers will typically present you with a list of things you are granting the external service access to, and you should always ensure that you read through that list and don't inadvertently grant the external service access to anything it doesn't require. 
+ +Malicious applications, particularly on mobile devices where the application has access to the WebView session used for logging in to the OAuth provider, can also abuse this process by hijacking your session with the OAuth provider and gaining access to your OAuth account through those means. Using the *Sign in with* option with any provider should usually be considered a matter of convenience that you only use with services you trust to not be actively malicious. ### Phone number
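Review bot: the rewritten **Security** bullet in this hunk is a single run-on sentence with a subject/verb mismatch ("the external OAuth provider, which ... typically follow the best security practices"); it reads much better split in two, e.g. "because they are stored with the external OAuth provider. Providers like Apple and Google typically follow best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text)." In the new *bidirectional* data-sharing paragraph, consider naming the mechanism behind "a list of things you are granting the external service access to" (the permissions, or scopes, shown on the consent screen) so readers know what to look for, and note that those grants can usually be reviewed and revoked later from the provider's account settings. The final paragraph on malicious applications describes the WebView risk but offers no concrete check for the reader; since the danger you describe comes from the app controlling the embedded WebView, it would help to add that a login flow which opens in the device's own browser rather than inside the app is the safer pattern, and that an in-app login screen for a *Sign in with* provider is a reason for caution.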