You’re finally ready to pull the trigger on that great cabin you saw on Airbnb and it’s time to create an account for the service. When you’re signing up for something new, it’s tempting to just sign in using whatever accounts you already have: Sign in with Apple, Google, or Facebook (and in other cases Twitter). You’ll be up and running faster! Yet before you tie your Airbnb or any other kind of account to the big single sign-on accounts from Facebook, Google, Apple, and Twitter, take a moment. There are good reasons not to make a habit of doing this. Here’s how these systems work, and what to know before using them.
First, the pros of signing in with an account you already have: It’s hugely convenient. If you’re already logged into said account inside your desktop browser or on your phone, then you’ll be up and running with your new app or service in no time. It’s normally much quicker than filling out all your details again, choosing another username, picking a new password, and so on.
Accounts created like this are also relatively simple to manage: You can see all the apps you’re using Facebook to log into here, for example, and all the apps you’re using Google to log into here. It’s also easy enough to block access to apps from these same screens — a couple of clicks or taps and they’re locked out of your main account again.
You might also get a few extra privacy benefits, such as the spoof email address service that Sign in with Apple gives you: Apple will auto-generate a random email address for signing up, so that you don’t have to give up your main one (and if spam becomes a problem, you can simply delete the email address altogether).
So far so good then, but this extra convenience comes with a series of trade-offs (as extra convenience usually does). As Apple and Epic have shown, problems between the company providing the app and the company providing the ID to log into it can happen, albeit infrequently. These problems can be legal, political, or technical, and they might ultimately mean you have to create a whole new account.
Whatever the benefits for the user, the big tech companies are keen for you to use their sign-in options because it keeps you more tightly locked into their platforms — if you ever want to delete your Facebook, Google, Twitter or Apple account, that’s going to cause a problem with all the smaller accounts you’ve connected.
There are also security and privacy considerations to weigh. Should someone get into your Facebook account, for example, they’ll also be able to get into everything you’ve connected to Facebook, from your running app to your favourite music player, because they all use the same login. From a digital security point of view, this sort of interconnectivity isn’t recommended.
With this in mind, you should always check what an app or website can do with the account you’re connecting it to, as some will need more permissions and privileges than others. Both the Facebook and Google pages, plus the equivalent ones for Twitter and Apple, let you see which bits of your account apps have access to, and what they can change. Most apps and services will be honest, and you’re not exactly giving away the keys to your accounts (more like a temporary guest pass), but it pays to check.
It’s worth emphasising that these third-party websites and apps don’t get the passwords to your Apple, Google, Twitter, or Facebook accounts, but they do get a security pass of sorts, as well as a limited level of access to those accounts — again, make sure you check the level of access when you make the connection, and make sure that you’re comfortable with it.
Google is a bit of a special case here, as third-party apps are able to get access to your calendars, your emails, your photos, and your Google Drive files if they ask for them. An app with full account access can do just about anything it likes in your Google account besides changing the password, deleting the account, or using Google Pay, so you should obviously only give this access to your most trusted apps (if any).
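If you want to see exactly what a Google sign-in request is asking for, the requested permissions ("scopes") are listed in the address of the consent page itself. The Python sketch below is an added example, not code from Google or from any app mentioned here; it sorts those scopes into identity-only, broad data access, and anything else. The scope table is a small illustrative subset, and the sample URL, client ID and redirect address are constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Google OAuth 2.0 scopes that reach the data the article names (mail,
# Drive, calendars, photos). Illustrative subset, not an exhaustive list.
BROAD_SCOPES = {
    "https://mail.google.com/": "read, send and delete all Gmail",
    "https://www.googleapis.com/auth/gmail.readonly": "read all Gmail",
    "https://www.googleapis.com/auth/drive": "see, edit and delete all Drive files",
    "https://www.googleapis.com/auth/calendar": "see and edit all calendars",
    "https://www.googleapis.com/auth/photoslibrary.readonly": "view your Google Photos library",
}
# Scopes that only identify you, which is all a plain sign-in needs.
IDENTITY_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

def review_consent_url(url):
    """Sort the scopes in an OAuth authorization URL by how much they expose."""
    params = parse_qs(urlsplit(url).query)
    scopes = params.get("scope", [""])[0].split()  # scopes are space-separated
    report = {"identity": [], "broad": [], "unlisted": []}
    for scope in scopes:
        if scope in IDENTITY_SCOPES:
            report["identity"].append(scope)
        elif scope in BROAD_SCOPES:
            report["broad"].append((scope, BROAD_SCOPES[scope]))
        else:
            report["unlisted"].append(scope)  # not in our table: look it up first
    # access_type=offline requests a refresh token, so the app keeps its
    # access after you close the page, until you revoke it.
    report["long_lived"] = params.get("access_type", [""])[0] == "offline"
    return report

# Constructed sample request; client_id and redirect_uri are placeholders.
SAMPLE_URL = "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode({
    "client_id": "EXAMPLE-CLIENT-ID.apps.googleusercontent.com",
    "redirect_uri": "https://app.example/callback",
    "response_type": "code",
    "access_type": "offline",
    "scope": "openid email https://www.googleapis.com/auth/drive "
             "https://www.googleapis.com/auth/contacts.readonly",
})

if __name__ == "__main__":
    for key, value in review_consent_url(SAMPLE_URL).items():
        print(f"{key}: {value}")
```

A request that lists only identity scopes is a plain sign-in; anything in the broad or unlisted groups is worth reading on the consent screen before you approve it.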
Google and the other big tech giants have procedures in place to look out for and block suspicious behaviour from connected apps and sites, but these protections aren’t impenetrable — every time you connect something new, you’re increasing your exposure just a little bit more.
Then there’s the data collection perspective: Certainly as far as Google and Facebook are concerned, being able to collect more information about who you are, what apps you use, and what you get up to on your various devices (or in real life) isn’t going to do any harm to the targeted advertising campaigns that these companies are selling against you.
That’s something that Apple takes a strict line on — one point to Sign in with Apple then — and Twitter will typically have less data on you to begin with, but whichever service you sign in with, advertisers and marketers love to join up the dots as much as possible when it comes to building up a profile on you.
These are important considerations to think about when deciding how to sign into somewhere new: Don’t forget that connected apps and services will often stay connected to your main accounts for years after you’ve forgotten them. If you are using these ‘sign in with…’ options, it’s imperative that you regularly review the connections that are currently in place.
Perhaps the main disadvantage to keeping everything siloed and separate is that you then have dozens or even hundreds of usernames and passwords to keep track of — we’d recommend a solid password manager for dealing with this particular issue. Despite the extra maintenance for you, it can be safer… but only if you’re careful with all your various login credentials.
For most of us, some kind of balance between using these major sign-in protocols all the time and not at all is probably the right way to go, but you should weigh up your choice very carefully whenever you hit a new login screen, and make absolutely sure that you keep an eye on app permissions (and disconnect apps when you’re done with them).