Why I Don’t Trust Social Login and Why WiFi Remote Access Should Be More Secure
Do you use social login? How about for remote access to your home WiFi router when you’re not at home? Unless you have good password practices and multi-factor authentication, I recommend you do NOT enable remote access of any kind, and maybe consider never using social login ever again.
I am very pleased with our Amplifi Mesh Wi-Fi System installation but have one security-related issue: for remotely logging in to the router from my smartphone, the only remote-access login option is social login, and only through two providers: Google and Facebook.
While implementing social login is far easier for developers than building a custom login solution (and developers often assume it is the path of least resistance, on the theory that these big companies can protect user credentials better than a smaller company can), that “big company is more secure” assumption has been proven false and highly risky:
- KREBS: Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years
- WIRED: The Security Risks Of Logging In With Facebook
- MEDIUM: It’s time for brands to reconsider social login
- TOM’S GUIDE: 100 Million Quora Accounts Hacked: What to Do
Use of social login also assumes that the user has excellent password practices and/or uses multi-factor authentication, which is usually not the case. So if the user doesn’t follow those best practices when protecting their Google or Facebook logins, does Amplifi’s parent company, Ubiquiti, get to consider itself off the hook in the event of a breach?
I would argue that a blackhat hacker obtaining a social login email and password is trivial (e.g., I can name twenty-five friends and family members who have had social accounts broken into).
Unless the user has enabled multi-factor authentication, those social login credentials could be used to gain access to any home WiFi router that relies on social login for remote access.
I’ve added this suggestion on the Amplifi community forum to ask the company to have a Ubiquiti-driven login with multi-factor authentication, and in it asked these questions:
- What is your position on security and privacy when it comes to enabling Google and Facebook to potentially monitor outbound traffic from an IP address?
- As such, do you have a security/privacy white paper that outlines how you use the Google and Facebook social APIs, and specifically what you allow Google and Facebook to monitor (such as the router’s IP address)?
While I appreciate that our Amplifi Mesh Wi-Fi System is focused on simplicity first and granular detail on security and privacy second, I’d like to see a public/private key, encrypted, Ubiquiti-delivered remote access login (where I hold both keys) along with multi-factor authentication … at a minimum.
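To make the requested design concrete, here is an added example (not code from Amplifi, Ubiquiti or this post) of what a key-based remote-access login with a second factor looks like. The router side enrolls only the phone’s Ed25519 public key and a TOTP secret; the phone proves possession of the private key by signing a fresh random challenge, and the router also checks a time-based one-time code (RFC 6238, HMAC-SHA1, 30-second steps). A stolen Google or Facebook password gives an attacker nothing here, because neither factor is stored at a third party. The type and function names (Router, NewChallenge, Authenticate, TOTP) and the sample secret are assumptions chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Router holds what the router needs to verify a remote login:
// the enrolled phone's public key and the shared TOTP secret.
// It never holds the phone's private key.
type Router struct {
	phonePub   ed25519.PublicKey
	totpSecret []byte
	pending    []byte // the one outstanding challenge; nil when none is open
}

// NewRouter enrolls a phone's public key and TOTP secret (assumed API).
func NewRouter(pub ed25519.PublicKey, totpSecret []byte) *Router {
	return &Router{phonePub: pub, totpSecret: totpSecret}
}

// TOTP computes an RFC 6238 code (HMAC-SHA1, 30 s step) for a Unix time.
func TOTP(secret []byte, unixTime int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f // dynamic truncation (RFC 4226)
	bin := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// NewChallenge issues a fresh 32-byte random nonce for the phone to sign.
// Only one challenge is outstanding at a time, and it is single-use.
func (r *Router) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	r.pending = c
	return c, nil
}

// Authenticate checks both factors: a signature over the outstanding
// challenge made with the enrolled key, and a current TOTP code.
// The challenge is consumed whether or not the attempt succeeds, so a
// captured signature cannot be replayed.
func (r *Router) Authenticate(challenge, sig []byte, code string, now int64) error {
	if r.pending == nil || subtle.ConstantTimeCompare(challenge, r.pending) != 1 {
		return errors.New("unknown or already-used challenge")
	}
	r.pending = nil
	if !ed25519.Verify(r.phonePub, challenge, sig) {
		return errors.New("signature does not verify against the enrolled key")
	}
	// Accept the current step and one step either side to tolerate clock skew.
	for _, skew := range []int64{0, -30, 30} {
		want := []byte(TOTP(r.totpSecret, now+skew, 6))
		if subtle.ConstantTimeCompare(want, []byte(code)) == 1 {
			return nil
		}
	}
	return errors.New("second factor rejected")
}

func main() {
	// Enrollment: the phone generates the key pair and keeps the private half.
	pub, priv, _ := ed25519.GenerateKey(nil)
	totpSecret := []byte("constructed-example-totp-secret") // constructed sample value
	router := NewRouter(pub, totpSecret)

	// Login: router issues a challenge, phone signs it and supplies its TOTP code.
	challenge, _ := router.NewChallenge()
	sig := ed25519.Sign(priv, challenge)
	now := time.Now().Unix()
	code := TOTP(totpSecret, now, 6)
	fmt.Println("login:", router.Authenticate(challenge, sig, code, now))
	// A replay of the same signed challenge is refused.
	fmt.Println("replay:", router.Authenticate(challenge, sig, code, now))
}
```

The design choice worth noting is that the router stores nothing a breach elsewhere could expose: the private key lives on the phone, the TOTP secret is shared only between phone and router, and each challenge is consumed after one use so an intercepted login exchange is worthless afterwards.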