Is authentication using Facebook/Google considered good practice?

I am quite sure that there are some sites which require you to log in with your Facebook/Google account on their site (so the URL shown is not Facebook/Google). I am sure there are some desktop applications which do this as well.

This is very bad practice for websites, because OAuth / OpenID (which are protocols used to delegate authentication) are designed to work around that exact use case. But there is no other way to do it in desktop applications, because desktop applications don't have redirect functionality.

A web page can forward you to the Google or Facebook authentication, where you can enter your credentials, and then when you authenticate successfully, Google / Facebook can redirect you back to where you came from.

This is impossible to do in a desktop application. One way around it is for the desktop application to open a web browser where you authenticate with your auth provider (Google / Facebook), and some magic happening behind the scenes can then authenticate you to the desktop application. But by and large this is an unsolved problem - you'll simply have to trust the desktop application to not steal your credentials. In fact, opening a web browser doesn't really solve the problem either; now you're just trusting the browser to not steal your credentials (the browser is a desktop application, too!).

I have read a couple of times that using other services to login is considered good practice. Is this true?

It's considered good practice because

  1. It's user friendly - users don't have to remember a hundred different credentials

  2. On the whole it offers better security - you don't have to trust a hundred different implementations and hope every site is bug-free and stores your password safely - you only have to trust Google, or Facebook, to take care of security. And they're much more capable of doing so than your teenaged nephew who wrote yet another login system for his new site.

Of course, it also means you're now putting all your eggs in one basket. If someone breaches your Google / Facebook account, you're in much bigger trouble if you use that account to authenticate on a hundred other sites. Also, there are privacy issues in letting your auth provider know which sites you visit and with what frequency you sign in.


The first part is mainly a partial answer for the desktop application case. Installing a desktop application is not the same as browsing a remote site. In the latter, you trust your browser to protect you (as much as it can) from possible attacks. In the former, you must trust the application to not contain malware. I see little difference between trusting Chrome not to send all my personal info to Google, and trusting an NVidia app not to steal your Google password.

The only real difference is that you add a new possible attack place on your unique Google password. If it worries you, just create an auxiliary account that you do not use for sensitive access, and use it for NVidia and/or other desktop applications.

That being said, it is definitely bad practice for a site or even a desktop application to put itself in the way and take at any moment the responsibility of passing your password to an external authentication service. Protocols such as OAuth or CAS were specifically designed to allow a site or application to delegate the authentication to a third-party service and never see the password. The client trusts the auth. service to protect its credentials, the application service trusts the auth. service to securely identify the client. Full stop. Having to trust the application service not to steal the credentials is IMHO a design error.

For the desktop use case, the correct way is to let you securely download the update via your browser - you take the responsibility for that part - and then the application takes the downloaded file to make its updates. That way, if something goes wrong (for example you downloaded a compromised file from a pirate site) you are responsible for it. But some app. developers are not always aware of who should be responsible for what...
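The delegation this answer describes, as an added example that is not part of the original post and not any provider's real API: a constructed, in-memory simulation of the OAuth 2.0 authorization-code flow in which the relying party (the site or app) only ever sees a one-time code and the `state` value it issued, while the password reaches the authorization server alone. The user name, password and callback URL are placeholders, and the "redirect" is a returned URL rather than real HTTP.

```python
import secrets
import hashlib
from urllib.parse import urlencode, parse_qs, urlparse

def _h(pw):  # password hashing stand-in, for the demo only
    return hashlib.sha256(pw.encode()).hexdigest()

class AuthServer:  # stand-in for Google/Facebook: the only party that checks a password
    def __init__(self):
        self._users = {"alice": _h("correct horse")}   # constructed user
        self._codes = {}            # one-time code -> (username, redirect_uri)
        self.passwords_seen = 0     # how many times a password reached this party
    def login_and_authorize(self, username, password, redirect_uri, state):
        self.passwords_seen += 1
        if not secrets.compare_digest(self._users.get(username, ""), _h(password)):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (username, redirect_uri)
        # Redirect back to the relying party carrying only code + state, never the password.
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"
    def exchange_code(self, code, redirect_uri):
        entry = self._codes.pop(code, None)     # single use: a replayed code fails
        if entry is None or entry[1] != redirect_uri:
            raise PermissionError("invalid code")
        return {"sub": entry[0]}                # identity assertion stand-in

class RelyingParty:  # the site or desktop app; it never handles the password at all
    def __init__(self, auth_server, redirect_uri):
        self.auth, self.redirect_uri = auth_server, redirect_uri
        self._pending = set()       # outstanding 'state' values, one per login attempt
    def start_login(self):
        state = secrets.token_urlsafe(16)
        self._pending.add(state)
        return state                # would travel in the authorize-URL redirect
    def finish_login(self, callback_url):
        q = parse_qs(urlparse(callback_url).query)
        state = q.get("state", [None])[0]
        if state not in self._pending:          # rejects forged or replayed callbacks
            raise PermissionError("unknown state")
        self._pending.discard(state)
        return self.auth.exchange_code(q.get("code", [""])[0], self.redirect_uri)["sub"]

def demo(password="correct horse"):
    auth = AuthServer()
    rp = RelyingParty(auth, "https://app.example/callback")   # placeholder callback
    state = rp.start_login()
    # The user types the password into the auth server's page, not into the RP.
    callback = auth.login_and_authorize("alice", password, rp.redirect_uri, state)
    return rp.finish_login(callback), auth.passwords_seen
```

`demo()` returns the identified user and a count showing the password was handled exactly once, by the authorization server; a wrong password, a replayed callback, or a callback with a `state` the relying party never issued all raise `PermissionError`.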


In my opinion it is not a good practice. Some questions cannot be ignored:

  • Google and Facebook already explore our privacy, selling our personal information to third-party companies and advertisers. It is just more food for the fish. That is why they provide this service.
  • Like @Pascal says, all eggs in the same basket, trusting in a third party. Not quite a good option nowadays.
  • You can develop an OAuth server yourself, without the necessity of using Facebook or Google. This way you can be sure what is happening with your data.