Two things not considered in either post:
- account access
- IDP trust
Account Access:
- There are a number of social providers out there who have locked/revoked people's accounts without warning. There's no appeal and no way to get help and instead, you hope you can backdoor your network to someone in support. (I'm looking at you Google.) If they are your sole social auth approach, your account is gone.
- Alternatively, if your account is compromised, you again have no help but now the attacker has access to your downstream accounts.
Which gets to the other idea of IDP trust:
- When you add social providers, you're now inheriting all of their compromises. Unless you can layer an additional auth method/factor on top - both at linking time and occasionally later - you're at their mercy.
Account Access is a great point @Danger Casey! As @Dan says, there's always a tension whenever you trust an external identity provider — even if you choose a (third-party) CIAM integration. An integration with a CIAM solution that you can host and manage improves the situation, and Account Linking helps mitigate some of the challenges you mention, as it allows you to leverage multiple upstream (social) IdPs more effectively.
Great points. There's a tension whenever you trust an external identity source. It's a tradeoff because there are some indications that it positively impacts conversion: see https://auth0.com/blog/how-to-use-social-login-to-drive-your-apps-growth/ which quotes a 20% increase in conversion sign-up. But, as you mention, as a user you are exposing yourself in two systems instead of one.
From the perspective of IDP trust, integrating a (third-party) CIAM solution is beneficial — rather than directly integrating with a Social provider, say — as most will allow you to layer an additional auth factor on top of what the upstream IdP provides, both at account linking time or otherwise 😎
To be fair, you could add that layering in your application too.
But CIAM specific software teams are more likely to encounter and consider these niche use cases.
I really liked your point, @Dan, about an IdP's unique id usually not changing over time, but not being guaranteed. As you say, it isn’t helpful from the perspective of actually linking accounts, but from a SaaS perspective, it really highlights the benefit of integrating with a (third-party) CIAM solution where the unique identifier does remain consistent.
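Putting the points raised in this thread into code: the example below is added here and is not code from the thread, the article, or any CIAM product. It models an app that links several upstream (social) IdPs to one local account, keys every link on the upstream (issuer, subject) pair rather than e-mail (the `sub` claim being the identifier a provider promises to keep stable), refuses to auto-merge an unknown identity whose e-mail claim happens to match an existing account, demands a second factor at link time, records when each link was last verified so stale links can be re-checked later, and shows that an account survives one provider locking the user out as long as another link remains. Provider URLs, subject values, account ids and the `second_factor` hook are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Tuple

# An upstream identity is (issuer, subject). `sub` is what the IdP keeps stable
# for a user; e-mail is a claim the upstream (or an attacker) controls, not a key.
IdentityKey = Tuple[str, str]


class LinkError(Exception):
    """Raised when a login or link must not happen automatically."""


@dataclass
class Account:
    account_id: str
    email: str
    # (issuer, subject) -> when this link was last verified with a second factor
    identities: Dict[IdentityKey, datetime] = field(default_factory=dict)


class AccountStore:
    """In-memory store. `second_factor` is an app-supplied hook (TOTP, passkey,
    e-mail OTP...) that returns True only after a fresh check. Constructed for
    the example; a real app would back this with a database and an MFA service."""

    def __init__(self, second_factor: Callable[[str], bool],
                 reverify_after: timedelta = timedelta(days=90),
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.accounts: Dict[str, Account] = {}
        self.by_identity: Dict[IdentityKey, str] = {}
        self.second_factor = second_factor
        self.reverify_after = reverify_after
        self.clock = clock

    def register(self, account_id: str, email: str, issuer: str, subject: str) -> Account:
        key = (issuer, subject)
        if key in self.by_identity:
            raise LinkError("identity already belongs to an account")
        acct = Account(account_id, email, {key: self.clock()})
        self.accounts[account_id] = acct
        self.by_identity[key] = account_id
        return acct

    def login(self, issuer: str, subject: str, email_claim: str) -> Account:
        """Resolve an upstream assertion by (iss, sub) only. An unknown identity
        whose e-mail matches an existing account is NOT merged into it."""
        acct_id = self.by_identity.get((issuer, subject))
        if acct_id is not None:
            return self.accounts[acct_id]
        if any(a.email == email_claim for a in self.accounts.values()):
            raise LinkError("e-mail matches an existing account; sign in to it and link explicitly")
        raise LinkError("unknown identity; register first")

    def link(self, account_id: str, issuer: str, subject: str) -> None:
        """Attach another upstream identity to an already-authenticated account.
        A second factor is required so a hijacked session cannot add a new door."""
        key = (issuer, subject)
        owner = self.by_identity.get(key)
        if owner is not None and owner != account_id:
            raise LinkError("identity already linked to another account")
        if not self.second_factor(account_id):
            raise LinkError("second factor required to link an identity")
        self.accounts[account_id].identities[key] = self.clock()
        self.by_identity[key] = account_id

    def stale_links(self, account_id: str) -> List[IdentityKey]:
        """Links whose last second-factor verification is older than reverify_after."""
        now = self.clock()
        return [k for k, t in self.accounts[account_id].identities.items()
                if now - t > self.reverify_after]


def demo() -> dict:
    """Walks through the thread's scenarios; returns the outcomes for checking."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    state = {"now": t0}
    store = AccountStore(second_factor=lambda _acct: True, clock=lambda: state["now"])
    store.register("acct-1", "alice@example.com", "https://accounts.google.com", "g-111")
    store.link("acct-1", "https://github.com", "gh-222")

    # 1. Google locks Alice out: no Google assertion is possible any more, but the
    #    GitHub link still resolves to the same local account.
    survived = store.login("https://github.com", "gh-222", "alice@example.com").account_id

    # 2. An attacker's social account carries Alice's e-mail as a claim: no
    #    (iss, sub) match, so no automatic merge into her account.
    try:
        store.login("https://social.example", "evil-333", "alice@example.com")
        merged = True
    except LinkError:
        merged = False

    # 3. 91 days later GitHub is re-verified; the Google link is now overdue.
    state["now"] = t0 + timedelta(days=91)
    store.link("acct-1", "https://github.com", "gh-222")
    return {"survived": survived, "merged": merged, "stale": store.stale_links("acct-1")}


def link_without_second_factor_refused() -> bool:
    """Linking is refused outright when the second-factor hook says no."""
    store = AccountStore(second_factor=lambda _acct: False)
    store.register("acct-2", "bob@example.com", "https://accounts.google.com", "g-444")
    try:
        store.link("acct-2", "https://github.com", "gh-555")
        return False
    except LinkError:
        return True
```

The e-mail rule in `login` is the part most often got wrong in practice: auto-linking on a matching e-mail claim is exactly how a compromised or attacker-created upstream account ends up owning someone else's downstream account, so the user has to sign in to the existing account and add the new identity through `link`, behind a second factor.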
Some great analysis and conversation on my aforementioned article; thanks @Dan and @Danger Casey for your insights 😎 I've taken the opportunity to reflect on some of the points raised and have made a few tweaks to my article accordingly — which will hopefully be of benefit to everyone. 🤗
Awesome! The system works!