Is Facebook login secure enough?
I'm considering using Facebook login for a large site with some "bank-like" information such as viewing an account balance. The current login is a username/password system, otherwise I don't know the current security measurements taken.
What are some of the pitfalls? For now, I'm thinking security of the authorization and uptime.
Is Facebooks OAuth 2.0 secure enough? Just read that the lead author of OAuth 2.0 left the work group (See: http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/) because it "fails to deliver its two main goals – security and interoperability".
This would be better over at Security.StackExchange.com BUT.
In my opinion, it is not secure enough. I realize there are potential benefits, and I realize the value of systems like OpenId, OAuth, and other similar mechanisms, but to put banking info behind it I don't think so.
Off the top of my head, here are the two reasons I'd be most hesitant:
- Since OAuth is used for so many sites, it's probably more attractive to the bad guys.
- You're putting your faith in someone else's system. If Facebook gets compromised, suddenly your site is also compromised.
- While OAuth may be better than anything you can cook up yourself, it also suffers from the fact that you can't monitor activity/invalid logins, etc. Auditing such things is a major part of keeping your site secure.
Jeff Atwood listed the virtues, as well as several issues with OpenId (similar) in this excellent blog post.