TL;DR It is becoming increasingly common for sites to offer third-party authentication (using, for example, your Google account to log in to xyz.com). This is all very convenient but has some significant downsides.

As I write this I am in the process of adding third-party authentication to SaltyVagrant.com. Hold the cries of ‘hypocrite’, though, as my issues are more to do with careless users than sites enabling them.

Privacy

Using third-party identity providers just puts even more personal information in the hands of these companies. For every site you log in to with your social account, the identity provider immediately gains access to information about how often you visit the site, from where you access the site, and a potential wealth of other information. It is, fortunately, not likely that they will have access to the content of the service for which they provide identity, but these other data are still very valuable and allow the likes of Google and Facebook to assemble a profile of information about your internet use.

Security

While there is no direct concern about the robustness of most third-party identity providers (beyond the usual problems of users choosing poor passwords), there remains the concern that using one identity provider across multiple services is equivalent to using one password. If the social account you use to log in to many sites becomes compromised, then instantly all the sites you used this social account on are also compromised.

Availability

As a site using third-party authenticators you have other issues. Principal among these is availability. If the third party becomes unavailable, you lose customers. This applies generally (the provider becomes unavailable to all users) and specifically (one user is denied access to the third party, an increasingly likely situation). In either case you lose business entirely because of the third party’s behaviour.

Support

Then there is the support service problem. If a user has difficulty logging on, is this a problem with your service or with the identity service? It is difficult to explain to users that you cannot help them because it is Google, Facebook, or whoever, denying them login access, not you.

Additional Resources

[LU] A. Levi and M. Ufuk Çağlayan. The Problem of Trusted Third Party in Authentication and Digital Signature Protocols. URL: http://people.sabanciuniv.edu/levi/iscis12.pdf (visited on 02/26/2021).