Security risks of OAuth vs a password manager



  • Of the following two approaches, which is "more secure", under which circumstances, and why? In other words, please compare the security risks of these two approaches:

    1. Log in to an OAuth provider such as Google or Facebook using a master passphrase; then use OAuth/OpenID to log in to other services via that OAuth provider.
    2. Use a password manager with the same passphrase; have it generate and auto-type a separate random password for each service.

    This question explains how OAuth and OpenID work and why they're considered secure, but it doesn't compare them to a password manager.

    Motivation:

    From my perspective as a user, OAuth and a password manager solve the same problem of not having to enter separate passwords (or any passwords at all) when logging in to various services. OAuth does it by "reusing" my login into the OAuth provider (I understand the technical details are more involved, but that's how it looks to me as a user). A password manager does it by automatically typing in the password for me.

    Either way, I only need to enter a single master passphrase: either to the OAuth provider or to the password manager.

    I'm trying to decide when to use which solution. To do that, I want to understand their security implications more in depth (and compare them where possible).

    OAuth vs separate accounts (with separate passwords), as noted by @schroeder, is one aspect of this. But a password manager is necessary to automate the password entry, and adds its own layer of security risks. So it's also an important piece of the puzzle, I think.



  • Neat question, I had not thought before to compare those as competing solutions, but I suppose they are!

    I'll answer this from the perspective of the Confidentiality - Integrity - Availability security triad.

    Integrity for the OAuth case is a one-shot deal: you lose your main password and you're toast everywhere; your accounts now belong to the attacker, and good luck getting them back. That may also be the case if you're using a cloud-based password manager, but offline file-based password managers give you more control over where your password data is stored (e.g., if the only copies are on your phone, your laptop, and a USB hard drive, then that's harder for an attacker to get their hands on).

    Availability boils down to what happens if you forget your main password, delete your password manager db file, lose your phone and don't have a backup, or otherwise lose access to your account. Here the OAuth providers probably win because it's generally easier to recover your account with one of those services than with a password manager.

    Last but not least, to me the big difference is Confidentiality. You will notice that, in general, the companies providing free large-scale OAuth services tend to be advertising / user analytics companies. They directly benefit from being able to track you across 3rd party sites. So if you're even a little bit interested in anonymity, then by making separate isolated accounts on different sites you're making it one step harder for people (either other end-users, or the networks themselves) to correlate all your accounts.
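    To make the password-manager side of the comparison concrete, here is an added illustration (not code from the question or the answer, and not any real password manager's implementation) of the offline, file-based model the answer prefers for integrity: one master passphrase is stretched with PBKDF2 into a key that seals the vault, and every service gets a password drawn from the OS CSPRNG, so no service's password is derived from the master passphrase or from any other entry. The sealing construction (HMAC-SHA256 in counter mode as the keystream, plus an HMAC tag, encrypt-then-MAC) is an assumed stand-in for the AEAD cipher a real vault would use; all function names, the iteration count and the 24-character length are assumptions.

```python
"""Minimal offline password-vault sketch (added example, not from the page).

Design points it demonstrates:
  * the master passphrase is only ever used to derive a key (slow, salted KDF);
  * the vault file is opaque without that key, and a wrong passphrase is
    rejected by the authentication tag rather than by a stored password;
  * per-service passwords are independent CSPRNG output, unrelated to the
    master passphrase and to each other.
"""
import hashlib
import hmac
import json
import math
import secrets
import string
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # assumed value; raise until unlock takes ~0.5 s on your hardware
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
PASSWORD_LENGTH = 24  # assumed default


def derive_master_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the passphrase: an attacker holding the vault file must grind this."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (illustrative stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the master key.
    return (hmac.new(key, b"enc", "sha256").digest(),
            hmac.new(key, b"mac", "sha256").digest())


def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC: XOR with the keystream, then tag nonce||ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def open_sealed(key: bytes, box: dict) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the box was tampered with."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct = bytes.fromhex(box["nonce"]), bytes.fromhex(box["ct"])
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, bytes.fromhex(box["tag"])):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def generate_password(length: int = PASSWORD_LENGTH) -> str:
    """Independent random password per service; secrets.choice uses the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def password_entropy_bits(length: int = PASSWORD_LENGTH) -> float:
    """Entropy of a generated password: length * log2(alphabet size)."""
    return length * math.log2(len(ALPHABET))


def new_vault(passphrase: str, services: list) -> dict:
    """Create a vault with a fresh random password for each named service."""
    salt = secrets.token_bytes(16)
    key = derive_master_key(passphrase, salt)
    entries = {service: generate_password() for service in services}
    return {"salt": salt.hex(), "box": seal(key, json.dumps(entries).encode("utf-8"))}


def unlock(vault: dict, passphrase: str) -> Optional[dict]:
    """Return the {service: password} map, or None on a wrong passphrase."""
    key = derive_master_key(passphrase, bytes.fromhex(vault["salt"]))
    plaintext = open_sealed(key, vault["box"])
    return None if plaintext is None else json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    vault = new_vault("correct horse battery staple", ["example.com", "example.org"])
    print(json.dumps(vault)[:80] + "...")  # what an attacker sees without the passphrase
    print(unlock(vault, "correct horse battery staple"))
    print(unlock(vault, "wrong passphrase"))  # None
```

    The point to take from it, relative to the OAuth case in the answer above: the attacker who steals this vault file still has to brute-force the passphrase through PBKDF2, and a breach at example.com leaks a 24-character random string that says nothing about the master passphrase or about example.org. Whoever steals the master passphrase itself, though, gets everything, which is exactly the one-shot integrity failure the answer describes for both designs.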


