8 Alternatives to Facebook Login
By Anagha Arvind
February 1, 2021
How many times have you used your Facebook account to sign into other websites and applications and felt confident about its security? Facebook is widely viewed as the largest social media communications platform. It also offers a single sign-on called “Login with Facebook” for signing up to third-party services, including Instagram and WhatsApp. Despite its appearance as a social media platform, this technology conglomerate should be seen as an advertising agency and as the second-largest data collector after Google. Your data is at risk of being exposed to bad actors, raising security and privacy concerns. This article introduces 8 single sign-on alternatives to the notorious Facebook Login, some of them built on blockchain technology, that promise verifiable and total privacy together with convenient use, so that you can protect your digital identity.
The Problem with Facebook Login
With access to user data from across 8 million websites and more than 2 billion accounts, Facebook has all the information it needs to direct personalized ads and promotions to your News Feed. Its social login is implemented on more than a million websites so that new users can access new services with their Facebook account instead of creating new credentials. Facebook Login can provide the website or application with names, pictures, email addresses, phone numbers and Facebook friends, among other personal information. However, it has a drawback common to most social single sign-ons (SSO): a single point of failure that attackers can target. If the password or access tokens are stolen once, every account that uses that SSO is exposed and compromised. The SSO is managed by a single party that relies on third parties to access user databases without proper safeguards. Facebook’s biggest data breach, revealed in 2018, exposed 87 million accounts to hackers who gained access to the names, genders, and home addresses linked to a user’s profile page. They also had access to the sites and apps that the user had signed into with Facebook Login. This event was neither the first nor the last of its kind, and Facebook has not been clear about how it will limit access to personal data and ensure user privacy, especially for its login service.
What is Blockchain Technology?
Blockchain technology aims to improve digital identity security and data protection, which is crucial: there were more than 9,600 reported data breaches in the United States between 2008 and 2019, with 10 billion records stolen. A blockchain is a distributed database in which data is replicated and verified across independent electronic devices, or nodes, each of which keeps the network functioning with its own copy of the chain. Information is decentralized, as no single company or organization owns the data, which avoids a single point of failure for bad actors to target. This contrasts with a typical SSO’s centralized identity verification system, which leads to data leaks, loss of privacy, and inefficiencies.
The “blocks” are batches of data stored in sequence. The “chain” refers to how each block is cryptographically linked to its parent, meaning that a block’s data cannot be changed without also changing every following block, and any such change needs overall consensus from the network. A new block must be approved by every node in the network so that everyone has access to the same data. For example, Ethereum’s popular blockchain protocol relies on a computationally heavy consensus algorithm called Proof-of-Work, in which new blocks are added to the chain through mining, which also makes attacks expensive. Mining involves assembling a block of transactions, which are cryptographically signed instructions from accounts, and adding it to the blockchain.
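To make the “chain” property concrete, here is an added toy example (not code from any of the projects discussed) of a hash-linked chain with a small Proof-of-Work target: each block commits to its parent’s hash, so altering one block’s data invalidates it, and re-mining that block alone still leaves every later block pointing at a stale parent hash. The difficulty, block fields and transactions are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass

# Constructed toy target: a block hash must start with this many '0' hex digits.
DIFFICULTY = 3


@dataclass
class Block:
    index: int
    prev_hash: str          # hash of the parent block (the "chain" link)
    transactions: list      # constructed sample transactions
    nonce: int = 0
    hash: str = ""          # this block's own hash once mined


def compute_hash(block: Block) -> str:
    """Hash everything in the block except its own stored hash."""
    header = json.dumps(
        [block.index, block.prev_hash, block.transactions, block.nonce],
        sort_keys=True,
    )
    return hashlib.sha256(header.encode()).hexdigest()


def mine(block: Block) -> Block:
    """Proof-of-Work: search for a nonce whose hash meets the difficulty target."""
    block.nonce = 0
    while True:
        h = compute_hash(block)
        if h.startswith("0" * DIFFICULTY):
            block.hash = h
            return block
        block.nonce += 1


def build_chain(batches: list) -> list:
    """Mine a genesis block, then one block per batch, each linked to its parent's hash."""
    chain = [mine(Block(0, "0" * 64, []))]
    for txs in batches:
        chain.append(mine(Block(len(chain), chain[-1].hash, txs)))
    return chain


def first_invalid_block(chain: list) -> int:
    """Index of the first block that fails verification, or -1 if the chain is intact."""
    for i, block in enumerate(chain):
        if block.hash != compute_hash(block) or not block.hash.startswith("0" * DIFFICULTY):
            return i                       # data or nonce no longer matches stored hash
        if i > 0 and block.prev_hash != chain[i - 1].hash:
            return i                       # parent link is stale
    return -1
```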
Blockchain SSOs provide encrypted digital identities and connect a cloud user with a cloud service provider, eliminating the need for multiple usernames and passwords. More businesses should build these blockchain SSOs into their backbones to grant users secure, one-click access to various websites and apps and to cut the resources spent managing multiple security identities. Users register one identity on the blockchain, which may contain registration numbers, biometrics, and email addresses, stored as cryptographic hashes rather than in the clear. A recognizing party, or validator, such as a notary or government institution on the blockchain verifies the registered hashes and sells that information to corresponding service providers, who trust this identity enough to authenticate it and grant access to their services. Essentially, one digital identity can be used to access services worldwide by trusting the strength and security of blockchain technology.
Here are 8 SSOs, most of them built on blockchain technology, that remove the security concerns typically seen in social logins such as Facebook Login:
Civic offers a protocol for personal identity verification, used by banks and utility companies, that incorporates distributed ledger technology (DLT). DLT records asset transactions in multiple places at once instead of in a centralized data store, giving both individuals and developers a safer, cheaper and more efficient option. Civic’s network accommodates all the entities of the blockchain: users, recognizing parties, and service providers. Its Security Identity App, “Civic identity – Bitcoin Wallet”, available on the App Store, Google Play and the web, lets users register their identity easily; it only requires an email address, phone number, and a video selfie. The app encrypts personal information with a private key and does not store personal information on the blockchain directly. It stores proof of the information instead, keeping users in control of their data. Recognizing parties, or validators, verify an identity’s authenticity on the DLT on behalf of service providers and sell the result to those providers in exchange for CVC, Civic’s token. When a user submits relevant information from their Civic account, they sign a validation contract that oversees data attestation. Users are also incentivized to join by receiving CVC in exchange for providing their data more securely through Civic. These CVC tokens can be used to interact with identity-related products from Civic and third parties. The service is built on the Ethereum blockchain and uses smart contracts to supervise data attestation.
SelfKey is an identity system that delivers on security, privacy, ownership, access, protection, and data portability. It deploys the concept of Self-Sovereign IDentity (SSID), in which users are at the center of the identity management process. SelfKey is governed by the SelfKey Foundation, a non-profit organization that offers a free and open-source digital wallet, products and services specific to SelfKey, a machine-readable JSON protocol for implementation, connections to third-party services in accordance with Know-Your-Customer (KYC) regulations, and “KEY” tokens to exchange information and conduct transactions more securely and privately. A few of the products and services offered are Bitcoin signup, bank account applications, e-wallets, and token sales. Individuals who want to use SelfKey download the “SelfKey Wallet” app and obtain a public/private key pair known as a SelfKey. This acts as a digital “pen” that applies the identity owner’s signature to documents, as the private key is used to authenticate the identity to third parties. Unlike a typical username-password credential stored in a third-party database, a SelfKey private key is never shared with anyone. SelfKey is also built on the Ethereum blockchain.
Sovrin is another login service that focuses on self-sovereign identities for users and businesses, who remain in control of their own digital identities. Users can create and own multiple identities for online banks, mobile apps, email, and shopping sites. Sovrin gives its members the freedom to control their public and private data. It provides two keys: a private key that is used to sign documents and is secret to the owner, and a public key that verifies the signature and ensures the document has not been tampered with. These two keys enable a consensus algorithm that operates over multiple machines and replicates across different entities. The Sovrin Network also uses two rings of nodes: one ring of validator nodes that accept transactions, and one ring of observer nodes that run copies of the blockchain to process requests. The blockchain returns lightweight cryptographic proofs that can be processed on a smartphone. Sovrin also offers tokens that support efficient value exchange for digital credentials. This increases trustworthiness between everyone involved and is an incentive for customers to share consented data with companies. Because the data comes directly from the customer, it is more valuable than third-party data. In exchange, customers receive Sovrin tokens. The goal of Sovrin is to prove that decentralization works for a self-sovereign identity with Ethereum public blockchains.
uPort is another system that provides a secure self-sovereign identity and is also built on the Ethereum blockchain. Its technology consists of three components: smart contracts, developer libraries, and a mobile app. The app holds the user’s keys, while Ethereum provides the smart contracts that form the core of identity management. The developer libraries provide methods for third-party app developers to integrate uPort into their own services and apps. Identities within uPort can range from individuals and devices to entities and institutions, and all are controlled by their owners. An essential use of a uPort identity is to digitally sign and verify a claim or transaction. End-users have complete ownership and control of their personal identity, data and digital assets, which can then be safely presented to other parties to access their services, conduct transactions, and sign documents without passwords. For businesses, uPort offers a corporate identity to improve the KYC process and build secure access-controlled environments for employees, encrypting and protecting sensitive data while increasing compliance. The core of a uPort identity is the uPort identifier, a 20-byte address written in hexadecimal that points to an Ethereum smart contract called a Proxy contract. It is through this Proxy contract that a user identity interacts with other smart contracts on the blockchain, adding a layer of indirection between the user’s private key on a mobile device and the application’s smart contract.
The Jolocom protocol offers methods for generating and managing decentralized identifiers, verifiable credentials, and cryptographic signatures when a user creates an identity. Identities are created locally with hierarchical deterministic keys that can handle multiple personas. In the Jolocom ecosystem, users are known as “Holders” of trustworthy digital identities. Holders have persistent ownership over the origin of their identity through private key generation. Jolocom does not collect any user data, and only the holder of an identity can use that identity. Identity attributes such as private keys are stored client-side on the device by default. All code behind the Jolocom protocol is open source and maintained in a public, accessible repository. Any identity holder can produce, share and consume identity data by implementing the protocol. Jolocom is built on Ethereum and the InterPlanetary File System (IPFS), and the protocol can connect to other networks such as Bitcoin, giving flexibility in its implementation. Jolocom also provides a mobile app called the “Jolocom SmartWallet” for users to manage their identities, credentials, and tokens.
Peer Mountain offers the first decentralized peer-to-peer trust marketplace, joining self-sovereign identity owners with service providers that comply with data privacy regulations. It uses cryptographic protocols for people and companies to create a trusted record of digital identities, relationships, and proofs of activity. There are three components in the Peer Mountain ecosystem: the mobile end-user, who is the consumer; the back-end service provider; and the attestation engines, who are the certificate providers. Members of the ecosystem own and control their data and decide who can access it, denying third parties access. The ecosystem also complies with KYC processes and regulations for client onboarding, lowering the cost of meeting these regulations. Peer Mountain serves both consumers who want self-sovereign identities and service providers who need continuous, reliable compliance and efficient commercial service delivery. With the protocol, a user can go through a typical service application, such as applying for a credit card, share their information, and have trusted third parties attest to that information so the provider can deliver its service. The certification and identity verification process becomes less time-consuming and liability is reduced. Each user owns a vault of safety deposit boxes holding copies of documents encrypted with dedicated keys. A 4096-bit master key makes the vault extremely hard to break. Even if someone loses their device, their keys are protected by an authentication PIN and fingerprint, as they are stored in the device’s hardware-backed storage. Peer Mountain also offers a utility token, the “Peer Mountain Token” (PMTN), to measure the value of trustworthiness in the ecosystem.
THEKEY project provides solutions for the identity verification industry that address the issues of centralized identity verification systems. It aims to bridge blockchain and smart contracts, in particular through its “Blockchain-based Dynamic Multi-Dimension Identification” (BDMI) technology, which promotes cost efficiency and security. BDMI technology uses biometric data as its base, validated by government authorities. Once an identity is verified, it is properly documented and the user earns “THEKEY” tokens (“TKY Token”). One advantage is the avoidance of duplicated data in collection, processing, and authentication. THEKEY’s ecosystem offers a healthy environment for data to be used and protected. It consists of validators, who process identity verification requests and generate results, and service providers, who initiate the requests. It also involves individual users, who are customers of the service providers and must consent before validators process a verification request. When a validator receives a request about a user from a service provider, along with the user’s consent in the form of a smart contract, the validator generates a result and records a stamp of approval on the blockchain. These smart contracts encode government rules such as KYC policies. Individuals are in full control of their identity, and their data can be managed in THEKEY’s mobile app.
humanID provides a highly convenient SSO login service that delivers anonymity and total privacy to protect end-users from bots and abusive users. Its aim is to replace social media logins like “Login with Facebook”, which have financial incentives to let countless fake accounts exist on the platform. Instead, humanID’s mobile and web applications are free for the end-user and let users sign onto third-party websites with their unique phone number. User data is deleted after verification, and humanID never shares that information with its partners. To maintain privacy, a cryptographic hash that is unique to the combination of a user’s phone number and the service they are accessing is created. Additionally, humanID sets strict limits on usage and on multiple devices, holding users accountable; abusive users are permanently banned or restricted. While humanID does not use blockchain technology, which can sometimes complicate matters for users and developers, it uses an OAuth architecture. The humanID ecosystem consists of a Business Client, an OAuth Server and a Resource Server. To integrate a third-party app, credentials such as the App ID, App Server Secret Key and App Client Key must be obtained from the humanID developers. At login, the client requests one of humanID’s limited-time Exchange Tokens from the humanID server. The humanID API on the server verifies the client and checks whether the user already has an account. The user is sent an OTP SMS together with the Exchange Token, which they can use to request access to the third-party application. humanID then verifies the user for the app and creates a session for them. This service is meant for applications that use the “Login with Facebook” software development kit (SDK), unlike banks and other platforms that require strict KYC processes for their users. This makes it convenient for developers, as the implementation involves a simple plug-and-play SDK that helps platforms increase sign-up and engagement rates and improve customer satisfaction.
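The per-service hash described for humanID, and the hashed identity attributes mentioned under blockchain SSOs above, can be illustrated with an added example (not humanID’s or any project’s code; humanID’s exact construction is not given in the article). It assumes a server-held secret and an app identifier, and shows why a keyed hash rather than a plain hash is needed: phone numbers have little entropy, so an unkeyed hash can be inverted from a list of candidate numbers, while the HMAC cannot without the secret, and different services receive identifiers that cannot be correlated.

```python
import hashlib
import hmac
import re
from typing import List, Optional

# Constructed secret for this example only; a real SSO server generates its own
# and never ships it to client apps (assumption, not a humanID value).
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def normalize_phone(phone: str) -> str:
    """Canonicalise to '+<digits>' so '+1 (415) 555-0100' and '14155550100' map to one user."""
    digits = re.sub(r"\D", "", phone)
    if not 7 <= len(digits) <= 15:
        raise ValueError("not a plausible phone number")
    return "+" + digits


def naive_user_id(phone: str, app_id: str) -> str:
    """Unkeyed hash of (phone, service). Looks opaque, but the input space is tiny:
    anyone holding the value and app_id can recover the number by hashing candidates."""
    msg = f"{normalize_phone(phone)}|{app_id}".encode()
    return hashlib.sha256(msg).hexdigest()


def pairwise_user_id(phone: str, app_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Keyed hash (HMAC-SHA256) of (phone, service) under a server secret: stable per
    user and service, different across services, and not invertible without the secret."""
    msg = f"{normalize_phone(phone)}|{app_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def recover_phone_unkeyed(target: str, app_id: str, candidates: List[str]) -> Optional[str]:
    """Defender's check: can a candidate list invert the identifier? Succeeds against
    naive_user_id, fails against pairwise_user_id because the secret is missing."""
    for cand in candidates:
        if naive_user_id(cand, app_id) == target:
            return normalize_phone(cand)
    return None
```

The candidate list and the 555-0100 numbers are constructed; the point is that the keyed identifier survives the same check that breaks the unkeyed one.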
These login services, which provide secure identity management systems, are better alternatives to Facebook’s social login. To decide which platform to use from these options, a developer should consider scalability, quality of documentation, ease of implementation and the availability of tools that improve the developer experience. Users should consider reliability, a satisfactory experience, an easy interface and secure authentication from the platform the developer has chosen. Overall, it is important to turn towards decentralized systems to protect digital identities and data, moving away from centralized management systems that are prone to breaches and attacks.