Is it reasonable to require passwords when users sign into my application through social media accounts?
Posted by BrMcMullin on Programmers, published 2012-11-28T23:42:08Z (indexed 2012/11/29 5:19 UTC)
Tags: security | social-networks
I've built an application that requires users to authenticate with one or more social media accounts from either Facebook, Twitter, or LinkedIn.
Edit: Once the user has signed in, an 'identity' for them is maintained in the system, to which all content they create is associated. A user can associate one account from each of the supported providers with this identity.
I'm concerned about how to protect potential users from connecting the wrong account to their identity in our application.
There are two main scenarios that could happen:
1. User has multiple accounts on one of the three providers, and is not logged into the one s/he desires.
2. User comes to a public or shared computer, on which the previous user left themselves logged into one of the three providers.
While I haven't encountered many examples of this myself, I'm considering requiring users to password authenticate with Facebook, Twitter, and LinkedIn whenever they are signing into our application.
Is that a reasonable approach, or are there reasons why many other sites and applications don't challenge users to provide a user name and password when authorizing applications to access their social media accounts?
Thanks in advance!
Edit: A clarification: I'm not intending to store anyone's user name and password. Rather, when a user clicks the button to sign in, with Facebook as an example, I'm considering showing an "Is this you?" type window.
The idea is that a user would respond to the challenge by either signing into Facebook on the account fetched from the oauth hash, or would sign into the correct account and the oauth callback would run with the new oauth hash data.
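As an added example (not code from the question or from any provider's SDK), the challenge flow the asker describes, modelled as a small server-side component: the OAuth callback never signs the user in directly but parks the returned account behind a one-time token, the user answers "Is this you?", and a "no" sends them back to the provider with a forced re-login instead of the browser's cached session. Class and method names are hypothetical; `auth_type=reauthenticate` (Facebook) and `force_login=true` (Twitter) are the providers' real documented parameters, and LinkedIn is deliberately left without one.

```python
from dataclasses import dataclass, field
import secrets
# Hypothetical names throughout. The provider parameters below are the real ones
# that force a fresh login instead of reusing the browser's cached provider session.
FORCE_LOGIN_PARAMS = {
    "facebook": {"auth_type": "reauthenticate"},
    "twitter": {"force_login": "true"},
}

@dataclass
class Identity:
    name: str
    linked: dict = field(default_factory=dict)  # provider -> provider user id

@dataclass
class PendingLogin:
    provider: str
    uid: str
    display: str  # what the "Is this you?" dialog shows

class SocialSignIn:
    def __init__(self):
        self.identities = {}  # (provider, uid) -> Identity
        self.pending = {}     # single-use challenge token -> PendingLogin

    def link(self, identity, provider, uid):
        identity.linked[provider] = uid
        self.identities[(provider, uid)] = identity

    def on_callback(self, oauth_hash):
        # Provider callback. Does not sign anyone in: park the returned account
        # behind a single-use token and have the browser show "Is this you?" for it.
        pending = PendingLogin(oauth_hash["provider"], oauth_hash["uid"], oauth_hash["name"])
        token = secrets.token_urlsafe(16)
        self.pending[token] = pending
        return {"action": "challenge", "token": token, "account": pending.display}

    def answer_challenge(self, token, is_me):
        pending = self.pending.pop(token, None)  # consumed: a replayed token fails
        if pending is None:
            return {"action": "error", "reason": "unknown or already-used challenge"}
        if not is_me:
            # Wrong account or a previous user's session on a shared computer: send
            # the user back to the provider with a forced login and await a fresh callback.
            return {"action": "reauthenticate", "provider": pending.provider,
                    "params": FORCE_LOGIN_PARAMS.get(pending.provider, {})}
        identity = self.identities.get((pending.provider, pending.uid))
        if identity is None:
            return {"action": "unknown_account", "provider": pending.provider}
        return {"action": "signed_in", "identity": identity.name}
```

The dialog shows the account the provider actually returned, so a user who sees someone else's name answers "no" and the app redirects with the forced-login parameter rather than trusting the session it found.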