
Of the following two approaches, which is "more secure", under which circumstances, and why? In other words, please compare the security risks of these two approaches:

  1. Log in to an OAuth provider such as Google or Facebook using a master passphrase; then use OAuth/OpenID to log in to other services via that OAuth provider.
  2. Use a password manager with the same passphrase; have it generate and auto-type a separate random password for each service.

This question explains how OAuth and OpenID work and why they're considered secure, but it doesn't compare them to a password manager.

Motivation:

From my perspective as a user, OAuth and a password manager solve the same problem of not having to enter separate passwords (or any passwords at all) when logging in to various services. OAuth does it by "reusing" my login to the OAuth provider (I understand the technical details are more involved, but that's how it looks to me as a user). A password manager does it by automatically typing in the password for me.

Either way, I only need to enter a single master passphrase: either to the OAuth provider or to the password manager.

I'm trying to decide when to use which solution. To do that, I want to understand their security implications more in depth (and compare them where possible).

OAuth vs separate accounts (with separate passwords), as noted by @schroeder, is one aspect of this. But a password manager is necessary to automate the password entry, and adds its own layer of security risks. So it's also an important piece of the puzzle, I think.

MichaelK

  • It's not compared because they are not meant to be compared. They are very different things. What you appear to be *really* asking is what the risks are of using OAuth vs having separate accounts to everything, given that all passwords are strong. Adding in "password manager" is an unnecessary abstraction. – schroeder May 06 '21 at 11:12
  • I would at least say "separate *passwords*". Separate accounts with a reused password would not qualify. But I think the password manager is an important piece of the puzzle, because from my perspective as a user, both OAuth and a password manager solve the same problem: not having to *enter* separate passwords everywhere. I'm trying to understand when I should opt for one or the other, and why. – MichaelK May 06 '21 at 12:03
  • The obvious difference here is the number of databases/systems storing your credentials. With shared single sign-on OAuth it's one. So one database compromised = many logins compromised. For instance, the SolarWinds attackers gained privileges that allowed them to create their own single sign-on tokens. (This allowed access to many different APIs instead of just one.) – pcalkins May 06 '21 at 18:42

1 Answer


Neat question, I had not thought before to compare those as competing solutions, but I suppose they are!

I'll answer this from the perspective of the Confidentiality - Integrity - Availability security triad.

Integrity for the OAuth case is a one-shot deal; you lose your main password and you're toast everywhere; your accounts now belong to the attacker, good luck getting them back. That may also be the case if you're using a cloud-based password manager, but offline file-based password managers give you more control over where your password data is stored (ex.: if the only copies are on your phone, your laptop, and a USB hard drive, then that's harder for an attacker to get their hands on).

Availability boils down to what happens if you forget your main password, delete your password manager db file, lose your phone and don't have a backup, or otherwise lose access to your account. Here the OAuth providers probably win because it's generally easier to recover your account with one of those services than with a password manager.

Last but not least, to me the big difference is Confidentiality. You will notice that, in general, the companies providing free large-scale OAuth services tend to be advertising / user-analytics companies. They directly benefit from being able to track you across third-party sites. So if you're even a little bit interested in anonymity, then by making separate isolated accounts on different sites you're making it one step harder for people (either other end-users, or the networks themselves) to correlate all your accounts.

Mike Ounsworth

  • Good answer. Thanks. If I use a file-based password manager, but back up the file to cloud storage, would that be essentially the same as OAuth for the *integrity* point, or still a little better? Two other points: 1. Not every service supports OAuth, but they all support password login (*availability*?). 2. In some cases like GitHub+GitLab, OAuth/OpenID easily provides a shared identity. With a password manager, it takes a bit more effort. – MichaelK May 07 '21 at 10:44
  • File-based cloud backup: that depends on your threat model (who and what you're worried about). If you are worried about Google themselves cracking your password manager db, then yeah, no better; but if you're worried about a friend with a grudge trying to get into your accounts, well, they would first have to get into your Google Drive, then at the password db; compared to LastPass, where they can try your email and password right on lastpass.com. – Mike Ounsworth May 07 '21 at 14:15
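The blast-radius point made in the answer's Integrity paragraph and in pcalkins's comment ("one database compromised = many logins compromised", attackers minting their own single sign-on tokens) can be made concrete with a small model. The following is an added example, not code from the original question, answer or any real provider: the site names, the user "alice", the master passphrase and the HMAC-signed token layout are all constructed assumptions, and the token merely stands in for an OAuth/OpenID assertion (it is not a real OIDC or JWT format). It compares what an attacker gets from stealing the identity provider's signing key against what they get from one site's leaked password, and shows that losing the whole vault collapses back to the SSO case.

```python
import hashlib
import hmac
import json
import secrets

SITES = ["github.example", "gitlab.example", "forum.example"]  # constructed names
USER = "alice"
MASTER = "correct horse battery staple"  # constructed master passphrase


def kdf(secret, salt):
    """scrypt password hash; n is kept low for the demo, real deployments use far more."""
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def mint_token(signing_key, user, audience):
    """Toy SSO assertion: JSON claims plus an HMAC-SHA256 tag under the IdP key."""
    body = json.dumps({"sub": user, "aud": audience}, sort_keys=True).encode()
    return body, hmac.new(signing_key, body, hashlib.sha256).digest()


class IdentityProvider:
    """Approach 1: every relying party trusts assertions made with this one key."""

    def __init__(self):
        self.signing_key = secrets.token_bytes(32)
        self.users = {}  # user -> (salt, kdf(master passphrase))

    def register(self, user, passphrase):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, kdf(passphrase, salt))

    def login(self, user, passphrase, audience):
        salt, digest = self.users[user]
        if not hmac.compare_digest(digest, kdf(passphrase, salt)):
            return None
        return mint_token(self.signing_key, user, audience)


class RelyingParty:
    """A site that accepts IdP tokens instead of keeping its own passwords."""

    def __init__(self, name, idp_key):
        self.name, self.idp_key = name, idp_key

    def accept(self, token):
        body, tag = token
        expected = hmac.new(self.idp_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        claims = json.loads(body)
        return claims["sub"] if claims["aud"] == self.name else None


class PasswordSite:
    """Approach 2: each site stores only a salted hash of its own random password."""

    def __init__(self, name):
        self.name = name
        self.db = {}  # user -> (salt, hash); this table is what a breach leaks

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.db[user] = (salt, kdf(password, salt))

    def login(self, user, password):
        salt, digest = self.db[user]
        return hmac.compare_digest(digest, kdf(password, salt))


def build_sso():
    idp = IdentityProvider()
    idp.register(USER, MASTER)
    return idp, [RelyingParty(name, idp.signing_key) for name in SITES]


def build_password_manager():
    vault = {name: secrets.token_urlsafe(24) for name in SITES}  # distinct password per site
    sites = {name: PasswordSite(name) for name in SITES}
    for name in SITES:
        sites[name].register(USER, vault[name])
    return vault, sites


def sso_blast_radius(relying_parties, stolen_idp_key):
    """Sites an attacker holding the IdP key can enter as USER without the master passphrase."""
    return [rp.name for rp in relying_parties
            if rp.accept(mint_token(stolen_idp_key, USER, rp.name)) == USER]


def password_blast_radius(sites, leaked_password):
    """Sites where one plaintext password (phished, or cracked from one breached table) works."""
    return [name for name, site in sites.items() if site.login(USER, leaked_password)]


if __name__ == "__main__":
    idp, rps = build_sso()
    print("SSO, IdP signing key stolen:", sso_blast_radius(rps, idp.signing_key))
    vault, sites = build_password_manager()
    print("One site's password leaked:", password_blast_radius(sites, vault["forum.example"]))
    # Losing the vault or its master passphrase is the password-manager analogue of losing the IdP.
    print("Whole vault lost:", [n for n in SITES if password_blast_radius(sites, vault[n])])
```

The model deliberately leaves out the Confidentiality (cross-site tracking) and Availability (account recovery) points from the answer; it only shows how far one compromised secret reaches. Note that a relying party also rejects a genuine token replayed to a different audience, which is the check a real OpenID client performs on the `aud` claim.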