
I need some help in understanding the security risks if I want to use OAuth 2.0 (Facebook, Twitter and G+) as the standard login provider for an e-commerce site. Keep in mind that I will not be saving credit card information on the site or in any of the data stores; I would be utilising services such as PayPal (and similar services)/EFT for payment. I had a quick glance at this documentation for standard security assessments, but I am still nowhere closer to understanding whether OAuth 2.0 would be a viable authentication option. Any advice would be great. I have the same question posted on Stack Overflow.

1 Answer


Don't do authentication against outside OAuth sources if you plan to store any PII (personally identifiable information) like names and addresses; it exposes you to data theft liability if someone hacks the other systems, and you may never even know it happened. You could also have problems if your customer gets locked out of their Facebook account and you can't do anything to fix it. OAuth is fine for web page comments, but not for paying customers.

sburlappp
  • Hi @sburlappp, I'm in a similar situation to Jacques, and your answer clarified some points for me, but do you have any suggestion about how to log in safely? Is Social Spring a safe option? Thanks – maxivis Jun 13 '14 at 12:56
  • It isn't really an issue of how secure the login process might be (although that would be important too); it's more about how to manage your customer accounts when part of the process is out of your control. Paying customers never want to hear you say "there's nothing we can do, call Facebook". – sburlappp Jun 21 '14 at 14:17