Managing social login security risks

by 1Password
January 25, 2026 - 5 min

Social logins like ‘Sign in with Google’ make life more convenient. Employees no longer need to remember numerous passwords, and IT teams can reduce the risk of reused credentials. Nonetheless, there can be a security cost to this method of authentication.
Imagine a major airline website is hacked and millions of email addresses and passwords are dumped online. Unfortunately, this can easily impact your company’s IT infrastructure. 1Password’s 2025 Annual Report found that 27% of employees have used the same passwords for both their work and personal accounts. Bad actors are aware of this; a well-known technique for compromising user accounts (credential stuffing) is to take usernames and passwords from a breached website and try them out elsewhere.
One potential solution to this problem is social logins, like “Login with Google,” which mean that users don’t have to create new usernames and passwords when signing up for websites and applications.
Most social logins use a technology called OpenID Connect, or OIDC. OIDC is a protocol by which the social login provider (in this case, Google) authenticates the user and then returns a signed assertion to the web application confirming who the user is. Any two-factor authentication being enforced for your company’s Google Workspace (formerly G Suite) users will be required as well, giving additional security. This makes users’ lives easier, and for this reason many IT managers allow their users to use “Login with Google” on other websites or third-party SaaS apps.
What is OAuth and why it matters
OIDC is used for authentication, and it often sits on top of another layer, OAuth 2.0, which is responsible for app authorization. In short:
OIDC (authentication): Confirms that a user is who they say they are.
OAuth 2.0 (authorization): Allows users to grant apps permission to access data or carry out actions on their behalf.
OAuth 2.0 is what is at work when, signing into a new app, a user sees a screen saying, “Application X wants to access your Google Account.” It explains what the application wants to be allowed to do, with some smaller text urging the user to think through the risks, and a nice big blue button saying “Allow”.
It’s easy to click “Allow” without reading the small print, but these permissions, also known as OAuth scopes, can give an app the ability to read emails, access documents, and modify settings. A sign-in-only grant (the OIDC scopes for the user’s identity) is very different from a grant that includes read or read/write access to mail or files, even though both arrive through the same consent screen.
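As an added example (not 1Password’s code or the SaaS Manager’s logic), here is how an admin might triage an export of OAuth grants by the scopes each app was given, separating sign-in-only OIDC grants from read-only and read/write data access. The Google scope identifiers are real, but the risk tiers, the `.readonly` heuristic and the sample grant records are this example’s own assumptions.

```python
"""Triage OAuth grants by the scopes they carry (added example, not 1Password's code).
The grant records are constructed to resemble a token-audit export; the scope strings
are real Google OAuth scope identifiers, but the risk tiers are this example's own."""

# Scopes that only identify the user: an OIDC sign-in with no data access.
IDENTITY_SCOPES = {"openid", "email", "profile"}
# Read-only data access: the app can read (and leak) data but not change it.
READ_SCOPES = {"https://www.googleapis.com/auth/gmail.readonly",
               "https://www.googleapis.com/auth/drive.readonly"}
# Read/write or full access: the app can read, modify, send or delete.
WRITE_SCOPES = {"https://mail.google.com/",
                "https://www.googleapis.com/auth/drive"}
RANK = {"identity": 0, "read": 1, "review": 2, "write": 3}

def classify_scope(scope: str) -> str:
    # Unknown scopes are not silently accepted: they land in 'review'.
    if scope in IDENTITY_SCOPES:
        return "identity"
    if scope in READ_SCOPES or scope.endswith(".readonly"):  # heuristic, assumed
        return "read"
    if scope in WRITE_SCOPES:
        return "write"
    return "review"

def assess_grant(grant: dict) -> dict:
    # A grant is as risky as its most permissive scope.
    tiers = [classify_scope(s) for s in grant["scopes"]]
    worst = max(tiers, key=RANK.__getitem__)
    return {"user": grant["user"], "app": grant["app"], "tier": worst,
            "sign_in_only": worst == "identity",
            "data_scopes": [s for s, t in zip(grant["scopes"], tiers) if t != "identity"]}

def flagged_grants(grants: list, minimum: str = "write") -> list:
    # Grants at or above the given tier, in input order, for the admin to act on.
    return [a for a in map(assess_grant, grants) if RANK[a["tier"]] >= RANK[minimum]]

# Constructed sample data, not taken from any real tenant.
GRANTS = [
    {"user": "alice@example.com", "app": "Notes App", "scopes": ["openid", "email", "profile"]},
    {"user": "bob@example.com", "app": "Mail Helper", "scopes": ["openid", "email", "https://mail.google.com/"]},
    {"user": "carol@example.com", "app": "Doc Viewer", "scopes": ["openid", "https://www.googleapis.com/auth/drive.readonly"]},
    {"user": "dave@example.com", "app": "Mystery Plugin", "scopes": ["openid", "https://www.googleapis.com/auth/admin.directory.user"]},
]

if __name__ == "__main__":
    for f in flagged_grants(GRANTS, minimum="review"):
        print(f'{f["user"]}: {f["app"]} ({f["tier"]}) -> {f["data_scopes"]}')
```

Run as written, the report lists only Mail Helper (full Gmail access) and Mystery Plugin (a scope outside the table), while the sign-in-only and read-only grants stay below the threshold.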
This highlights the hidden risk of social login: identities outside SSO increase a company’s unmanaged attack surface. As convenient as social logins are, they can lead to unmanaged connections across SaaS ecosystems, developing and widening the Access-Trust Gap.
Even trusted employees can expose sensitive data; a single click on a social login button can create a standing path into company data, from strategic plans to customer records, that persists until the grant is revoked. IT teams have the challenge of understanding the map of access and acting to secure their attack surface before there’s an issue.
Blocking everything isn’t the answer
Often enough, the instinctive reaction is to block all OAuth access, but this is unlikely to be practical. Thousands of apps use OAuth to help boost productivity, and blanket bans can frustrate teams and have an impact on business operations. This can even cause employees to find workarounds, actually increasing access risks rather than reducing them.
Another option is for IT teams to try manual tracking, which may entail reviewing every app, identifying potentially risky access, and revoking permissions. While this can be effective, it’s time-consuming, can be prone to human error, and doesn’t stop users from re-granting access in the future.
How 1Password SaaS Manager manages OAuth access
This is where a SaaS management tool like 1Password SaaS Manager can help. Rather than relying only on manual tracking or Google’s admin controls, 1Password SaaS Manager gives full visibility into OAuth permissions, helping IT monitor risk without slowing users down.
With a couple of clicks, 1Password SaaS Manager connects to a team’s Google Workspace domain and identifies the SaaS apps that users are accessing. 1Password SaaS Manager then flags risky permissions, shows which users have access to what, and curates the app list so admins can judge which apps have a legitimate business purpose.
By automatically connecting SaaS apps and AI tools, 1Password SaaS Manager enhances SaaS security, makes sure that no app goes unnoticed, and reduces the chances of access risks staying hidden.
This approach allows IT teams to transition to business-led security, monitoring risk without slowing down employees across other teams. This lets employees enjoy the convenience of social logins while ensuring that organizations maintain confidence in data security.
SaaS management for social logins
Google’s access control features are helpful, allowing admins to block apps and manage permissions. However, unmanaged social logins can lead to Shadow IT and uncontrolled access to sensitive data.
1Password SaaS Manager provides complete visibility into OAuth access, with automated discovery and risk assessment for thousands of apps. This gives teams the ability to identify, assess, and manage social logins, and the tools to reach out to employees and better understand business needs. Admins can identify risky access, such as read/write permissions, and either export any findings or take action directly from the dashboard.
This combination means that teams can take advantage of the convenience of social logins while maintaining compliance, security, and visibility.
To begin discovering OAuth exposure risks, schedule a demo of 1Password SaaS Manager.
