Sign-Up Options

Hi guys, hope you are doing well.
So I have a game that I need to sign up to play it, but I only have this options: Google, Facebook, Discord, VKontakte and Twitter.
That means that I have to create an account in one of these services for play the game, so: which one is the most private?
Also, I will only use that account for playing the game, nothing else.

I would probably go with Google as it has better security than the others

You may also want to see the following thread for more information:

4 Likes

Thank you for clarifying my doubts, and i will check the thread.

Depending on your threat model, Google may also be a good option because you can make the one account but use it for all the times that you can only use another service as an option for logging in. Google is more likely to be offered as an option, so you’re reducing the likelihood of having to make another account for similar service next time.

Downside of this is that the more logins you give Google, the more information Google has on you. I don’t think login credentials is the main thing Google is using to advertise against, but it is still in their hands at the end of the day. But you could also just leave that account focused solely for logins and even look down the account in their privacy settings.

From security perspective I think you’d be fine.

1 Like

As of today Sign in with Apple is the best privacy focused and most secure SSO implementation.
I am surprised it is not an option in techlore. @Jonah plans to add it to techlore? I think discourse support it

2 Likes

Thank you very much for your responses everyone. I tried login with Google, but I need a phone number (and I don’t want to give that). Facebook blocked my account, so that option is out. There is any way to bypass phone number verification on Google? (I’m using ProtonVPN if that influence in something). Also, if I use 2FA in Discord, Twitter, or VKontakte it will be as secure as an Google Account? Because I understand that the 2FA cannot be hacked. That’s right or I’m wrong?

1 Like

If the 2FA is through a text, then it is vulnerable to a SIM swap and would be a risk. Not the end of the world, but not ideal.

If you have to give your phone number to one of these services, I would still pick Google because I trust them the most. However, if one of those other services already has your number for 2FA, then for the sake of minimizing attack surface you could role with that one.

1 Like

You’re wrong. 2FA is beneficial in that it prevents an adversary from accessing your account just by acquiring your username and password. 2FA can still be hacked through MITM or phishing attacks.

1 Like

Adding onto this, different types of 2FA are better than others.

SMS/Email are the worst as both are sent in plain text so could therefore be intercepted.

An app is better but the secret is stored on both your device & the companies serves, either or which could be hacked.

The best option is hardware 2FA as pretty much the only way to get into an account that uses it is to have the hardware key, so it would need to be stolen for anyone else to use it.

2 Likes

I think passkeys is same as secure or better than hardware keys. Just waiting see more adaptation… cough discourse cough

2 Likes

You can trie bypassing but it is hard and will take a few hours. From the other three remaining options i will not advise vkontakte. Then it is probally discord or twitter or you can do a lot of work to try getting a google account without a phone number. Also a vpn has nothing to do with the phone number requierment since last year they started kinda requiering phone numbers for google accounts if you want to make one without a phone number it is now really hard but not impossible however even with totorial videos they can be patched and it will still take a long time (a few hours) to make one without a phone number. So then i would consider discord or twitter if you do not have a lot of time. However google third party singin is more secure and more services in the future where you need a third party account will probally support google so then you would not need another of these services next time so if you have a few hours google is a great one from the options. Otherwise i would advise against vkontakte. So then it will be discord or twitter but twitter will requier also phone number with no bypass even if you select singup with email after you created your account half they need a phone number anyways with no bypass. So then discord is better plus some part of techlore is on a discord server discord does requier a email but no phone number and they support 2fa with authenticator app or sms (please do not use sms for 2fa). However another option is google or maby twitter by adding a phone nunber and then deleting it in account settings however they can still have logged your phone number history so that does not do much but it is a thing atleast with twitter you can easily later delete your phone nunber in account settings and probally also with google so google is better than twitter. So the best options: google if you can bypass with a few hours or trust that they will not keep your phone number after you selete it in your account however thry probally will keep records on that so then probally to bypass it you need a few hours with totorials and try multible ones because they can easily be already patched. And discord if you do not want a phone number and there are still a lot of services that support discord but google is login support is more common. So just do one of these. and if you are going to also use discord normally just their service wich you stated you will not but maby after like a year you think different then you can also consider joining the techlore server. It is a long reply but i just wanted to make clear what is better then other options. Anyway thanks for reading.

1 Like

Also google supports loging in with there app on your phone or authenticator app or hardware key (if i am right)(they also support sms but please stay away from sms 2fa) thats all 2fa google supports if i am right

1 Like

This is not an issue with sign-in with apple btw. Other than only sharing email and name (you can edit/remove name and have the option to “hide my email”). Apple had clearly stated how they built the sso to minimise tracking apple can do in their white paper: https://www.apple.com/privacy/docs/Sign_in_with_Apple_White_Paper_Nov_2019.pdf

Perhaps the most significant privacy benefit of using Sign in with Apple is
that Apple does not participate in tracking or profiling users and does not seek
to profit from users’ personal data. Apple will not track users as they engage
with their favorite apps and websites, or gather insights about developer’s
businesses in the process. In fact, Sign in with Apple has been built from the
ground up to limit the amount of information Apple can access or store about
the user’s sign-in behavior.

When a user engages with a new app using Sign in with Apple, Apple generates
a unique token for the user/developer pair and stores the email address that
the user shares with the developer. This allows Apple to manage secure
authentication anytime the user needs to sign in, and allows the user to view
and manage their relevant account details. Any subsequent visits to an app can
be handled on device without sharing any additional information with Apple.
Developers can call a local refresh API (getCredentialsState) to confirm that
the user is still securely signed in to iCloud on the device and allow the user to
continue using the app seamlessly without ever reaching out to Apple’s servers
or sharing any additional information.

If an explicit sign-in is required to continue using an app—for example, to sign
in to a financial services app with a limited session length—the developer will
call an authentication request API (ASAuthorizationAppleIDRequest) that
returns a token from Apple’s servers to allow the user to quickly sign in again.
In this case, Apple receives basic information about the sign-in event, including
the IP address and the Apple ID being used, but deletes this information after
a maximum of 30 days.

When signing in using a non-Apple web browser or an app running on another
platform, Apple is not able to provide an equivalent to the local refresh API.
Therefore, developers will need to make a fresh authentication request each
time the user needs to sign in. The same token will be returned from Apple’s
servers and the same 30-day data deletion policy applies.
This is the extent of information that Apple collects regarding users’ activity
as they use Sign in with Apple. Apple does not provide any tracking tools to
developers or receive data from any analytics or advertising tools that might
be employed by any particular app. As a result, users can take advantage of
the convenience of Sign in with Apple with the peace of mind that Apple is
not tracking or profiling them.

(quoted from the whitepaper; tracking section)

Apple does not read or process any of the content of the email messages that
pass through the relay service, except to perform industry-standard spam
filtering that is required to maintain Apple’s status as a trusted email provider.
All email messages are deleted from Apple’s servers once they are delivered
to the user, usually in a matter of seconds.

(quoted from the whitepaper; Hide My Email section) note: this apply when you choose the hide my email option. Otherwise, it doesn’t make to sense to delete email from servers

imho i think apple sso is better than google sso. I don’t think it is available as nearly as google sso as op didn’t mention sign in with apple (still waiting for tech lore to add it. Hopefully this evidence support my claims of it being “the best privacy focused and most secure SSO implementation”). The same Authentication Services API also works seamlessly for passkeys.

1 Like

Yes but that is giving apple your data so first party privacy problem and apple is not the most trustworthy company

I believe they use the same standards, so would be just as secure… just cheaper as you don’t need to buy extra stuff!

It isn’t the most privacy focused company in the world but compared to Google, Meta, etc… they are miles ahead.

2 Likes

I always consider Google and Apple to be about the same… both collect a lit of first party data, but have some protections to prevent third-party collection; e.g., both Google + Apple Pay hide your card details from websites

1 Like

The main differences are Apple has a better track record, has privacy as one of its ‘values’ and has more privacy-oriented features.

1 Like

They are absolutely not the same. Google has one mission: mass surveillance. Their entire business model - from inception - was surveillance. Not so with Apple. No one cherishing privacy should touch any Google product with a ten-foot pole.

1 Like

That isn’t true.

Google (especially their approach to security) may be perfect for some people’s threat-model. Clearly not yours, but it doesn’t mean it doesn’t work for anyone.

2 Likes