Tags: security, authentication, facebook-login, user-accounts

Should user accounts be disabled if Facebook is the only login method


I've read about security best practices saying that inactive user accounts should be disabled and even deleted to avoid security issues like unauthorized use. I can see that being true for regular username and password authentication sites; however, my application was built to work only with Facebook groups, and as such the only way to log in or create a new account is to use the Facebook login.

The argument can be made that someone malicious could take control of one of my users' Facebook accounts and then use it to access my application. Although that is true, if they have control of a Facebook account my application would never know it's a malicious person, so I don't see that as a valid criterion to use in determining if the account should be disabled.

Furthermore, if a user is inactive and wants to become active again, since it's Facebook login there really is no reason for them to go through some kind of reactivation process like confirming their email or changing their password.

I must be missing something here because it's certainly mentioned as a best practice to disable accounts, but since my only login method is Facebook (OAuth) I can't come up with a valid reason to disable/delete inactive accounts.

Regarding other methods of unauthorized access, I have security measures in place, so I'd like to keep the answers relevant to the login method.

Please enlighten me if I've missed something.


Solution

  • If you have decided that your application needs to use Facebook authentication, then your system's identities will only be as traceable as Facebook's identity management permits. (And don't expect Facebook to help you by disabling / blocking users at their end ...)

    You need to design it accordingly:

    • Don't make any assumptions that users will behave properly.
    • Don't rely on login controls to keep out malicious users.
    • Put in your own (sufficient) defenses against malicious behavior into your own system.

    You are correct that disabling an account in your system won't achieve much if you also allow the user to (easily) re-enable it. Given that it is easy to create (effectively) untraceable Facebook accounts, the chances are that a typical malicious actor will not just rely on old accounts. They may use a brand new account and connect from an IP address that you have never seen.

    There are some things that you could do though. For example, implement mechanisms to do the following:

    • Make sure that users simply cannot upload dangerous content (e.g. files with trojans, web content with dangerous links or scripts).
    • Allow administrative locking of an existing account or OAuth identity.
    • Allow blocking of account creation or access from specified IP addresses or ranges.
    • Keep an audit trail so that you can watch the history of user behavior.
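One way to implement the last three mechanisms the answer lists (administrative lock on an OAuth identity, IP-range blocking, and an audit trail) while still letting a long-dormant account log back in without a reactivation step. This is an added example, not code from the original answer; it assumes Facebook's token has already been verified upstream and that the account store, blocklist and log are constructed in-memory stand-ins.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample store, keyed by the Facebook user id the OAuth flow asserted.
# "locked" is set only by an administrator, never by inactivity alone.
ACCOUNTS = {
    "fb:10001": {"locked": False, "last_login": "2019-01-01T00:00:00+00:00"},
    "fb:10002": {"locked": True,  "last_login": "2023-05-01T00:00:00+00:00"},
}
# Hypothetical admin-maintained blocklist (documentation-range addresses).
BLOCKED_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.7/32")]
AUDIT_LOG = []  # append-only trail of every decision, for later review


def audit(event, identity, ip, **extra):
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event,
             "identity": identity, "ip": ip, **extra}
    AUDIT_LOG.append(entry)
    return entry


def ip_blocked(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_RANGES)


def handle_login(fb_user_id, client_ip, allow_signup=True):
    """Decide what happens once Facebook has asserted fb_user_id from client_ip."""
    identity = f"fb:{fb_user_id}"
    if ip_blocked(client_ip):                      # blocks both signup and access
        audit("denied_ip_blocked", identity, client_ip)
        return "denied"
    account = ACCOUNTS.get(identity)
    if account is None:                            # first login creates the account
        if not allow_signup:
            audit("denied_signup_closed", identity, client_ip)
            return "denied"
        account = ACCOUNTS[identity] = {"locked": False, "last_login": None}
        audit("account_created", identity, client_ip)
    if account["locked"]:                          # admin lock wins over valid OAuth
        audit("denied_admin_lock", identity, client_ip)
        return "denied"
    # Inactivity is recorded, not punished: there is no password to re-verify.
    audit("login", identity, client_ip, previous_login=account["last_login"])
    account["last_login"] = datetime.now(timezone.utc).isoformat()
    return "ok"


def admin_lock(fb_user_id, admin, reason):
    """Administrative lock of an OAuth identity, with the actor and reason logged."""
    identity = f"fb:{fb_user_id}"
    ACCOUNTS[identity]["locked"] = True
    return audit("admin_lock", identity, None, admin=admin, reason=reason)
```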