Authenticating via other service providers
We currently support the following for signing in to Loco, and sharing basic profile data.
- Log in with GitHub
- Log in with Google
These services provide a faster way to sign up for Loco without waiting for an activation email. They also make logging back in to Loco more convenient when you're already logged in to the service provider.
Privacy and profile data sharing
As per our privacy policy, we only use personal data obtained from these services to provide signing in and signing up as described here.
When signing up via one of these services your email address will be obtained from the service provider and used to uniquely identify you within Loco. It's mandatory to have at least one email address linked to your Loco account, but you can change it at any time and continue to use the single sign-on functionality.
Other profile data obtained from these service providers is limited to your full name, profile picture and language/regional preferences. This data is merged into your Loco user profile, so we safeguard it just the same as if you'd given it directly to us. When logging back in via one of these services we may refresh your profile data, for example if you changed your profile picture since you last logged in.
The visibility of this data to other parties is only as described in our privacy policy and will generally be more private than the same data is in your external profile. This is because we restrict the personal profile data that other users can see. See the section on account profile data.
You can edit all your Loco profile data at any time by clicking "Personal profile" from the "Account" menu in the top-right of your dashboard.
Security and passwords
If you sign up for Loco via one of these providers we will still ask you to set a Loco password. This is in case your external account becomes unavailable for some reason. Although we don't store passwords in clear text, we still recommend you choose a password that differs from the one you use with the third party.
You can change your Loco password at any time by clicking "Personal profile" from the "Account" menu in the top-right of your dashboard, and selecting the "Security" tab.
Access tokens
When a service provider grants us an access token to query your data, we will store it. We use it only for the purposes described here. For example, we may need a token in order to display your current profile picture. Depending on the service provider, access tokens may expire but will be refreshed each time you use the service to log in to Loco.
You can always revoke Loco's access to your external profile by removing it from Loco (described below), or directly with the service provider.
Two-factor authentication
Logging in with one of these providers circumvents Loco's own 2FA (assuming you have it enabled). The reason for this is that security and authentication are being delegated to a third party in order to make it quicker and simpler to log in to Loco. We are trusting that your logged-in state with the third party is secure, and that they offer similar (or better) multi-factor authentication methods.
Managing identities
If you already have a Loco account you can add external identities at any time. Click "Personal profile" from the "Account" menu in the top-right of your dashboard and select the "Security" tab. This shows a list of your currently connected profiles. Click "Add a new identity" to connect another of the providers listed here.
You can remove identities from your profile at any time, but this does not remove any data obtained from the provider and copied to your Loco profile (such as your name and email). Disconnecting the provider means that we can no longer access your external identity and you will no longer be able to log in with it. Be sure you know your Loco password to avoid locking yourself out.
If you want to fully remove the data obtained from an external identity you can delete or change this directly in your Loco profile.
What about SAML?
Corporate provisioning and seat management using SAML is on our roadmap, but is not yet supported.