Basically, yes. Technically there is no other way. But Facebook has many content from outside (links, images, videos, etc) which will not be visible so it may seen that Facebook is broken. Also, when the user clicks on any link which leads to a domain name outside Facebook, the splash page will come up. So at the end people will get frustrated that they cannot use the internet the way they want, and will authenticate via Facebook. It’s free so they don’t take too much risk.

Other social networks, like Twitter don’t have this problem as they are using a different host for authentication functions and you can only allow that host, not the Twitter site.