The option provides a fast way to get on with whatever you're doing without having to set up a full account and pick a new password to secure it. But while these "single sign-on" tools are convenient and offer some security benefits, they're not the cure-all you might think.
The SSO systems offered by big tech companies have some obvious advantages. For one, they are developed and managed by businesses with the resources to bake in robust security features. Take Sign In With Apple, which lets you use Touch ID or Face ID to log into any site.
For all its usefulness, though, consumer SSO has some real disadvantages, too. It creates a single point of failure if anything goes wrong. If your password or access token is stolen from an account you use for SSO, every other site you used it to log into could be exposed. And not only does a user have to trust the companies offering SSO to protect their privacy and security, they also have to trust every third-party website implementing these options to do so correctly.
Wendy Knox Everette, senior security advisor at the risk management and security consulting firm Leviathan Security, says it's a tough call. If users were diligent about using a unique password for every site, creating one-off accounts on third-party sites would make more sense. But users reuse them. So for her, it depends.
The inherent risks aren’t just theoretical
If one of a user's go-to passwords is compromised, credential stuffers and phishers can get into every account that user secured with the same password. The most reliable way around that is to use a password manager, which generates strong, unique passwords wherever the user needs them. Like SSO, password managers can also present a single point of failure if an attacker takes control of the user's device or steals the master password. Unlike single sign-on setups, though, a password manager doesn't require the user to rely on multiple unrelated entities across the web.
In September 2018, Facebook disclosed a massive data breach that affected at least 50 million of its users and, among other things, put at risk any other account those people had logged into using Facebook SSO. Facebook revoked the access tokens as soon as it detected the breach, but the incident showed the potential ripple effects of any consumer SSO breach.
A 2018 study also found various flaws in how 95 web and mobile services implemented consumer SSO. On more than a dozen sites, a logged-in user could change the email address associated with the account without re-entering the password. So if you accidentally left yourself logged in on a library computer, or your Facebook access token leaked in a large breach, an intruder could opportunistically take over your account. In other cases, the researchers found that multiple sites had implemented single sign-on in ways that opened the door to impersonation attacks.
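The two failure modes above, a leaked or stolen token (the Facebook incident) and a site that lets a logged-in session change the account email without re-entering the password (the 2018 study), share the same defensive fix on the relying-party side: treat an SSO session as "identity vouched for, but no local password seen", require a fresh password check before any sensitive account change, and keep sessions revocable so a leaked token can be killed. The following is an added illustration written for this page, not code from the article, the study or any vendor; the `AccountService` class, its method names, the five-minute re-authentication window and the sample user are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Sensitive changes are allowed only if the password was verified within this window
# (assumed value for the example).
REAUTH_WINDOW_SECONDS = 300


class ReauthRequired(Exception):
    """The session is valid, but the caller must re-enter the password first."""


class TokenRevoked(Exception):
    """The session token was revoked (e.g. after a breach) and must not be honoured."""


class AccountService:
    """Toy in-memory account and session store, constructed for this example."""

    def __init__(self):
        self.users = {}     # username -> {"email": str, "salt": bytes, "pw_hash": bytes}
        self.sessions = {}  # token -> {"username": str, "last_auth": float|None, "revoked": bool}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Salted PBKDF2; a real deployment would tune the iteration count to its hardware.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, username: str, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {"email": email, "salt": salt,
                                "pw_hash": self._hash(password, salt)}

    def _new_session(self, username: str, last_auth):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"username": username, "last_auth": last_auth, "revoked": False}
        return token

    def login_with_password(self, username: str, password: str, now=None):
        """Local login: the password was just checked, so last_auth is set to now."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(self._hash(password, user["salt"]),
                                                   user["pw_hash"]):
            return None
        return self._new_session(username, last_auth=now)

    def login_via_sso(self, username: str, now=None):
        """Federated login: the identity provider vouched for the user, but this site never
        saw a password, so the session starts with no recent local authentication."""
        if username not in self.users:
            return None
        return self._new_session(username, last_auth=None)

    def _session(self, token: str):
        sess = self.sessions.get(token)
        if sess is None:
            raise KeyError("unknown session")
        if sess["revoked"]:
            raise TokenRevoked()
        return sess

    def verify_password(self, token: str, password: str, now=None) -> bool:
        """Step-up check: on success, records the time of this fresh authentication."""
        now = time.time() if now is None else now
        sess = self._session(token)
        user = self.users[sess["username"]]
        if not hmac.compare_digest(self._hash(password, user["salt"]), user["pw_hash"]):
            return False
        sess["last_auth"] = now
        return True

    def change_email(self, token: str, new_email: str, now=None) -> bool:
        """Sensitive change: refused unless the password was verified recently."""
        now = time.time() if now is None else now
        sess = self._session(token)
        last = sess["last_auth"]
        if last is None or now - last > REAUTH_WINDOW_SECONDS:
            raise ReauthRequired()
        self.users[sess["username"]]["email"] = new_email
        return True

    def revoke_all_sessions(self, username: str) -> int:
        """Incident response: invalidate every outstanding token for the user."""
        count = 0
        for sess in self.sessions.values():
            if sess["username"] == username and not sess["revoked"]:
                sess["revoked"] = True
                count += 1
        return count
```

The point of the `last_auth=None` on an SSO session is that "logged in" and "recently proved possession of the password" are different facts; a forgotten library-computer session or a leaked token satisfies the first but never the second, so the email change is refused until the password is re-entered. Revocation is kept as a separate server-side flag rather than relying on token expiry, which is what lets a provider or site stop a leaked token immediately.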