If you’re drowning in website logins and constantly using Forgot My Password prompts to get into random accounts, a “Log In With Google” or “Log In With Facebook” button can look a lot like a lifeline. The services provide a quick way to continue whatever you’re doing without having to set up a whole account and choose a new password to guard it. But while these “single sign-on” tools are convenient, and do offer some security benefits, they’re not the panacea you might think.
The SSO schemes offered by big tech companies have some obvious advantages. For example, they’re developed and maintained by companies with the resources to bake in strong security features. Take Sign In With Apple, which lets you use Touch ID or Face ID to log into any number of sites.
But for all its convenience, consumer SSO has some real drawbacks, too. It creates a single point of failure if something goes wrong: every third-party site you sign into this way trusts the identity provider to vouch for you, so if the password or an access token for the account you use for SSO is stolen, all the other sites you used it to log into could be exposed. And not only do you have to trust the companies that offer SSO to protect your privacy and security, you also have to trust all the third-party websites offering these options to implement them correctly.
“It’s a tough one,” says Wendy Knox Everette, senior security advisor at the risk management and security consulting firm Leviathan Security. “If people were really good about using single-site passwords, then maybe making one-off accounts on third-party sites would make more sense. But people reuse them. So for me it depends.”
If one of your go-to passwords is compromised, credential stuffers and phishers can access all the accounts you secured with that password. The best way to get around that is to use a password manager, which creates strong, secure passwords wherever you need them. (You can find our favorites here.) Like SSO, password managers can also become a single point of failure if an attacker takes over control of your devices or steals your unique master password. But unlike single sign-on setups, a password manager doesn’t require you to rely on multiple random entities across the web.
The inherent risks aren’t just hypothetical. In September 2018, Facebook disclosed a massive data breach that impacted at least 50 million of its users and, among other things, put at risk any other account those people had logged into using Facebook SSO, since the stolen access tokens could also be presented to third-party sites. Facebook invalidated the access tokens as soon as it detected the breach, but the incident underscored the potential ripple effects of any consumer SSO breach.
A 2018 study also found numerous errors in how 95 web and mobile services implemented consumer SSO. On more than a dozen of the sites, a logged-in user could change the email address associated with the account without needing to reenter the password. If you accidentally left yourself logged into an account on a library computer, or your Facebook access token were to get leaked in a massive breach, an attacker could opportunistically swap in their own email address and, from there, take control of your account. In other cases, the researchers found SSO implementations that opened the door to impersonation attacks.
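The account-settings flaw described above is a missing step-up check: the site accepts a live session as sufficient proof of identity for a change that should require the user to prove who they are again. The following Python is an added example (not code from the study or from any of the sites it examined) that models a relying party with the flagged pattern next to a hardened version. The hardened version demands a recent explicit authentication, either a password or a fresh identity-provider assertion of the kind an OpenID Connect relying party gets back when it requests `prompt=login` or `max_age=0`, and stages the email change behind a confirmation sent to the new address plus a notice to the old one. The five-minute freshness window, account data, clock and the `ReauthRequired` exception are assumptions made for the example; verification of the ID token's signature and audience is assumed to have happened before the claims reach `reauth_with_sso`.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

REAUTH_MAX_AGE = 300  # assumed policy: seconds since the last explicit authentication


class ReauthRequired(Exception):
    """Caller holds a valid session but must prove identity again."""


@dataclass
class Account:
    user_id: str
    email: str
    password_hash: Optional[bytes]   # None for accounts that only ever used SSO
    salt: bytes
    idp_subject: Optional[str]       # stable subject ("sub") at the identity provider
    pending_email: Optional[str] = None
    pending_token: Optional[str] = None


@dataclass
class Session:
    user_id: str
    auth_time: float                 # when the user last actively proved identity


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountService:
    def __init__(self, accounts: Dict[str, Account], now=time.time):
        self.accounts = accounts
        self.now = now
        self.notices: List[Tuple[str, str]] = []   # (recipient, message): stand-in for outbound mail

    def change_email_vulnerable(self, session: Session, new_email: str) -> str:
        """The flagged pattern: any live session may rebind the account's email."""
        self.accounts[session.user_id].email = new_email
        return "changed"

    def change_email(self, session: Session, new_email: str) -> str:
        """Hardened: require fresh re-authentication, then confirm via the new address."""
        acct = self.accounts[session.user_id]
        if self.now() - session.auth_time > REAUTH_MAX_AGE:
            raise ReauthRequired("re-enter your password or sign in with your provider again")
        acct.pending_email = new_email
        acct.pending_token = secrets.token_urlsafe(32)
        self.notices.append((new_email, f"confirm:{acct.pending_token}"))
        self.notices.append((acct.email, "your email is being changed; contact support if this was not you"))
        return "verification_sent"

    def confirm_email_change(self, user_id: str, token: str) -> bool:
        acct = self.accounts[user_id]
        if acct.pending_token is None or not hmac.compare_digest(acct.pending_token, token):
            return False
        acct.email, acct.pending_email, acct.pending_token = acct.pending_email, None, None
        return True

    def reauth_with_password(self, session: Session, password: str) -> bool:
        acct = self.accounts[session.user_id]
        if acct.password_hash is None:
            return False   # SSO-only account: there is no password to re-enter
        if hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
            session.auth_time = self.now()
            return True
        return False

    def reauth_with_sso(self, session: Session, id_token_claims: dict) -> bool:
        """Accept only a *fresh* assertion for the linked subject, not the session's old token."""
        acct = self.accounts[session.user_id]
        if acct.idp_subject is None or id_token_claims.get("sub") != acct.idp_subject:
            return False
        if self.now() - id_token_claims.get("auth_time", 0) > REAUTH_MAX_AGE:
            return False   # provider reports a stale login: make the user log in again
        session.auth_time = self.now()
        return True


def demo() -> dict:
    """Walks an hour-old SSO session through the vulnerable and hardened flows (constructed data)."""
    clock = [1_700_000_000.0]
    svc = AccountService({"u1": Account("u1", "alice@example.com", None, b"salt", "idp-sub-42")},
                         now=lambda: clock[0])
    stale = Session("u1", auth_time=clock[0] - 3600)   # left logged in an hour ago
    results = {"vulnerable": svc.change_email_vulnerable(stale, "attacker@example.net")}
    svc.accounts["u1"].email = "alice@example.com"     # reset for the hardened run
    try:
        svc.change_email(stale, "attacker@example.net")
        results["hardened_stale"] = "changed"
    except ReauthRequired:
        results["hardened_stale"] = "reauth_required"
    results["stale_sso"] = svc.reauth_with_sso(stale, {"sub": "idp-sub-42", "auth_time": clock[0] - 3600})
    results["wrong_sub"] = svc.reauth_with_sso(stale, {"sub": "idp-sub-99", "auth_time": clock[0] - 5})
    results["fresh_sso"] = svc.reauth_with_sso(stale, {"sub": "idp-sub-42", "auth_time": clock[0] - 5})
    results["hardened_fresh"] = svc.change_email(stale, "alice.new@example.com")
    results["email_before_confirm"] = svc.accounts["u1"].email
    token = svc.notices[-2][1].split(":", 1)[1]
    results["bad_token"] = svc.confirm_email_change("u1", "not-the-token")
    results["confirmed"] = svc.confirm_email_change("u1", token)
    results["email_after_confirm"] = svc.accounts["u1"].email
    return results
```

Running `demo()` shows the contrast the study drew: the vulnerable handler rebinds the email on a stale session, while the hardened handler refuses until a fresh password or a fresh, subject-matched provider assertion arrives, and even then leaves the old address in place until the new one is confirmed.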
“In general, I’m against consumer SSO schemes because they not only present a single point of failure, but because they also enable additional attacks that are not feasible with traditional password-based authentication,” says Jason Polakis, a researcher at the University of Illinois at Chicago and one of the authors of the study. “I feel that we are at a point where password managers have matured and are user-friendly enough for us to start educating users about them and pushing for their adoption.”