So-called single sign-on options offer a lot of convenience. But they have downsides that a good old fashioned password manager doesn’t.
The inherent risks aren’t just hypothetical.
If you’re drowning in website logins and constantly using Forgot My Password prompts to get into random accounts, a “Log In With Google” or “Log In With Facebook” button can look a lot like a lifeline. The services provide a quick way to continue whatever you’re doing without having to set up a whole account and choose a new password to guard it. But while these “single sign-on” tools are convenient, and do offer some security benefits, they’re not the panacea you might think.
The SSO schemes offered by big tech companies have some obvious advantages. For example, they’re developed and maintained by companies with the resources to bake in strong security features. Take Sign In With Apple, which lets you use TouchID or FaceID to log into any number of sites.
But for all its convenience, consumer SSO has some real drawbacks, too. It creates a single point of failure if something goes wrong. If your password or access token gets stolen from an account you use for SSO, all the other sites you used it to log in with could be exposed. And not only do you have to trust the companies that offer SSO to protect your privacy and security, you also have to trust all the third-party websites offering these options to implement them correctly.
“It’s a tough one,” says Wendy Knox Everette, senior security advisor at the risk management and security consulting firm Leviathan Security. “If people were really good about using single-site passwords, then maybe making one-off accounts on third-party sites would make more sense. But people reuse them. So for me it depends.”
If one of your go-to passwords is compromised, credential stuffers and phishers can access all the accounts you secured with that password. The best way to get around that is to use a password manager, which creates strong, secure passwords wherever you need them. (You can find our favorites here.) Like SSO, password managers can also become a single point of failure if an attacker takes over control of your devices or steals your unique master password. But unlike single sign-on setups, a password manager doesn’t require you to rely on multiple random entities across the web.
The inherent risks aren’t just hypothetical. In September 2018, Facebook disclosed a massive data breach that impacted at least 50 million of its users and, among other things, exposed any other account those people logged into using Facebook SSO. Facebook invalidated the access tokens as soon as it detected the breach, but the incident underscored the potential ripple effects of any consumer SSO breach.
A 2018 study also found numerous errors in how 95 web and mobile services implemented consumer SSO. On more than a dozen of the sites, a logged-in user could change the email address associated with the account without needing to reenter the password. If you accidentally left yourself logged into an account on a library computer, or your Facebook access token were to get leaked in a massive breach, attackers could opportunistically take control of your account. In other cases, the researchers found that many sites had implemented single sign-on such that they created the potential for a hacker to launch impersonation attacks.
“In general, I’m against consumer SSO schemes because they not only present a single point of failure, but because they also enable additional attacks that are not feasible with traditional password-based authentication,” says Jason Polakis, a researcher at the University of Illinois at Chicago and one of the authors of the study. “I feel that we are at a point where password managers have matured and are user-friendly enough for us to start educating users about them and pushing for their adoption.”
Many consumer SSO schemes also present practical issues with account recovery. If you use Twitter to log into, say, a photo storage platform and years later lose track of your Twitter account, it’s difficult to know whether Twitter or the photo site is responsible for helping you troubleshoot. There may not be a way to restore access to your photos.
A real-world example of this came up earlier this month when the gaming company Epic warned that Apple was going to revoke Epic’s ability to offer Sign In With Apple. Apple booted Epic’s Fortnite game from the App Store in August and then cut the company’s Apple developer program membership over in-game purchasing disputes. Epic scrambled to offer resources for users to transfer their Sign In With Apple accounts to other login mechanisms so they wouldn’t permanently lose access. Ultimately, Apple extended Epic’s Sign In With Apple support and says it never intended to revoke it, but the incident highlighted the downsides of introducing a third party into account access.
For the average web user it may feel like there are a daunting number of factors in the choice of committing to a password manager versus using SSO. Either way, using two-factor authentication everywhere it’s offered will make your accounts more secure and much harder for attackers to phish—whether you’re adding a second authentication factor to individual accounts or to a high-value account that you use for single sign-on.
“It is impossible to be certain one is better than the other, because we can’t know all the details about how companies internally manage your credentials,” says Teri Radichel, CEO of the cloud security firm 2nd Sight Lab. “Additionally, each home user may have a more or less secure home network, and different password managers may be more or less secure. I choose not to count on any single source for all my password management.”
If you don’t have the time or energy to devote to worrying about the nuances, though, much less managing different passwords different ways, a password manager is a one-stop solution that’s always helpful—whether a certain site offers SSO or not. The one thing everyone can agree on? Don’t reuse passwords. Just don’t.
All Rights Reserved for Lily Hay Newman