ITCOMO

Single Sign On


Single Sign On (SSO) is a decades-old security architecture whereby users may access multiple, possibly disparate resources, without having to sign into each one individually. It's widely used in corporate, education, and government environments as a convenience for administrators and users alike.

That sounds pretty neat, doesn't it?

And it is pretty neat -- in a controlled setting, like those described above, where user permissions are managed by the admins that run all the systems their users are able to access.

Over the last few years, we've seen third party login (consumer-level SSO) services offered to consumers by Google, Apple, Microsoft, and and several other companies. But is it a good idea to use them?

Let discuss all that.

{{brizy_dc_image_alt imageSrc=


The term SSO is more of an umbrella term which labels this idea of having a single authenticator verifying access to multiple resources. In the consumer space, it's not really called SSO. It goes by other names like "Identity Provider" (IdP) or sometimes "third party login".

But the pros and cons that I discuss below really applies to the entire concept of SSO, not just in the consumer space, so I'll be using that term.

How does SSO work?

a non-geek answer

When you sign-up and later access some random site or app (like a parking payment app) using an SSO provider, like Google, then what you are doing is using Google as the authenticator for that parking app. The sign up and and subsequent sign in process is being outsourced by the parking app to Google.

When you visit that site or app and login using Google SSO, the login itself takes place on Google's servers. Upon successful user validation, the SSO server sends a cryptographically signed "ok to proceed" message to the site using an API. You are then allowed access.

Many sites and apps like this arrangement because they can offload the responsibility for safely maintaining and verifying your credentials to someone else -- Google, in this case. That saves them money and the security headaches that come with credential management.

Without SSO, every last site and app that have user accounts would need to do all that work themselves. Obviously they'd rather not if they didn't have to. And with Google, Apple, and Microsoft (the three main SSO providers), they don't have to (as much). It's generally free to the developer for most consumer-facing apps. That's why we're seeing SSO sign-up options more often today.

To clarify, nearly all sites and apps needing user accounts are already handling this task. I'm not personally aware of any site or app that totally offloads user authentication to an SSO provider. But even partially offloading user authentication can be a big convenience for the app developers.

Pros and Cons of SSO


Here's some pros to SSO

Quicker, "one-click" account creation for a new account on a site without having to go through a full-sized setup where you provide an email address, think up a unique password then save it, verify yourself by entering a code sent to your phone or email, etc.

e.g. You're standing at a parking meter in freezing weather and realize you don't have enough coins to feed the meter. So, only now, you install the parking app used by your city. It would be mighty convenient to create an account using Apple SSO (assuming an iPhone) to create an account which also ties into your Apple Pay. A few clicks later and you're done. Compare that to a full sized account creation, typing in all the usual stuff, on a tiny phone screen with frozen fingers, verifying yourself, then adding a credit card, etc. What a PITA. I know which one I'd do!

Possibly not having to reenter credentials when accessing that account again later on, as long as you're already authenticated by your SSO provider.

Major SSO providers generally offer multiple, robust authentication mechanisms that other, minor websites might not, like MFA, passkeys, etc. As long as that minor site supports your SSO provider, they inherit their superior authentication capabilities at (probably) no additional expense.

Here's some cons to SSO

If your SSO provider is compromised, the potential blast radius is much larger. Bad actors could gain access to all downstream sites and services for which you chose to use that SSO. It'd be like a super losing the master key to their entire apartment building.

Instead, by having a unique password for each site then you are far better compartmentalized, limiting the scope of damage. This is more like the super having a protected key locker in their office, only removing the exact key they need to the apartment that needs service.

Major SSO providers are Google, Apple, Microsoft, Facebook, and several others. These tech companies aren't offering SSO from the goodness of their warm corporate hearts. Their prime motivation is engagement and entanglement. That basically means getting you hooked (engagement) and making it difficult to leave (entanglement) later on if you wanted to. Some downstream providers may possibly not even offer a way to convert over to a traditional old-school authentication method (dedicated username and password), in which case you'd be well and truly stuck.

If your SSO provider locks you out for whatever reason, legitimate or not, you could lose access to all downstream sites and services for which you chose to use that SSO. Google, Facebook, and others, are known to permanently lock out accounts if they catch the slightest whiff of fraud, true or not, and regaining access is basically impossible. At the very least, you'd have use the individual account recovery features of each downstream account which, by their very nature, are difficult to satisfy.

BOLO


An increasing number of sites today offer SSO on their sign-up screens. You'll know it's being pitched to you when you see verbiage like "Sign up using your Google account" and similar wording for Apple, Microsoft, possibly Meta, and others. Your last choice is generally "Sign up using your email address".


Be very careful here as many people choose the SSO method, especially Google, not fully understanding what is really happening.


First of all, the SSO choices are often shown first and more prominently, above the old-school "sign up using your email address" (or similar wording). That's a Dark Pattern.


Pay close attention. To a non-geek, "Sign up using your Google account" or "Continue with Google" sounds a lot like "Sign up using your email address" especially if your email address ends with @gmail.com as so many personal emails do today. A lot of people have stumbled into making an unintended choice without knowing what's really going on.

So here's what's going on:


"Sign up using your Google account" or "Continue with Google" -- This makes Google your SSO provider for this site or app. When you log in later, the site/app will redirect you to Google, and they will confirm your identity. You are tying this site/app account to that specific Google account. If you lose access to that Google account, regaining access to this site/app may become difficult or impossible.


"Sign up using your email address" -- This creates an account directly on the site/app itself, without using SSO. You choose an email address and password, and the site/app handles authentication on its own. It doesn't matter whether your email ends in gmail.com, outlook.com, yahoo.com, or anything else. The site is not delegating login to Google or any other provider.

Final Comments

If you follow good password hygiene then I generally lean against using SSO providers in most cases. That parking app might be an exception where the situational convenience outweighs the risks.

"Don't put all your eggs in one basket" the old saying goes. Segmentation is a component of good security practices.