Single sign-on is a convenient way to sign in to a food delivery app or an e-shop, especially since most of us are happy to reuse passwords. Relying on Facebook or Google for every step we take online, however, comes with its own risks.
A while ago, Twitter user Steve, a hacker, posted an example of the sign-in options he was presented with when trying to create an account. It showed that you could sign in to a third-party website with eight different logins, from Amazon to Google. He argued that if the user is given a raft of buttons, someone will get phished.
Many online services, especially free or personalized ones, require you to register. Some people simply reuse the same password everywhere; others choose to sign in with their Facebook or Google account. While this is convenient, cybersecurity experts frown upon the practice. CyberNews talked to industry professionals to find out whether we should ditch single sign-on (SSO) altogether.
Logins have always been a critical security component, and there has been a big push to unify them through SSO. The big tech players have certainly simplified the experience for us. But do you trust them with all your accounts?
What’s the trade-off?
“For the average user, the use of these logins is great. They are simple and readily have enabled features that you might not see on every site with an independent login. Examples include two-factor authentication, history of use, where logins are coming from, and notifications of suspicious activity,” Ric Longenecker, CISO at Open Systems, told CyberNews.
There is a trade-off for this, however. You’re trusting all your logins to these companies, and you’re becoming more dependent on them.
“Additionally, they have further insight into some of your data and usage of different apps or sites across the internet. If you’re worried about privacy, this isn’t for you – although Apple claims to run the service in a way that is about as private as things can get,” he said.
Moreover, notification previews, including messages and 2FA codes, can appear on a phone's lock screen without it being unlocked. If you sign in everywhere through one provider, a malicious actor who gets hold of your phone can use those previews to get into that provider's account, and with it every service linked to it.
Overall, Longenecker thinks the trade-offs and extra features/security are suitable for most users. “Personally, I don’t use this for anything that I would want to keep more confidential or separate. Instead, I opt for a password manager and have a strict habit of recording and keeping track of all accounts,” he added.
Although they’re highly convenient, SSO authentication schemes present significant safety and privacy concerns, reckons Justin Lie, Founder & CEO at SHIELD.
“If you log into multiple websites using Google, you are relying on that organization to secure each of your accounts. But what if your Google account is compromised? SSO is a master key that opens many doors. If that key is lost, stolen, or duplicated, everything behind those doors is at risk. By using SSO, you are also letting these organizations know exactly which services and websites you use. This is already resulting in significant privacy concerns. When presented with an SSO option, it’s essential to balance convenience with security,” Lie said.
“A bad idea on so many levels”
"As far as I can tell, the ONLY pro to signing in with other accounts is user convenience, though, in my opinion, the real convenience is for cyberattackers, and any convenience gained for the user is washed away by the greatly increased likelihood of being impacted by cybercrime," Josh Eklow, Marketing Manager at onShore Security, told CyberNews.
He had sometimes used this as a crutch when logging into a site he doesn't plan to use often, but "it seems to be a bad idea on many many levels."
According to Eklow, while significant breaches like the one at Twitch make the news, many smaller sites that get breached don't. And you might not even remember all the accounts you registered for.
"Forgotten accounts are one thing, but this method of logging in can also lead to unknowingly and accidentally creating an account. For example, with Medium, if you use any of those methods to log in and haven't done so before, it automatically makes a new account for you. Stel Valavanis (Eklow's colleague) had four Medium accounts, and I think three of them were created this way automatically. Now you have accounts that you didn't even realize you've created (and don't know you have to protect), ready to be taken over by hackers without your awareness," he explained.
Linking accounts in this way also means that if the account you sign in with is compromised, threat actors can get into every service connected to it.
"This method of logging in would also seem to make it easier for a user to be tracked across services, both by bad actors and those offering the services (especially on platforms like Twitter and Facebook where the user IS the product). This is certainly a privacy concern," he added.
The alternative is, of course, to use a unique password for every account you create. A password leaked from one site is then useless for getting into any other. To keep track of all those complex passwords, you might want to consider a good password manager. Eklow, however, does not recommend browser-based managers.
“Browser-based password managers may seem safe but rely on the same security as the email used to log in to things to protect the passwords. If your Google password becomes known, your browser password locker is owned (another reason not to use Google accounts to log into other sites)," he added.
Don’t reuse passwords
But the reality is that people reuse passwords constantly. According to NordPass research, 63% of people reuse passwords. Moreover, three-quarters of the most popular passwords can be cracked instantly.
“Many individuals see it as the responsibility of businesses to keep their data safe. As such, single sign-on services offered by Facebook and Google have thrived as a popular way for people to manage their credentials without having to create or reuse passwords,” Matthew Gracey-McMinn, Head of Threat Research at Netacea, told CyberNews.
He explained that the Google and Facebook sign-in buttons on other websites work as a form of identity management. The website never receives your password. Instead, after you authenticate with Facebook or Google, the provider issues a short-lived authentication code that confirms your identity to the website and grants you access. This means your credentials stay with Facebook or Google rather than with a website that may not have equally strong security practices in place.
However, neither Facebook, Google, Apple nor any other big tech company is unhackable.
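To make the mechanism described above concrete, here is a small simulation of the authorization-code flow behind a "Sign in with X" button. It is an added example, not code from the article or from Google or Facebook, and the provider name, client, user and key are all constructed for illustration. It shows what the quote says in prose: the third-party site (the relying party) only ever handles a one-time code and a signed identity token, never the password, and the code is bound to one client, one login attempt and one use. The one deliberate simplification, flagged in the comments, is that the token is HMAC-signed with a key the relying party is assumed to have been given out of band; real OpenID Connect providers use asymmetric signatures that sites verify against the provider's published public keys.

```python
# Added example (not from the article): a minimal authorization-code flow.
# All names, secrets and users below are constructed for illustration.
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class IdentityProvider:
    """Stand-in for Google/Facebook: holds the password, issues codes and signed ID tokens."""

    def __init__(self, issuer: str):
        self.issuer = issuer
        self.signing_key = secrets.token_bytes(32)  # assumption: shared with the RP out of band
        self._users = {}      # username -> (salt, pbkdf2 hash); the password never leaves here
        self._clients = {}    # client_id -> (client_secret, registered redirect_uri)
        self._codes = {}      # code -> pending grant (single use, short-lived)

    def register_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def register_client(self, client_id: str, client_secret: str, redirect_uri: str) -> None:
        self._clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, username, password, client_id, redirect_uri, nonce) -> str:
        """The user's browser sends credentials to the IdP only; the RP gets back a one-time code."""
        _, registered_uri = self._clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri does not match the client's registration")
        salt, stored = self._users[username]
        if not hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"sub": username, "client_id": client_id, "nonce": nonce, "exp": time.time() + 60}
        return code

    def token(self, code, client_id, client_secret) -> str:
        """Token endpoint: redeem a code once, only by the client it was issued to."""
        grant = self._codes.pop(code, None)  # pop makes the code single-use
        if grant is None or grant["exp"] < time.time():
            raise PermissionError("unknown, already used or expired code")
        if grant["client_id"] != client_id or not hmac.compare_digest(self._clients[client_id][0], client_secret):
            raise PermissionError("code was not issued to this client")
        claims = {"iss": self.issuer, "sub": grant["sub"], "aud": client_id,
                  "nonce": grant["nonce"], "exp": int(time.time()) + 300}
        body = b64url(json.dumps(claims, separators=(",", ":")).encode())
        sig = b64url(hmac.new(self.signing_key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


class RelyingParty:
    """The third-party site: sees a code and a verifiable token, never the user's password."""

    def __init__(self, client_id, client_secret, redirect_uri, idp: IdentityProvider):
        self.client_id, self.client_secret, self.redirect_uri, self.idp = client_id, client_secret, redirect_uri, idp
        self._pending = {}  # state -> nonce, one entry per login attempt we started

    def start_login(self) -> dict:
        """Build the parameters that go into the 'Sign in with X' redirect."""
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self._pending[state] = nonce
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri, "state": state, "nonce": nonce}

    def finish_login(self, code: str, state: str) -> str:
        """Callback handler: check state (CSRF), exchange the code, verify every claim."""
        nonce = self._pending.pop(state, None)
        if nonce is None:
            raise PermissionError("callback carries a state we did not issue")
        id_token = self.idp.token(code, self.client_id, self.client_secret)
        body, sig = id_token.split(".")
        expected = b64url(hmac.new(self.idp.signing_key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):
            raise PermissionError("bad token signature")
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        if (claims["iss"] != self.idp.issuer or claims["aud"] != self.client_id
                or claims["nonce"] != nonce or claims["exp"] < time.time()):
            raise PermissionError("token claims do not match this login attempt")
        return claims["sub"]


def demo() -> dict:
    """Run one login end to end, then show the code cannot be replayed."""
    idp = IdentityProvider("https://idp.example")            # constructed issuer
    idp.register_user("alice", "correct horse battery staple")
    idp.register_client("shop", "shop-secret", "https://shop.example/cb")
    shop = RelyingParty("shop", "shop-secret", "https://shop.example/cb", idp)
    req = shop.start_login()
    code = idp.authorize("alice", "correct horse battery staple", req["client_id"], req["redirect_uri"], req["nonce"])
    user = shop.finish_login(code, req["state"])            # "shop" learns who alice is, not her password
    try:
        idp.token(code, "shop", "shop-secret")               # second redemption of the same code
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return {"user": user, "replay_rejected": replay_rejected}
```

Running `demo()` returns `{"user": "alice", "replay_rejected": True}`. The checks in `finish_login` are the ones that matter in practice: a callback whose `state` the site never issued is dropped, a token issued for a different site (`aud`) or a different login attempt (`nonce`) is rejected, and an expired or replayed code is refused by the provider.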
“If you’re completely reliant on Facebook or Google, you’re putting all your eggs in one basket. Even with all the security in the world, cybercriminals have been able to breach Facebook in the past and steal credentials. And then, of course, there’s the human element. Even without a large-scale breach or credential stuffing attack, cybercriminals can guess your Facebook or Google password through phishing attacks or social engineering methods and gain access to your account,” Gracey-McMinn explained.
Besides using strong, unique passwords and a password manager, you can go passwordless.
“Passwordless solutions like decentralized and self-sovereign identity are even better because they offer stronger security and maintain privacy, unlike Facebook or Google, who will collect data on you and use it for ad targeting in exchange for keeping your credentials safe,” Gracey-McMinn said.