Having to log into multiple websites can be a headache. You keep forgetting the passwords, and then you need to go through the lengthy process of resetting your password. That’s when a “Log in with Google” or “Log in with Facebook” seems like a solid option.
Yes, the single sign-on option offers you the convenience of continuing what you want to without a separate account and a new password to go with it. The single sign-on opportunities come with certain security benefits, but they aren’t a magic bullet to shoot down all the problems.
Big tech companies offer SSO options that provide many advantages, and they back the feature with solid security engineering before shipping it. Even so, let’s look at why relying on these logins might not be the best choice privacy-wise.
The Drawbacks of Single Sign-On Options
Single sign-on options indeed offer a lot of conveniences, but there are some inherent drawbacks. Should something go wrong, you have a single point of failure to deal with.
You end up exposing all the accounts you log into if the login details of any one of the accounts you use for SSO are stolen. Besides, apart from trusting the companies offering SSO with your privacy and security, you must trust the third-party websites as well when it comes to their proper implementation.
You make yourself vulnerable to credential stuffing and phishing: anyone who breaches the single password you rely on for SSO gains access to every account behind it. To tackle this, we suggest using a password manager that generates a strong, unique password every time you need one.
The Risks are Real
The risks involved aren’t imagined ones. In September 2018, Facebook disclosed a massive data breach that affected as many as 50 million users, exposing which accounts they had logged into using Facebook SSO. Facebook promptly invalidated the access tokens. The incident, however, underlines the ripple effects any consumer SSO breach can trigger.
Studies also found flaws in the implementation of consumer SSO in 95 web and mobile services. On quite a few sites, a logged-in user could change the email address used to access an account without having to re-enter the password. If you forgot to log out of one of your accounts on a library computer, an opportunistic attacker could take over the account simply by pointing it at their own email address.
A similar situation would arise if a significant data breach leaked your Facebook access token. There were also instances where a single sign-on was vulnerable to impersonation attacks launched by an attacker.
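The email-change flaw described above comes down to a missing re-authentication step on a sensitive operation. The following added example (not from the original article; account, session and handler names are hypothetical) models the flawed handler beside a hardened one that demands a recent password confirmation before the recovery address can be rotated:

```python
# Added example: re-authentication before changing an account's email address.
# Account, Session and the handler names are hypothetical, not any real site's API.
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

REAUTH_WINDOW_SECONDS = 300  # how recently the password must have been proven


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes

    def check_password(self, candidate: str) -> bool:
        return hmac.compare_digest(self.pw_hash, hash_password(candidate, self.salt)[1])


@dataclass
class Session:
    account: Account
    last_auth: float  # unix time the user last proved possession of the password


class ReauthRequired(Exception):
    """Raised when a sensitive change is attempted without fresh authentication."""


def change_email_vulnerable(session: Session, new_email: str) -> str:
    """Flawed handler: any live session, however old, may rotate the address."""
    session.account.email = new_email
    return session.account.email


def change_email_hardened(session: Session, new_email: str,
                          password: Optional[str] = None) -> str:
    """Hardened handler: stale sessions must re-prove the password first."""
    now = time.time()
    if now - session.last_auth > REAUTH_WINDOW_SECONDS:
        if password is None or not session.account.check_password(password):
            raise ReauthRequired("recent password confirmation required")
        session.last_auth = now  # record the fresh proof for the window
    session.account.email = new_email
    return session.account.email
```

A forgotten session on a shared computer is exactly the stale case: the hardened handler refuses the change until the real owner's password is supplied again.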
Issues with Account Recovery
Practical issues also crop up with many consumer SSO schemes when it comes to account recovery. Suppose you used Twitter to log into a platform where you had stored some songs. Years later, you feel like retrieving those songs, but you don’t quite know whether it’s Twitter or the site you stored the songs on that should help you.
There’s a real-world instance as well. In August 2020, Epic, the gaming company, announced that Apple would discontinue Sign in with Apple for Epic accounts. Apple had dropped the Epic game Fortnite from its App Store and then revoked Epic’s Apple developer program membership owing to disputes over in-game purchasing.
Epic was forced to scramble to give its users the means to replace their Sign in with Apple logins with other login options to prevent permanent loss of access.
Use Two-Factor Authentication for Enhanced Security
Experts suggest using two-factor authentication wherever the option is available. That’ll make your accounts far more secure and harder for attackers to compromise: even if they retrieve your password, they won’t get into your accounts without the additional token. As reported by Google, 2FA has significantly reduced account hijacking.
You also need to make sure you supply credentials only to secure websites over safe networks. For website security, check whether there is a padlock next to the domain name; it shows that your connection to the site is encrypted. For networks, a Virtual Private Network can help safeguard against accidental leaks.
Apart from hiding your IP address, the VPN encrypts the data traveling between your device and the internet, so no one, including your ISP, can track you online or snoop on your data. The robust encryption stops shady network operators and attackers from capturing your credentials over unsafe connections. Furthermore, if you notice that you cannot reach certain services and accounts on unfamiliar networks, a VPN will help unblock them; such filtering is common on institutional networks that aim to preserve bandwidth.
You may not have the time or energy to manage multiple passwords, so we suggest using a password manager together with 2FA to boost your login security. It’s also wise to use a VPN to hide your IP address so no one can track you online. One fundamental rule you should always follow: never reuse a password.