Why do I never use SSO?

Nowadays, most websites offer the option of logging in via Google, Facebook, Twitter, or other popular services. You can use one service to log in to other services. It's called SSO (single sign-on).

It's convenient. You are always logged in to your favourite service, and using it as a login method takes two clicks. You don't need to enter an e-mail and create a password, and you don't end up with hundreds of entries in your password manager.

If the account you use for login has a good password and two-factor authentication, it can be safe to use it. Popular services usually have good security.

So why don't I recommend it?

My data matters

Usually, to create an account, you need an e-mail and a password. When you use a social login, the provider can share more data with the website than you want, like location, interests, birthday, photos, and more. When you update your profile, every website where you use social login can receive the new data as well. In some cases that is convenient, if you want the same data on different sites, but are you sure you want it? I would say e-mail and password are enough for about 80% of the accounts I already have. I don't want to share more data if it's not required.

The SSO provider can also know what services I use.
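To make the "more data than you want" point concrete, here is an added example (not code from the original post) that takes the authorization URL a "Log in with ..." button redirects to and lists which identity claims each requested scope releases. The scope-to-claims table follows the standard OpenID Connect scopes (openid, email, profile, address, phone); the URL itself, the client id and the host are constructed for the example.

```python
"""Inspect what an OpenID Connect / OAuth 2.0 social-login request asks for.

Standalone example: the URL below is constructed, and the scope->claims map
follows the standard OpenID Connect scopes (openid, profile, email, address,
phone). Provider-specific scopes are reported as such.
"""
from urllib.parse import urlparse, parse_qs

# Standard OIDC scopes and the identity claims each one releases to the site.
OIDC_SCOPE_CLAIMS = {
    "openid": ["sub"],
    "email": ["email", "email_verified"],
    "profile": ["name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"],
    "address": ["address"],
    "phone": ["phone_number", "phone_number_verified"],
}

# The minimum a site needs to create an account: a stable id and an e-mail.
MINIMAL_SCOPES = {"openid", "email"}


def requested_scopes(authorize_url: str) -> list[str]:
    """Return the space-separated scopes from the 'scope' query parameter."""
    qs = parse_qs(urlparse(authorize_url).query)  # parse_qs decodes '+' as space
    return qs.get("scope", [""])[0].split()


def released_claims(scopes) -> dict[str, list[str]]:
    """Map each scope to the claims it releases; unknown scopes are flagged."""
    return {s: OIDC_SCOPE_CLAIMS.get(s, ["<provider-specific>"]) for s in scopes}


def excess_scopes(authorize_url: str) -> list[str]:
    """Scopes beyond what an e-mail-and-password signup would have collected."""
    return sorted(set(requested_scopes(authorize_url)) - MINIMAL_SCOPES)


# Constructed example request (hypothetical host and client id).
EXAMPLE_URL = ("https://idp.example.com/authorize?response_type=code"
               "&client_id=shop-app&redirect_uri=https%3A%2F%2Fshop.example%2Fcb"
               "&scope=openid+email+profile+address&state=xyz")

if __name__ == "__main__":
    for scope, claims in released_claims(requested_scopes(EXAMPLE_URL)).items():
        print(f"{scope:8} -> {', '.join(claims)}")
    print("beyond the minimum:", excess_scopes(EXAMPLE_URL))
```

Reading the consent screen is the user-side equivalent of this check: anything listed beyond a stable identifier and an e-mail address is data the site would not have received from a plain e-mail-and-password signup.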

Blocked/deleted account

Every service you use can block or remove your account. What then? It means you can't log in to the other services either. That doesn't sound good. Your account can be blocked for many reasons, and usually it's not easy to unblock it, if it's possible at all. I don't know about you, but that's too much of a risk for me.

Hacked account

What if the account or service you use to log in to other services gets hacked? If someone has access to it, they can log in to all your other services. That's even worse than a blocked account.

Deleting the service

Let's say you want to remove your Facebook account, or maybe Google decides to turn off its authentication service. It turns out that you used that service to log in to 200 other websites/services. Do you want to go to each one of them and update the authentication method? Do you remember them all? What if they don't have that option? I never want to do that.

What to use instead?

  1. Use a password manager like 1Password, Bitwarden, or KeePassXC and generate a unique password for each website. The password manager will create the password for you and fill it in next time, so you don't need to remember it. You only have to remember one password: the one to the password manager itself.
  2. Use two-factor authentication (2FA). You can use Google Authenticator, Authy, or 1Password. If the service supports it, it increases security: you need to provide your e-mail, password, and a 2FA code. If someone steals your e-mail and password, they still need the code from your app to log in.
  3. Use hardware authentication if possible. It's more secure than code-based 2FA. The most popular option is the YubiKey. Instead of entering a code from your app, you plug the YubiKey into a USB port (you can also use NFC). If someone has your e-mail and password, they can't log in without the YubiKey.

I use a password manager for all accounts and a YubiKey or 2FA where possible. If someone hacks one of the services I use, the other services are not affected, and I know the attacker can only steal the data I provided to that one service. The password manager also serves as a list of sites where I have accounts.