Think Twice Before Using Facebook, Google, or Apple to Sign In Everywhere

WIRED

Illustration: Elena Lacey

If you’re drowning in website logins and constantly using Forgot My Password prompts to get into random accounts, a “Log In With Google” or “Log In With Facebook” button can look a lot like a lifeline. The services provide a quick way to continue whatever you’re doing without having to set up a whole account and choose a new password to guard it. But while these “single sign-on” tools are convenient, and do offer some security benefits, they’re not the panacea you might think.

The SSO schemes offered by big tech companies have some obvious advantages. For example, they’re developed and maintained by companies with the resources to bake in strong security features. Take Sign In With Apple, which lets you use TouchID or FaceID to log in to any number of sites.

But for all its convenience, consumer SSO has some real drawbacks, too. It creates a single point of failure if something goes wrong. If your password or access token gets stolen from an account you use for SSO, all the other sites you used it to log in with could be exposed. And not only do you have to trust the companies that offer SSO to protect your privacy and security, you also have to trust all the third-party websites offering these options to implement them correctly.
