The truth about single sign-on (SSO)

Grace Roberts, 15 January 2021

SSO saves you headaches, but is it secure enough to hold all your secrets?

Do you ever “log in with Google” or “log in with Facebook” to access an account that’s not either of those two? If so, you have used single sign-on (SSO), and you probably chose that option because it saved you from having to create and remember yet another password for yet another account. That’s precisely the point of SSO — it’s a remedy for password fatigue. 

The history of SSO

According to Forbes, SSO was invented in the late 1980s as an identity and access management (IAM) system to help companies and government agencies consolidate all their employees’ login credentials into a single infrastructure. The workforce was beginning to go digital, and employers quickly saw a problem when their workers started keeping track of their multiple passwords on post-it notes around their desks. 

SSO simplified the process tremendously. Not only did it provide the convenience of a single authentication that unlocked multiple applications, but the reverse was also true – it was a one-stop shop to revoke all the privileges of an employee leaving the company. This was especially helpful to large enterprises where workers used dozens of applications. 

Today, people are juggling more passwords than ever, and SSO options have become ubiquitous. Users like to choose SSO because it’s less of a headache, and websites like to offer SSO because it reduces user friction, the degree of effort a user must put forth to access a site or app. 

The convenience of SSO is plain to see — but how secure is it? Some worry that SSO is vulnerable because, while brilliantly convenient, it is also all-inclusive of your online secrets. If one bad actor gets your SSO credentials, your entire digital life opens to them. Additionally, privacy advocates note that using Google or Facebook to log into a third-party site gives those internet giants more of your metadata and digital footprint.

FIDO's role in SSO

Enter the FIDO Alliance, an open industry association made up of over 200 companies and government agencies with a mission to “solve the world’s password problem.” The group’s website claims that passwords are the root cause of over 80% of data breaches. Its solution? Get rid of the passwords. 

FIDO developed an SSO that uses password-less authentication. Instead of a typed credential, it relies on biometrics like your fingerprint, your face, or your voice. It also offers second-factor authentication in the form of a security key that you plug into your device or computer. These methods mitigate many hacking tricks like credential stuffing, dictionary attacks, keystroke logging, and more. FIDO realized that the best way to authenticate a person is to use the actual person instead of an alphanumeric code that anyone could enter. 

As we move forward, this technology is only going to get more sophisticated. As we give hackers less opportunity to spoof our identities, we gain more control over our digital lives. For now, if you still use passwords, make sure you’re not reusing any across multiple accounts. And if you use SSO, protect that all-important authentication with two-step or multi-step verification.