So Over SSO

Jul 07, 2013

technology software

One of the things that really irks me almost daily is the incessant use of SSO ¹ services such as Facebook, Twitter, and Google by external services. These are services whereby they do not require you to setup your own account on their system and, instead, ask you to sign in with an existing account through Twitter or any of the other authentication providers. This in turn is supposed to keep your authentication details private from external services.

I know a thing or two about SSO. I built one from scratch at UBC, providing centralized authentication to the entire campus. In this case, I enjoy the usage of SSO because one campus (or entity) should have exactly one way of authenticating someone. I do not agree with sharing the authentication details outside of an organization, no matter what the relationship.

My major painpoint with SSO is that provides an air of security to the common user, when the real problem is the user themself. Many people do not practice proper password safety, using a significantly strong password to evade any attacker. If someone is able to decrypt or guess a password, now that attacker has access to everything the SSO account is attached to. Maybe your Twitter account is attached to a couple blogging accounts, and a commenting account. Now they are all under the attacker's control.

To defeat this I have always created separate accounts on each system I use. Each account uses a different password, and each password is logged into a password wallet. I'm always surprised when I hear how poorly people store their password, usually using one of those sticky note applications built into an operating system. I realize that there is a balance that needs to be struck between ease of use and security, but in the day and age when most information is accessible over the Internet, I'll gladly jump through a few hurdles in order to protect my security.

Footnotes