Why Password-based Single Sign-On is a Bad Idea

Major technology brands – including Apple, Google and Facebook – are vying to dominate the so-called “single sign-on” race. Simply stated, password-based single sign-on allows individuals to use their existing login and password credentials from one of these major multinational technology brands to access third-party sites. This saves consumers the time and effort required to come up with new logins for every online service they may access.

Ideally, this is meant to prevent the creation and use of weak passwords that are so often quickly created and then forgotten for “one and done” or infrequently used services.

These major multi-national technology brands (we’ll just refer to them as MMTBs moving forward) are leveraging consumer fears and fatigue about hacking to convince users to put their faith into their universal presence and overall reputation, despite lingering privacy concerns that might apply.

Essentially, they want those who’ve adopted and rely on their technological ubiquity to trust them as their go-to source for collective account security. But collective account security takes on new meaning in today’s digital transformation environment. Employees are constantly interacting with third-party applications and services using static credentials, both on and off the clock, and a compromise on one side could likely put personal and enterprise network/data security at risk on the other.

While some versions of single sign-on use biometric authentication, such as Face ID and Touch ID for Apple devices, they otherwise conform to traditional password-dependent single sign-on practices. This is why I think single sign-on with passwords is a bad idea.

The MMTBs aren’t security companies. While at first glance this may appear obvious, your average user/employee is probably not taking into consideration that security and anti-fraud aren’t MMTB core offerings. Rather, this is a zero-sum game to sweep up as many users as possible while promising to deliver a simpler but safe experience. Yet, the promise rings hollow. Think about it: you wouldn’t go to a carpenter to get a root canal, why should you entrust the security of your enterprise’s network and critical data to the MMTBs?

Historically, security means less simplicity; the MMTBs don’t want the login/password process to be “too secure.” A higher standard of security comes with the potential to create more digital friction and impact the end-user experience. MMTBs would much prefer a simple single sign-on to a more vigilant approach that doesn’t depend on passwords as the first or only security factor, especially if it means users disengage in frustration or impatience and turn to the competition instead. In today’s unrelenting hacking environment, no business should feel comfortable trading security for easy access.

Password-based single sign-on greatly expands the attack surface. The problem with creating a single sign-on that handles multiple web services’ static password credentials is that the experience focuses on easing login headaches, not on the security of the brittle passwords themselves. Passwords cached in a platform are still vulnerable to breaches at other organizations or to being trafficked in the cybercrime underground.

One username and password combination for not only your MMTB account, but your bank, health provider, car/home insurer, etc., means hackers only have to break the code once to gain access to … well, pretty much everything. What’s more, it’s easier than ever to do this because…

The “Forgot password?” option is a hacker’s best friend. If attempts to gain account access through the use of phishing emails, keyloggers or credential replay attacks fail, cyber-criminals have the option of simply clicking the “Forgot password?” button. Many of the typical question prompts to reset passwords (“What is your mother’s maiden name?”, “What was the name of your first pet?”, “What is your favorite movie?”, etc.) can be answered simply by calling up and perusing information available via targets’ social media accounts.

MMTBs are data-hungry. Once MMTBs have your information, they can do all sorts of things with it – and some of these things aren’t good. Twitter, for example, recently admitted that it used emails and phone numbers entered for two-factor authentication to target ads to users. While Twitter claimed this was inadvertent and quickly corrected course, this development illustrates how easily information can be misused, especially when new revenue streams can result.

The bottom line: it all comes down to trust. Password-based single sign-on alone doesn’t raise the bar – in fact, it lowers it. Passwords themselves are rapidly becoming passé. As long as they’ve existed, hackers have had an entry point to compromise accounts and networks; that’s why the security industry is working on the next generation of authentication tools to eliminate passwords entirely.

The MMTBs have demonstrated extraordinary innovation in development of search engines, hardware, social media, mobile tech, digital entertainment and countless other offerings. Yet, by clinging to this outmoded form of authentication, they reveal that they continue to remain a step or two behind from a security perspective.

Until they evolve beyond usernames and passwords as the first security factor – you probably don’t want to trust they’re ready to protect you.
