What Is SSO, and Is It Really Safe? (2024)

If you’re a Google, Microsoft, or Apple customer, you’re used to logging in once to access every app from that provider. For example, if you’re using Gmail, you don’t need to log in separately for Google Drive. Single sign-on (normally written SSO) aims to make life easier, but how does it work?

What Is SSO?

From the user’s side, single sign-on is pretty simple. You sign in to one service and all related services unlock for you, too. So enter your credentials into your Windows laptop and all of Microsoft’s services are open to you. Some companies, like Google or Facebook, even let you use your credentials to log into other services that aren’t directly related.

Note, though, that you don’t confuse SSO with password managers. SSO replaces your credentials—more or less—while password managers keep your credentials in place but log you in automatically.

How Does SSO Work?

Normally, every service you use that requires you to log in will have a separate set of credentials, usually a username or email address and a password. When using SSO, your “main” service (let’s call it site A) will replace another service’s (site B) set of credentials with what’s called a token, a small digital information set.

Next time you log into site B, instead of typing in your username and password, instead site A’s token will log in for you. It all happens behind the scenes and is "seamless"; as a user, all you see is that you have one less step to complete. This sharing of tokens is sometimes referred to as a federated identity.

Under the hood, SSO works in a few different ways. It’s offered as a service by other companies, like Auth0 by Okta, so you can quickly set it up without having to deal too much with the tech. Alternatively, if somebody in an organization is savvy enough, SSO can be set up through protocols like Kerberos or SAML (which powers Auth0 and services like it).

Who Uses SSO?

In a way, everybody uses SSO in some form or another, including you. All Big Tech firms use it to make sure customers can access all their different services smoothly, without needing to constantly re-enter passwords. Google, Microsoft, Atlassian, the list goes on. If you’re working in a large corporation, chances are you use SSO too, as many companies like to use SSO on internal networks to make sure staff can switch smoothly between applications.

Does SSO Have Downsides?

At first glance, there aren’t many downsides to using SSO. After all, who doesn’t like seamless switching between apps? However, when using SSO, you’re reducing your security to a single point of failure: where there were many different passwords an attacker would have to crack, now there’s only one.

Worse yet, once an attacker has control of that account and its associated tokens, you lose control over all of them. After all, the token is the only way you can gain access to those accounts. There’s no way to reset your accounts, like if your password manager were breached. This is also why you should never take up Google and other firms to sign in for you.

Is SSO Safe?

While SSO is no doubt extremely convenient, we generally recommend not using it unless it’s unavoidable. Having all Google or Microsoft services under one roof makes perfect sense, but we wouldn’t tokenize our entire security net for the sake of convenience. If somebody were to crack your Google password, every single one of your linked accounts would be vulnerable.

Instead, we recommend you use one of the best password managers instead. They will give you the same seamless experience as SSO, and for more sites, but offer much greater security.