User authentication presents a number of problems for web developers. As the web has become richer, moving from static sites to interactive services, the need for identifying users has become prevalent. In theory, the problem is not a difficult one to solve: the user presents an identifying token, a username, for example, and a shared secret such as a password, which are matched against entries in a user database. Unfortunately, in practice, there’s a lot that can go wrong, from insecure transmission of tokens to the database breaches we hear about all too often. In fact, many security experts advise against sites attempting to implement their own authentication procedures if it can be avoided. There is too much at stake and the chances of making a mistake are too high to risk it.
Single sign-on services offer an alternative to self-designed log-in systems. Anyone with a social media account is familiar with how single sign-on services work. In that case, the social media platform acts as the identity provider, verifying the identity of signed-on users for the service provider. Single sign-on provides a number of benefits, but it is not a problem-free authentication mechanism.
The Benefits Of Single Sign-On
The obvious benefit to developers of using a single sign-on service is that they merely have to implement code to link their service to the authentication provider’s service, Facebook Connect, for example. That process is much less complex and time-intensive than building an authentication system from scratch. It’s also much less likely to result in a flawed authentication system: Facebook and the other SSO providers are likely to have significantly more resources to invest in getting it right than the average web service startup. An additional advantage is that web services don’t have to provide their own support for lost or forgotten usernames and passwords.
Many of the other benefits are from the user’s perspective, including:
No need to manage large numbers of passwords.
A simpler sign-up and login process, which can also be good for conversions.
Reduced exposure to the risks of data loss. Users already trust the identity provider.
The Disadvantages Of Single Sign-On
The major difficulties with single sign-on services should be apparent.
Sites will be giving away their user data to a third-party provider. For some sites that will not be an important consideration, but some may have a problem with handing over their user data to another company.
By choosing the right identity provider, a company can ensure that it covers a significant subset of its potential users, but that will by no means cover everyone. This leaves two options: implementing an additional authentication system, which is what the company was trying to avoid, or implementing as many SSO services as it feels necessary, which largely negates the simplicity benefits for users.
There is a single point of failure. If the SSO provider goes down, a site’s users will be unable to authenticate. If the SSO provider is hacked or breached, data loss may occur. SSO providers are a very juicy target for hackers, although they are also likely to have much better security than the average site.
SSO is likely to be more secure than implementing a home-grown authentication mechanism, but in some cases the disadvantages of relying on a third party are overwhelming. Given the obvious benefits, perhaps the use of SSO services should be the default option for most web developers, with self-implementation only being considered when it’s unavoidable.