Add single sign-on(SSO) section

[razac-elda]

Single sign-on is widely used and I think it is worth to explain what it is and discuss the advantages/disadvantages. Many times SSO is used within the same context like: social networks, development or Public Administrations.

[jonaharagon]

I'm not sure how we would address this, are you referring to public SSO providers like "Sign in with Apple", "Sign in with GitHub", etc., or private/enterprise SSO?

It could be worth noting that SSO could provide additional security if the SSO provider is more secure than the site you're signing into might be, but the privacy drawback would be having one central authenticator which has access to your other accounts and insight into when/where you sign in to them. I don't know where we would really address this topic on our site though.

[razac-elda]

Yes, I'm talking about public SSO providers. PrivacyGuides already describes account management(passwords, MFA) and SSO is part of that.

As you said some provider may be more secure than others but there are privacy issues, another thing to consider is using SSO for services owned by the same organization which will reduce complexity. I know people who only use SSO from Google or Facebook because they do not want to create passwords and that is a big privacy concern.

It could be a dedicated knowledge base or a section inside "Password Managers" recommendation.

[ph00lt0]

I don't think we should be recommending SSO. There are no good privacy friendly options here. They all add additional footprint. Security wise you may be right somewhat, however, if the website didn't implement security well, they may not do SSO well either. (I know the attack surface for that company would be lower). Generally people should use a password manager. If you do not your security will basically be terrible anyway. You should be using a password manager and let it generate your passwords, there is no excuse for not doing so.

[razac-elda]

I'm not saying we should recommend a SSO, just explain what the technology is and general info/concerns.

I do agree with you that a password based login system is what people should use, but there are situations where SSO makes more sense. For example, in my country we have a " Public Digital Identity System" for public administrations which allows you to use SSO for all gov servicies(some private ones too) and it's open source with high privacy standards. In this context having separate accounts would only add more complexity.

I know this example is only valid in my country but it demostrate that SSO is not something to ignore, it exists and people are using it without judgment.

[ph00lt0]

That surely is an interesting take on it, but I wonder what would you advise on it then? I guess if it's something the government provides for those cases you kinda have to use it no?

[razac-elda]

It is not mandatory and is still in the process of adoption, but it makes PA things easier. It's kinda pointless compare it with common websites SSO but it makes my idea of context easier to understand. Another example could be GitHub with other development tools, if I'm going to connect my GitHub account anyway then I might create an account with GitHub SSO directly.

My general opinion is that SSO in some context may be useful but we should not abuse it for everything or from anyone.