By now you’ve most likely heard about the Facebook security breach that allowed hackers to not only take over the accounts of at least 50 million users, but also access third-party websites those users logged into with their Facebook credentials.
The service that was exposed is Facebook's implementation of an authentication process called "single sign-on", which lets a user access multiple applications with one set of login credentials (see below). This seems like a good idea until the outfit trusted with the "single" part gets hacked, and that is what happened to Facebook. As an article in The New York Times points out, single sign-on may not be such a great thing after all.
The codebase of these services [Facebook] is massive. You have different teams working on different components, and they can interplay in different ways, and you can have a crazy hack that no one expects.
— Jason Polakis / Computer Scientist at the University of Illinois at Chicago
Why You Shouldn’t Use Facebook to Log In to Other Sites
This is a classic you-had-one-job situation. Like a trusty superintendent in a Brooklyn walk-up, Facebook offered to carry keys for every lock online. The arrangement was convenient — the super was always right there, at the push of a button. It was also more secure than creating and remembering dozens of passwords for different sites. Facebook had a financial and reputational incentive to hire the best security people to protect your keys; tons of small sites online don’t — and if they got hacked and if you reused your passwords elsewhere, you were hosed.
But the extensive hack vaporizes those arguments. If the entity with which you trusted your keys loses your keys, you take your keys elsewhere. And there are many more-secure and just-as-convenient ways to sign on to things online …
What is single sign-on?
As the name suggests, single sign-on (SSO) is an authentication service that permits a user to access multiple applications with one set of login credentials (username and password). The user authenticates once, with the SSO provider; every connected application then accepts the provider's word that the user is who they claim to be, so no further login prompt appears when the user switches applications during the same session. The flip side is that those applications have no independent check of their own: if the provider issues an assertion to the wrong party, every application that trusts the provider accepts it. SSO is common in large companies, where employees must reach many internal resources and the organization wants a single place to enforce login policy.