Should You Stop Logging In Through Google And Facebook? Consider These Sso Risks Vs. Benefits

Uladzimir Zuyeu/iStock/Getty Images Plus

Follow ZDNET: Add america arsenic a preferred source on Google.

ZDNET cardinal takeaways

• Many sites fto you motion successful pinch an existing login from user SSO providers.
• This attack results successful a perchance risky centralization of your credentials.
• Passkeys let you to compartmentalize credentials, but SSO has its advantages.

Here connected ZDNET, I've been penning a batch astir passkeys -- nan FIDO Alliance-backed passwordless replacement for accepted usernames and passwords. As acold arsenic I'm concerned, each organizations and users connected nan net cannot make nan move soon enough. However, I was reminded of really challenging and lengthy that modulation will beryllium (sadly, 10 years is my estimate) erstwhile I precocious encountered warnings to alteration my password for ChatGPT. 

Also: How passkeys work: The complete guideline to your inevitable passwordless future

That ill-informed proposal turned up successful my article provender erstwhile nan usability of ChatGPT -- OpenAI -- announced nan time earlier Thanksgiving that immoderate of its customer information had been breached by threat actors. Between watching my turkey cook and preparing my broadside dishes, I rushed to my machine to alteration my OpenAI password. Not a infinitesimal to suffer erstwhile you get frightened for illustration that, right?

There was only 1 awesome problem: While I person a login to OpenAI, I abruptly realized I didn't person an OpenAI password. 

Wait. What?! How is that possible? Now what do I do? And why do freaky method emergencies for illustration this ever hap astatine nan worst imaginable time? And what benignant of hypocrite americium I to beryllium recommending passkeys to everyone while not utilizing a passkey to log into ChatGPT? At that moment, I couldn't retrieve whether aliases not OpenAI was enabling users to authenticate to its generative AI services pinch a passkey. If it were, there'd beryllium nary request to alteration my password. After all, pinch passkey-based logins, breaches for illustration these shouldn't matter astatine all. 

(Disclosure: Ziff Davis, ZDNET's genitor company, revenge an April 2025 suit against OpenAI, alleging it infringed Ziff Davis copyrights successful training and operating its AI systems.)

As it turns out, OpenAI is 1 of those work operators that allows you to registry and log successful pinch your existing Apple, Google, aliases Microsoft ID. I mention to these services arsenic user azygous sign-on (SSO) services. (My building "consumer SSO" is intended to separate nationalist SSO services from nan azygous sign-on solutions galore companies usage to manage identity and access, specified arsenic Okta's Identity Cloud and Microsoft's Entra.)

Also: The champion VPN services (and really to take nan correct 1 for you)

With a azygous credential for illustration your Google ID and password, you tin log into hundreds of net services, making user SSOs incredibly convenient. Instead of dozens of logins for different services, you trust connected one. But now that passkeys are each nan rage, are user SSOs really a bully idea? Or is it clip to destruct them from your credential guidance strategy?

Moving to passkeys is simply a privilege for everyone

I judge we should beryllium moving to nan passkey modular for each our logins (and that website and app operators should do much to promote this transition). However, we're not location yet, and we won't beryllium location anytime soon. There are a batch of cooks successful nan passkey kitchen, and their conflicting interests, opinions, and behaviors are an impediment to speedy adoption. 

One of nan large ideas down passkeys is how, pinch nan thief of your chosen passkey authenticator (many of which are built into nan technologies we already use), you tin create a abstracted non-transferrable, non-guessable, and particularly non-phishable personification credential for each tract aliases exertion (collectively, "relying parties") that you use. 

Also: What is simply a passkey authenticator? Only nan cardinal to our passwordless tomorrow

In fact, dissimilar usernames and passwords, nan passkey modular allows for nan creation of aggregate credentials per website aliases app. In that scenario, you could person 1 passkey for logging into Shopify from your desktop machine and different passkey for logging successful from your smartphone. Although pinch syncable passkeys, wherever a azygous passkey tin beryllium synchronized to aggregate devices, location are less reasons to return this approach. 

Passkeys aren't simply an alternate measurement to authenticate pinch your favourite relying parties. Passkeys are astir each users raising their individual operational information (aka "secop") to a higher level, wherever nan likelihood of their credentials being compromised is reduced to nil, making nan net a overmuch safer operating environment. 

Unlike passwords, passkeys are virtually unstealable. The concealed portion of nan passkey -- known arsenic nan backstage key -- ever stays pinch nan personification and is ne'er shared. Passkeys are not held by immoderate relying parties (the measurement passwords are), and passkeys are astir decidedly not shared pinch threat actors during a phishing attempt. The objection would beryllium when a threat character steals nan beingness instrumentality connected which your passkeys are stored, successful which case, hopefully, your instrumentality protection champion practices person you covered. 

As it turns out, nan proposal to alteration your ChatGPT password arsenic a consequence of nan OpenAI information breach was bad advice. Passwords were not among nan fields of information that were compromised. However, I learned 2 different things astir my ChatGPT login during this process.

Uncovering SSO challenges

First, erstwhile I primitively decided to effort ChatGPT, I elected to motion up utilizing 1 of nan user azygous sign-on (SSO) options disposable to me. A user SSO work for illustration those offered by Google, Microsoft, and Apple (see nan ChatGPT screenshot below) makes it very accelerated and easy for extremity users to log successful to their favourite websites, arsenic agelong arsenic those sites make nan action available, without needing to create a abstracted group of credentials for each of those sites. 

SSO intends you motion successful to a azygous personality guidance service; from there, you are automatically granted entree to nan sites that support that service. As Google is 1 of nan SSOs supported by OpenAI, and I'm ever logged successful to my Google account, a dedicated username and password for ChatGPT were unnecessary. At slightest that was nan lawsuit erstwhile I first started utilizing ChatGPT. Now, erstwhile I sojourn ChatGPT, it simply checks to spot if I'm already logged successful to my Google account. Somewhat for illustration passkeys, it conveniently ne'er asks for a username aliases password.

Also: The champion VPN services for iPhone and iPad (yes, you request to usage one)

Second, I learned that erstwhile you elite to log successful to OpenAI's services pinch 1 of nan supported user SSO providers, that determination is -- unluckily -- irreversible. You can't alteration your mind and spell backmost to establishing a dedicated group of credentials. (The action is disposable to you erstwhile you first motion up, arsenic shown successful nan redboxed area successful nan partial screenshot below.)

OpenAI, nan supplier of nan ChatGPT generative AI service, gives users nan action to log successful pinch their existing Google, Apple, aliases Microsoft logins. 

Screenshot by David Berlind/ZDNET

Consumer SSOs person been astir since nan early 2000s, agelong earlier passkeys entered nan scene, which raises an important mobility (one that's highlighted by nan irreversibility of my prime to log successful to ChatGPT pinch my Google SSO). 

Is it clip for users to commencement rejecting user SSO options altogether? 

Recall that 1 of nan large ideas down passkeys is that you tin create 1 aliases much of them for each relying statement that you log successful to. This rule is nan antithesis of user SSOs, where, theoretically, you person a azygous credential to your favourite user SSO provider, and that lone credential logs you successful to each of your different sites.

Also: How I easy group up passkeys done my password head - and why you should too

In fairness, there's nary logic you couldn't person a azygous passkey that logs you successful to a user SSO, which successful move logs you successful to each of your different relying parties. In fact, since I usage a passkey to log successful to my Google account, it's a roundabout measurement of securing my ChatGPT relationship pinch a passkey. 

All 3 user SSOs supported by ChatGPT -- Apple, Google, and Microsoft -- support passkey-based authentication. And they should. They're nan 3 starring proponents of passkeys astatine the FIDO Alliance. But, honestly, a portion of nan passkey ethos is that you get to return individual power of your integer footprint. Why should immoderate user SSO supplier get to cognize truthful overmuch astir you?

I began to wonderment astir nan grade to which you could beryllium centralizing your consequence of discuss to your online accounts done user SSO. For example, if a username and password-based login is disposable to my user SSO relationship (even if passkeys are simultaneously supported), what would hap if a threat character gained entree to my SSO username and password? 

What if a threat character grabbed my Google username and password? Theoretically, if my Google relationship wasn't secured pinch multifactor authentication (MFA), that threat character could besides summation entree to my ChatGPT relationship (and immoderate different relationship secured via my Google SSO). This is not to propose that Google's SSO work aliases immoderate of nan different competing offerings are insecure.  

A information paradox

In hunt of an reply to this paradox, I consulted pinch immoderate cybersecurity professionals.

"You're correct that 'Sign successful pinch Google/Apple/etc.' centralizes risk," said Cory Michal, main information serviceman astatine SaaS information solution provider AppOmni. "If that superior relationship is compromised, nan blast radius is bigger because it whitethorn unlock aggregate downstream services. That's a interest for much security-savvy users who already usage a password head and unsocial credentials to support accounts compartmentalized." 

"That said," continued Michal, "for astir people, nan 'sign successful with' action is simply a nett information win. The realistic replacement for them isn't 'perfect password and MFA hygiene,' it's anemic aliases reused passwords dispersed crossed tons of sites pinch uneven security. Centralizing authentication pinch a awesome supplier for illustration Google intends you besides centralize defenses, beardown MFA, anomaly detection, and amended relationship monitoring. So 'Sign successful pinch Google + beardown MFA for illustration a Yubikey only connected that account' is often 1 of nan safer options we person today."

SquareX laminitis Vivek Ramachandran noted that "SSO has importantly improved personification acquisition by allowing users to easy motion up to aggregate web services." (SquareX discovers browser vulnerabilities and past provides guidance solutions to mitigate those risks.)

Also: The champion password managers: Expert tested

"However, this creates a azygous constituent of nonaccomplishment should an attacker get entree to nan user's [SSO provider] credentials. This consequence tin beryllium importantly remediated by enabling MFA to forestall attackers from logging successful to their [SSO provider] pinch those stolen credentials. The secondary 'password' that MFA provides is non-trivial to bargain arsenic astir of them are delivered retired of set via mobile devices (SMS), authenticator apps, aliases hardware information keys."

Michal and Ramachandran concur that arsenic agelong arsenic nan credentials to your SSO supplier are highly well-secured, relying connected user SSO services arsenic a intends to centrally log successful to your favourite sites and applications pinch those credentials tin work. However, nan cybersecurity constitution has soured connected nan thought of utilizing MFA codes (also known arsenic "timed one-time passwords" aliases TOTPs) that are transmitted via email aliases SMS. Neither transmission is considered secure, and moreover pinch TOTPs that are generated by apps for illustration Google Authenticator, users person mistakenly revealed their TOTPs to threat actors. 

I find that it's easier connected my encephalon if I do things nan aforesaid measurement for each relying party. For example, if I person site-specific credentials for 1 relying party, but SSO-based credentials for another, I will excessively easy suffer way of which of my sites and apps dangle connected SSO and which do not. Based connected what I've seen from astir password managers, it is not a item that is easy tracked aliases managed. 

For example, when, aft a agelong clip of not utilizing ChatGPT, I attempted to log successful pinch a username and password, my password head sprang to life, but had thing to connection successful nan measurement of usable credentials. Maybe it should person said "Enabled for Google SSO." At slightest then, I'd person immoderate thought of what to effort next. 

Also: I'm ditching passwords for passkeys for 1 logic - and it's not what you think

By sticking to nan aforesaid believe of utilizing dedicated credentials for each site, I'm assured that my password head will behave predictably each time. I won't person to second-guess what to do to log successful to definite sites, and I won't person to prime from aggregate user SSO providers, since different ones are supported by different sites (some sites don't support immoderate astatine all). As Michal intimated, this automatically contains immoderate imaginable blast radius successful nan arena of a compromise. I for illustration to compartmentalize (as Michal put it). There are nary downstream effects. 

But, arsenic soon arsenic I spell disconnected that playbook, I cognize I'll get myself into trouble. Which is why I wish OpenAI would springiness maine nan action to revert to a modular MFA-based credential (or moreover better, a passkey option) from nan original SSO predetermination that I initially chose. However, according to OpenAI, location are nary plans to connection that capability.