No company, be it a startup or a conglomerate, has a perfect security system. Chipotle's payment system was hacked, OneLogin experienced a data breach, and even Google had a run-in with a bad phishing exploit that left thousands of accounts compromised from a shared document. In other words, I'm wary about giving any info to companies that don't have a track record of keeping it safe.
This is just to say all security is hard, and you should get into the habit of keeping your login information secure. Often that means not making a login in the first place. That's where single sign-on services come in. Not only are they more secure than a normal username and password combo, you'll have less login information to manage in the long run.
In short, single sign-on (SSO) services act as your username and password on supported websites: you log in with your primary account (from Google, Facebook, Microsoft and so on) instead of creating a new one.
One-Stop Security Check
Using a secure single sign-on service provided by Facebook, Google, Twitter or Microsoft — among others — provides a second level of security, more than you'll get from your run-of-the-mill site collecting user login data and storing it in less than ideal places, or with poor encryption standards.
Two-factor authentication is an added layer of security you should be using whenever possible. It prevents bad actors who gain access to your username and password from getting further into your account without a secondary form of identification — usually a text message from a phone or a randomly generated code from an authentication app.
If a site doesn't support two-factor authentication or single sign-on, be wary. Use a password manager (of course) to create a convoluted password, and if you're extra cautious, use a false email address (or one of the many email addresses provided by Gmail).
You Know What Data They Want
With single sign-on services, sites are required to tell you about the data they're taking and why. Just as installing an app may prompt you to give it microphone or contact access, signing in through a single sign-on service makes the site request data such as your email or contact list, or the ability to post to social sites on your behalf, and you can usually accept or reject those requests.
Cut Them Off With a Click
The killer feature of using a single sign-on provider is the ease with which you can revoke access to data, usually with just a few clicks. Ever try to cancel an account on some humdrum site? For me it usually means deciding to cancel your account only to be taken to a support page on a forum that tells you cancelling your account means emailing the customer support team, creating a ticket, making sure it gets deleted, not logging in to double-check it's gone due to the chance you may reactivate it, and hoping your data is destroyed in a timely fashion (it usually isn't).
Yesterday, The New York Times went deep into some of Uber's shady business practices. In the article, one small section revealed that one service we've talked about extensively over the years, Unroll.me, has been mining and selling off your email data, and Uber used that data to gain intelligence on Lyft.
Of course, using a single sign-on service gives companies access to information they may not normally be privy to, but the convenience of managing your sign-ins from fewer locations coupled with the increased security you'll have when using single, secure sign-on services like Google or Facebook means you can more easily find and delete the offender.
No More Passwords
Your password manager is a great repository for storing passwords, personal information, and other bits of detritus you'd rather get out of your head (like your library card number).
Your password security is only as strong as its weakest link. If you don't keep your passwords up to date, or if you make the error of reusing them on multiple sites, you're creating security holes that could be easily filled with something like a password manager.
But the best part of throwing your hands up in defeat and using a single sign-on provider like Google or Facebook? No. More. Passwords! Well, you'll have to know your Google and Facebook passwords, but other than that, any site using your single sign-on system won't require you to create another string of text and numbers to remember (or remember to generate and save).
A single sign-on service isn't immune to attackers, of course. In addition to following the steps outlined by your sign-on provider, you can further protect yourself from malicious attacks by using two-factor authentication, keeping your secondary contact information (like your alternate email) up to date, and having a hard-copy backup code.