How Safe are the Top SSO Solutions?

By Evan Walters-Zucco

June 16, 2021

Single Sign-On solutions (SSOs) have become increasingly popular as concerns over cybersecurity and online privacy continue to grow. SSOs simplify the login process by eliminating the need for passwords. They generally increase security and protect user privacy, because cybercriminals typically target usernames and passwords: every time someone logs into a new account, there is a new opportunity for an attack. SSOs reduce the likelihood of these attacks by reducing the need for multiple usernames and passwords. This, coupled with the fact that approximately 53% of people admit to using the same password for multiple accounts, shows SSOs are not only safer but more convenient. Most people are oblivious to the dangers of using the same password or even weak passwords, and some simply view the task as too arduous. As a result, the SSO industry as a whole is expected to grow at a compound annual growth rate of 13.7% from 2021 to 2027. Although significant growth is often coupled with high-quality products, it is important to know what and whom you are trusting with your data. This becomes even more important as SSOs have become a target for many cybercriminals due to their centralized nature.

How Safe is OAuth?

OAuth is an open-standard authorization framework that details how unrelated servers or services can enable safe authentication to their servers or services without sharing the original logon credentials. OAuth is a great time saver, as it significantly reduces the number of usernames and passwords needed to log in to various places. The OAuth workflow runs as follows. First, the user requests a login. Then the user chooses a third-party authorization credential to use. Next, the authorization server creates an access token, which is sent to the resource server. Finally, after verifying the token, the resource server grants access. Such tokens are always encoded but are rarely encrypted. Despite having multiple steps, the process is extremely quick and much easier than remembering more usernames and passwords.
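The token step above, as an added example (not code from the original article or from any OAuth provider): a JWT-style token signed with HMAC-SHA256, showing that anyone holding the token can read its encoded claims, while the resource server accepts it only if the signature and expiry check out. The token format, the key shared between the two servers, and all names are assumptions of this example.

```python
import base64, hashlib, hmac, json

# Constructed demo key (assumption); a real authorization server keeps its key secret.
SIGNING_KEY = b"demo-signing-key-not-for-production"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(header: str, payload: str) -> bytes:
    return hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()

def issue_token(subject: str, scope: str, ttl: int, now: float) -> str:
    """Authorization server: encode the claims, then sign them."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "scope": scope, "exp": int(now) + ttl}
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url(_sign(header, payload))}"

def read_claims_without_key(token: str) -> dict:
    """No key needed: the claims are encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_token(token: str, now: float) -> dict:
    """Resource server: trust the claims only after signature and expiry checks."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            raise ValueError("unexpected algorithm")
        if not hmac.compare_digest(_sign(header, payload), b64url_decode(sig)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(payload))
    except (ValueError, TypeError, AttributeError) as exc:
        raise PermissionError(f"token rejected: {exc}") from None
    if claims["exp"] <= now:
        raise PermissionError("token rejected: expired")
    return claims
```

Because the claims are readable by anyone who sees the token, they should carry nothing sensitive, and the token itself should only travel over TLS.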

You have most likely seen OAuth while logging into a website using a different website’s login. For instance, if you want to read The New York Times, you can log into the site using Google, Facebook, or Apple. Consequently, OAuth has been strongly supported by companies such as Twitter, Google, and many others. Generally, OAuth is used for broad internet browsing. This is where some of the initial concerns regarding OAuth arise. Privacy concerns are amongst the first to come up, specifically with Google and Facebook. The concern is that the more websites you access using Facebook and Google, the more they will know about you. This is known as data mining, the extraction of user data in order to predict outcomes to increase profits. This segues into the next concern: if Facebook or Google were to have a data breach, tons of information would be at stake since these companies collect so much. This is rooted in reality, as both Google and Facebook have had large data breaches. Facebook recently had one in April where data from 533 million people in 106 countries was published on a hacking forum. Google, likewise, has had multiple large data breaches, with a notable breach in 2018. In this breach, 438 applications had access to the unauthorized Google+ data. While large data breaches are not a regular occurrence, they are definitely something to be mindful of when deciding whom to trust with your data.

How Safe is SAML?

Security Assertion Markup Language (SAML) is “an XML-based open-standard for transferring identity data between two parties: an identity provider (IdP) and a service provider (SP).” SAML provides a solution that separates your identity provider and your service provider. This centralizes user management and provides access to SaaS solutions. Instead of sharing credentials, SAML enables communications between the identity providers and service providers using encrypted, digitally signed XML certificates. Similar to OAuth, SAML improves user experience by saving time with fewer passwords and usernames. With SAML, users only need to sign in once to access multiple different services. The flow works as follows: the user first signs into the SSO and then tries to access a site. This prompts the service provider to check the user’s credentials with the identity provider. The identity provider then sends authorization back to the service provider, and the user is granted access to the website.

SAML is more complicated than OAuth, which has its pros and cons. Unlike OAuth, SAML is more complicated to install and use. SAML is also limited to websites and web applications. It is also possible to implement SAML improperly, which causes numerous problems, including security problems. For example, in 2018, some 85 vulnerabilities were reported. Ultimately, SAML is overly complex and has a poor history of security, making it difficult to recommend.

humanID’s Solution

humanID optimizes security and accessibility with its SSOs. humanID is a one-click, anonymous login solution that secures the user’s privacy and anonymity while simultaneously preventing spam and bot misinformation. This is done by humanID’s unique approach of utilizing the user’s SIM card to create a unique ID. Each user is also assigned a nonreversible, hashed identifier. The user’s phone number is used as the irreversible, hashed identifier, allowing humanID to verify the user’s credentials from numerous applications while preventing the creation of spam accounts. In addition, humanID further ensures privacy and security by deleting the user’s data upon authentication. Unlike most other solutions, humanID has two levels of hashing to ensure privacy and security. First, the user’s phone number is hashed and then instantly deleted. After the first hash, the salted hash is then stored as the username for the specific application’s login. By having distinct hashes for each application, humanID is able to safeguard their information while allowing access to multiple platforms. humanID not only saves time by eliminating usernames and passwords but also provides extra security with privacy. With two hashes, humanID differentiates itself from other SSOs. This makes humanID less susceptible to data breaches that have occurred with other SSOs. Most importantly, humanID has actual case studies to back up their technology. We are successfully being used in a Japanese whistleblowing app Ninja Anon, a free speech site, and a rights-based app GreenZone. With a very easy-to-use interface, humanID ensures user convenience along with heightened privacy.
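A sketch of the two-level hashing described above, added here and not humanID's own code: the use of HMAC-SHA256, the first-level secret, the per-application salts and every name are assumptions, since the article does not specify them. It shows that one phone number maps to the same identifier within an application (so a second signup is recognized) and to different identifiers in different applications.

```python
import hashlib, hmac, re

# Constructed values (assumptions); the article does not say how the hashes are keyed or salted.
SERVICE_SECRET = b"demo-first-level-secret"
APP_SALTS = {"app-a": b"salt-for-app-a", "app-b": b"salt-for-app-b"}

def normalize(phone: str) -> str:
    """Canonicalize so '+1 (415) 555-0100' and '+14155550100' hash alike."""
    digits = re.sub(r"\D", "", phone)
    if not 8 <= len(digits) <= 15:
        raise ValueError("not a plausible international phone number")
    return "+" + digits

def first_level_hash(phone: str) -> bytes:
    """Level 1: keyed hash of the number; the raw number is not kept afterwards."""
    return hmac.new(SERVICE_SECRET, normalize(phone).encode(), hashlib.sha256).digest()

def app_identifier(level1: bytes, app_id: str) -> str:
    """Level 2: per-application salted hash, stored as that app's username."""
    return hmac.new(APP_SALTS[app_id], level1, hashlib.sha256).hexdigest()

def login(phone: str, app_id: str, accounts: dict):
    """Return (identifier, is_new_account); only the identifier is stored."""
    level1 = first_level_hash(phone)
    del phone  # drop the raw number as soon as the first hash exists
    uid = app_identifier(level1, app_id)
    known = accounts.setdefault(app_id, set())
    is_new = uid not in known
    known.add(uid)
    return uid, is_new

if __name__ == "__main__":
    accounts = {}  # constructed in-memory store: app id -> set of identifiers
    print(login("+1 (415) 555-0100", "app-a", accounts))
    print(login("+14155550100", "app-a", accounts))   # same user, same app
    print(login("+14155550100", "app-b", accounts))   # same user, other app
```

Phone numbers come from a small, guessable space, so the first-level hash in this sketch is keyed with a secret rather than left as a bare digest.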