Single Sign-On

Logging in via a third-party provider: Convenient and secure?

Even though you are using an online shop for the first time, you do not have to create a user name or password: instead, the shop offers you the option of logging in via a social network or an e-commerce platform, for example. This procedure is called single sign-on.

Single sign-on literally means logging in once. Others also call it registration or login via a third-party provider. The idea is that a central provider enables users to log in to several other services and thereby takes over the task of verifying the user's identity for all of them. Users then only have to enter their login data once and can afterwards access several services. Various providers offer this function, among them large technology groups.

This is convenient, but it also exposes users to risks. We explain what the procedure looks like, what risks users may run into and how they can at least reduce them.

How does single sign-on work?

In practice, single sign-on can have many different faces. It can, for example, look like this: A user wants to shop on the internet. An online shop offers her the option of logging in via a social network. The shop sends a request to the social network, for example containing the user's email address. The social network checks whether the user is already logged in. If she is not, the user must authenticate herself to the social network: she enters her login data, for example her password. If it is correct, the social network confirms to the online shop that the user's identity has been verified.

This confirmation carries an electronic signature based on so-called asymmetric cryptographic algorithms. Thanks to this, the online shop can check whether the information it received really comes from the social network. Only then is it classified as trustworthy. The user gains access to the online shop, even though she has never set or entered her own login data there, such as a user name and password.
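The exchange described above, as an added example that is not part of the original article: the provider signs an identity confirmation with its private key, and the shop accepts it only if the signature checks out against the provider's public key and the confirmation was issued for this shop and is still fresh. The assertion format, field names and hostnames are assumptions made for this sketch, not any real provider's protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// Assertion is the identity confirmation the social network (identity provider)
// returns to the shop. Field names are assumptions for this example, not a real format.
type Assertion struct {
	Subject  string `json:"sub"` // e.g. the user's e-mail address
	Audience string `json:"aud"` // the shop this assertion is meant for
	Expires  int64  `json:"exp"` // Unix time after which it is stale
}

// Issue is the provider's step after the user's password checked out: sign the encoded assertion.
func Issue(priv ed25519.PrivateKey, a Assertion) (payload, sig []byte, err error) {
	if payload, err = json.Marshal(a); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// Verify is the shop's step: check the signature, then that the assertion is for this shop and still fresh.
func Verify(pub ed25519.PublicKey, payload, sig []byte, shop string, now time.Time) (Assertion, error) {
	var a Assertion
	if !ed25519.Verify(pub, payload, sig) {
		return a, errors.New("signature invalid: not issued by the provider")
	}
	if err := json.Unmarshal(payload, &a); err != nil {
		return a, err
	}
	if a.Audience != shop {
		return a, errors.New("assertion was issued for a different service")
	}
	if now.Unix() >= a.Expires {
		return a, errors.New("assertion has expired")
	}
	return a, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the provider's key pair
	payload, sig, _ := Issue(priv, Assertion{"user@example.com", "shop.example", time.Now().Add(time.Minute).Unix()})
	_, err := Verify(pub, payload, sig, "shop.example", time.Now())
	println("shop.example accepts the assertion:", err == nil)
}
```

The audience check is what stops a confirmation meant for one shop from being presented to another; the signature check alone would not catch that.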

Many applications also offer gradations of single sign-on. An example of such a variant: Once logged in to the central service, a user does not gain direct access to the other applications that participate in the procedure. Instead, when opening each application, he or she is asked again to log in to the selected central service. Such variants, which differ in details from single sign-on in its pure form, are also called reduced sign-on. What is important here is that the verification of the user's identity is still carried out by a single, central service. The security risks therefore remain the same.

Why can single sign-on compromise my security?

Risk no. 1: If the central account is hacked, all accounts are.

If cybercriminals gain access to the central account, they can also log in to the other applications. In this way, they take control of several of a person's accounts and maximise their gain. Sometimes they therefore specifically try to identify and attack an account that is used for single sign-on.

Recommendation: Two-factor authentication provides additional security. Single sign-on then still eliminates the need to repeatedly enter different passwords, but a second factor remains necessary, such as a fingerprint or a PIN sent via SMS or generated by an authenticator app. It is also worthwhile using single sign-on only for a limited number of accounts. Sensitive applications should be excluded, such as the email account.

Risk no. 2: More data is collected and analysed than before.

Providers may exchange data about their users with each other or even store it in a central location. If unauthorised persons gain access to the collected data, they can learn a lot about the person concerned, which benefits identity thieves, for example. The exchange of data can also have further consequences: If, for example, a social network passes on data about a person to an online shop, the shop learns something about the person's preferences and can now use personalised advertising.

Recommendation: It is worth looking at the data protection regulations. Does the provider grant itself the right to exchange information with other participating services? Some providers also allow users to adjust their data protection settings. In addition, it makes sense to use for single sign-on only accounts from providers to whom you tend to give little information about yourself.

Logging in via a third-party provider is therefore associated with risks. Nevertheless, it can be convenient for users to go through fewer login processes and remember fewer passwords. For those who otherwise have trouble remembering different passwords, this may be a great relief. What is important though: The account used for single sign-on should have a strong password and should ideally be doubly secured by two-factor authentication.