by yzmtf2008 3301 days ago
Think about a single-sign-on service: by definition, the service would have the ability to generate/access tokens that would grant a user access to other applications. Therefore, a breach in any kind of SSO service would result in granting access to people's information -- no decryption needed!

That's true, but the SSO service itself can run on the user's computer, so there is no need for the service to be able to decrypt the user's data, only for it to be able to persist encrypted data.
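The design described in the reply above, as an added sketch that is not part of the thread or any commenter's code: the vault of tokens is sealed on the user's machine with a passphrase-derived key, and the remote side only persists the resulting blob. `RemoteStore`, `sealVault`, `openVault` and the sample tokens are hypothetical names and constructed data.

```javascript
// Added illustration; RemoteStore, sealVault and openVault are hypothetical names.
const crypto = require('node:crypto');

// Stand-in for the remote service: it persists opaque blobs and never holds a key.
class RemoteStore {
  constructor() { this.blobs = new Map(); }
  put(user, blob) { this.blobs.set(user, blob); }
  get(user) { return this.blobs.get(user); }
}

// Runs on the user's machine: derive a key from the passphrase and seal the vault.
function sealVault(passphrase, vault) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = crypto.scryptSync(passphrase, salt, 32);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  const ct = Buffer.concat([cipher.update(JSON.stringify(vault), 'utf8'), cipher.final()]);
  // Blob layout: salt(16) | iv(12) | tag(16) | ciphertext
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]);
}

// Runs on the user's machine: throws if the passphrase is wrong or the blob was altered.
function openVault(passphrase, blob) {
  if (blob.length < 44) throw new Error('blob too short');
  const salt = blob.subarray(0, 16);
  const iv = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44);
  const key = crypto.scryptSync(passphrase, salt, 32);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  decipher.setAuthTag(tag);
  const pt = Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Constructed sample data, not real tokens.
const SAMPLE_VAULT = { 'mail.example': 'tok-constructed-123', 'wiki.example': 'tok-constructed-456' };
const PASSPHRASE = 'correct horse battery staple';

function demo() {
  const store = new RemoteStore();
  store.put('alice', sealVault(PASSPHRASE, SAMPLE_VAULT));
  const leaked = store.get('alice'); // everything a breach of the store yields
  const exposesToken = leaked.includes('tok-constructed-123');
  let wrongKeyFails = false;
  try { openVault('guess', leaked); } catch { wrongKeyFails = true; }
  return { exposesToken, wrongKeyFails, restored: openVault(PASSPHRASE, leaked) };
}
```

A breach of the store still hands over the blob, so what protects it afterwards is the strength of the passphrase and the cost of the key derivation.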