[woodrowbarlow]

that is true, but that is virtually always because of password re-use. if you use a password manager and randomly-generated passwords unique to each service, this is almost entirely mitigated.

with a single third party login for all services, though, if that third party account gets compromised the results are catastrophic.

[haberman]

> with a single third party login for all services, though, if that third party account gets compromised the results are catastrophic.

The same can be said of the password manager account. It's turtles all the way down.

The fact that we rely on users to not reuse passwords, the fact that using a password manager is all but required to get reasonable security despite being far from convenient, these indicate a major failure to serve the actual needs of users, in my view.

Users have head space for 1-3 strong passwords. They can tolerate carrying maybe 1 security token with them. They can tolerate a little bit of security setup when using a new device for the first time, and they can tolerate a touch or fingerprint scan at authentication time. All authentication systems can and should operate within these parameters.

No web site or app outside of an authentication provider should ever present a user a screen asking them to pick a strong password that they have never used before. That is asking a user to do something that the human brain cannot reasonably do for 99% of the population. At best, a browser or password manager will intervene at that point and pick the password for them. At worst, the user ignores the warning and picks the same password they use for everything else.

[stiray]

> The same can be said of the password manager account. It's turtles all the way down.

What password manager account, what are you talking about? There is never any password manager account, yes, I have heard that some weird people are synchronizing their passwords to some strange 3rd party services but those don't matter. You have one password. Encryption password for login database and that one is local and never transmitted over the internet. If you know a password manager that provides this decryption password to their servers, please open the topic here and they will be bashed to hell for this.

I am a tad more strange, my password manager is synchronized with my sftp server using private key and I am not only randomizing the passwords for each site but also the email address (imagine sha(user+salt) + delimiter + sha(domain + master password)@mydomain.com). And I will never in my life use any SSO as they are mostly spyware designed for tracking users across the sites and certainly not for what they are advertised for. They will break with firefox latest addition? FINE! At least people will stop using them.

One thing are companies self hosted SSOs. Sure, I can trust those for company services. For anything else, like "login with google" or "login with facebook"? Yeah right, my hearth is jumping out of joy and barely waits to use it. It actually works in reverse, if you dont allow me to register using non SSO account (email, password) I wont use your service/webpage/whatever.

[XCSme]

What about two-step verification via an Authenticator or SMS? Is that spyware? Or do you have a self-hosted solution for 2FA too?