
For what it's worth, I find third-party logins (e.g. Spotify via Facebook) to be a nice convenience feature that I use quite often.


I don't think anyone would deny that third party logins are convenient -- either from the user perspective or from the developer perspective. But they are also a huge vector for privacy-invasive ad-profiling, if that's the login provider's business model.


I'd bet that for the average user the privacy impact of tracking is much less significant than the privacy impact of constant account compromises.


That is true, but that is virtually always because of password re-use. If you use a password manager and randomly-generated passwords unique to each service, this is almost entirely mitigated.

With a single third party login for all services, though, if that third party account gets compromised the results are catastrophic.


> with a single third party login for all services, though, if that third party account gets compromised the results are catastrophic.

The same can be said of the password manager account. It's turtles all the way down.

The fact that we rely on users to not reuse passwords, the fact that using a password manager is all but required to get reasonable security despite being far from convenient, these indicate a major failure to serve the actual needs of users, in my view.

Users have head space for 1-3 strong passwords. They can tolerate carrying maybe 1 security token with them. They can tolerate a little bit of security setup when using a new device for the first time, and they can tolerate a touch or fingerprint scan at authentication time. All authentication systems can and should operate within these parameters.

No web site or app outside of an authentication provider should ever present a user a screen asking them to pick a strong password that they have never used before. That is asking a user to do something that the human brain cannot reasonably do for 99% of the population. At best, a browser or password manager will intervene at that point and pick the password for them. At worst, the user ignores the warning and picks the same password they use for everything else.


> The same can be said of the password manager account. It's turtles all the way down.

What password manager account? What are you talking about? There is never any password manager account. Yes, I have heard that some weird people are synchronizing their passwords to some strange 3rd party services, but those don't matter. You have one password: the encryption password for the login database, and that one is local and never transmitted over the internet. If you know a password manager that provides this decryption password to their servers, please open the topic here and they will be bashed to hell for this.

I am a tad more strange: my password manager is synchronized with my sftp server using a private key, and I am not only randomizing the passwords for each site but also the email address (imagine sha(user+salt) + delimiter + sha(domain + master password)@mydomain.com). And I will never in my life use any SSO, as they are mostly spyware designed for tracking users across the sites and certainly not for what they are advertised for. They will break with Firefox's latest addition? FINE! At least people will stop using them.

One thing is companies' self-hosted SSOs. Sure, I can trust those for company services. For anything else, like "login with google" or "login with facebook"? Yeah right, my heart is jumping out of joy and barely waits to use it. It actually works in reverse: if you don't allow me to register using a non-SSO account (email, password), I won't use your service/webpage/whatever.
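The per-site e-mail alias scheme sketched in the comment above, worked through as an added example (not the commenter's code). It assumes a catch-all mailbox on a domain you control, uses SHA-256 truncated to 12 hex characters for each half, and uses constructed sample values for the user, salt and master password. Because the derivation is deterministic, the same routine also answers the defender's question such aliases exist for: when an alias starts receiving spam or phishing, which site was given it?

```python
import hashlib
import hmac

# Constructed sample values for the example; not real credentials.
USER = "alice"
SALT = "example-salt"
MASTER_PASSWORD = "correct horse battery staple"
MY_DOMAIN = "mydomain.example"   # assumed catch-all domain
DELIMITER = "."
DIGEST_CHARS = 12                # truncation is an assumption, for readability


def _hexdigest(data: str, n: int = DIGEST_CHARS) -> str:
    """SHA-256 of a UTF-8 string, truncated to n hex characters."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()[:n]


def site_alias(domain: str, user: str = USER, salt: str = SALT,
               master_password: str = MASTER_PASSWORD,
               my_domain: str = MY_DOMAIN) -> str:
    """Derive the alias for one site, following the comment's scheme:
    sha(user + salt) + delimiter + sha(domain + master password) @ my_domain.
    The domain is normalised so 'Shop.Example' and 'shop.example' agree."""
    domain = domain.strip().lower()
    user_part = _hexdigest(user + salt)                 # same for every site
    site_part = _hexdigest(domain + master_password)    # differs per site
    return f"{user_part}{DELIMITER}{site_part}@{my_domain}"


def alias_matches(alias: str, domain: str, **kwargs) -> bool:
    """True if `alias` is exactly the one derived for `domain`.
    Constant-time compare avoids leaking how many characters matched."""
    return hmac.compare_digest(alias.lower(), site_alias(domain, **kwargs).lower())


def attribute_alias(alias: str, known_domains, **kwargs):
    """Leak attribution: given an alias seen in incoming mail, return the
    site it was handed to, or None if it matches no known site. This only
    works because the derivation is deterministic and the secrets are local."""
    for d in known_domains:
        if alias_matches(alias, d, **kwargs):
            return d.strip().lower()
    return None


if __name__ == "__main__":
    sites = ["shop.example", "news.example", "forum.example"]
    for s in sites:
        print(f"{s:15} -> {site_alias(s)}")
    # Suppose spam arrives at the alias we gave news.example:
    leaked = site_alias("news.example")
    print("leaked alias came from:", attribute_alias(leaked, sites))
```

Two design points are visible in the output: every alias shares the same user prefix (so the sender cannot tell sites apart by that half, but you can recognise your own aliases at a glance), and the site half changes completely between domains, so no site can guess the alias you gave another.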


What about two-step verification via an Authenticator or SMS? Is that spyware? Or do you have a self-hosted solution for 2FA too?


> but they are also a huge vector for privacy-invasive ad-profiling

Do they actually do this? Also, don't most of the big ones allow you to opt out of personalized ads?

I like this because it's easier to have strong 2FA with backup codes on a few well protected accounts, than to do it for every tiny site.


With all respect, did you think of the consequences of you losing access to your login account?


This is a feature in corporate contexts.


A good password manager beats this hands down, for convenience, privacy, and security.


It doesn't for corporate usage... having to create accounts for every new employee on every service you use, and then remove those accounts when someone leaves is not scalable. Having SSO is needed.


I use 1Password (and the browser extension) for all my passwords, but I still choose "Sign-in with Google" when that's an option.

The "Sign-in with Google" button makes it much quicker to create an account and slightly quicker to log in.

Also, I can rely on my Google 2FA rather than setting up and filling in a different TOTP for each site. Something like U2F or WebAuthn would make the filling-in part more convenient, but even sites that offer 2FA usually don't offer those. (And many sites don't even offer 2FA.)

Using 1Password's 2FA feature would make TOTP more convenient, but I'm a little nervous about putting 2FA in 1Password. This might be overly conservative thinking, though.


I agree it can be super convenient, though 'Sign in with Google' is totally broken for me, because I've accumulated a handful of Google accounts.

Every time I log in to a service, I have to guess which account it's associated with (bearing in mind I may have signed up years ago). And if I'm wrong, half the time it immediately attempts to create a new account, and then I'm stuck with a bunch of empty dummy accounts on various services.

