Curious if anyone else finds it increasingly difficult to play "SSO roulette" when logging into the long tail of infrequently-used services: did I use GitHub? Facebook? G Suite? Twitter? Or the secondary problem: "if I used Google SSO, which of my gmail accounts did I use?"

I definitely have my own heuristics (G Suite for everything possible, GitHub for "technical" sites, Facebook as a throwaway, etc.), but I've found myself increasingly "getting it wrong." Not to mention this is worsened by the fact that some sites automatically create a new account for you if you log in with a non-existing account: this means you often end up creating a NEW account, further screwing yourself over.

Anyone have any good hacks to solve this? I've started resorting to storing a blank 1Password entry even for sites I SSO with, simply stating the SSO account and email I used.
Stop using SSO, and use email aliases for each site. E.g. myname+context _at gmail. (Gmail ignores everything right of the + but it will be treated as the myname mailbox.) This keeps emails unique and helps detect when sites leak your email address (and pwd hashes).

Generate complex passwords in a password manager like 1Password. Store usernames and passwords with the site to allow auto filling or search and copy/paste.
We see that with our SaaS users. They use Google auth, and the next day they try to use the 'forgot password' feature. Or they end up with two accounts because they have several aliases. On the one hand a best security practice is never to give a hint that an email is registered ("if an account is registered, we will send you an email"), but for this scenario we made an exception and give a hint.
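The plus-addressing scheme from the comment above, together with the duplicate-account problem the SaaS comment describes, as an added Python example (not code posted by any commenter): it builds a per-site alias, maps an unexpected incoming To: address back to the site that was given that alias, and reduces any alias to the mailbox that actually receives it (Gmail ignores the +tag and dots in the local part; other domains are assumed to ignore only the +tag). The account store then links a Google or password login to the one account for that mailbox instead of creating a second one, and the "forgot password" hint is the deliberate exception the commenter made. All sample addresses and site names are constructed for the example.

```python
"""Email-alias bookkeeping and SSO account linking (added example, constructed data)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Assumption: only these domains collapse dots in the local part; other providers
# are treated as honouring the common '+subaddress' rule and nothing else.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(addr: str) -> str:
    """Reduce an address to the mailbox that actually receives it.

    'My.Name+shop@Gmail.com' and 'myname@gmail.com' are the same Gmail inbox,
    so they must map to the same account key.
    """
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]          # drop the +tag everywhere
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")      # Gmail ignores dots as well
        domain = "gmail.com"
    return f"{local}@{domain}"


def alias_for(mailbox: str, site: str) -> str:
    """Build the per-site plus-address to register with, e.g. myname+hackernews@gmail.com."""
    local, _, domain = mailbox.lower().rpartition("@")
    tag = re.sub(r"[^a-z0-9]", "", site.lower())   # keep the tag RFC-safe and readable
    return f"{local}+{tag}@{domain}"


def leaked_from(received_to: str) -> Optional[str]:
    """Given the To: address of an unexpected email, return the site tag it was registered with."""
    local, _, _ = received_to.strip().lower().rpartition("@")
    if "+" not in local:
        return None
    return local.split("+", 1)[1]


@dataclass
class Account:
    id: int
    email: str                                   # canonical form, the store's key
    identities: Set[str] = field(default_factory=set)   # e.g. {"google", "password"}


class AccountStore:
    """Minimal in-memory store (hypothetical; stands in for the SaaS user table)."""

    def __init__(self) -> None:
        self._by_email: Dict[str, Account] = {}
        self._next_id = 1

    def sign_in(self, provider: str, email: str) -> Tuple[Account, bool]:
        """Attach this login method to the existing account for the mailbox, or create one.

        Returns (account, created). Two aliases of one inbox never yield two accounts.
        """
        key = canonical_email(email)
        acct = self._by_email.get(key)
        created = acct is None
        if created:
            acct = Account(self._next_id, key)
            self._next_id += 1
            self._by_email[key] = acct
        acct.identities.add(provider)
        return acct, created

    def forgot_password_hint(self, email: str) -> str:
        """Reply to a password-reset request.

        The generic message hides whether the address is registered. The SSO-only
        branch deliberately reveals it, trading that for users not locking themselves
        out by hunting for a password that never existed.
        """
        generic = "If an account is registered, we will send you an email."
        acct = self._by_email.get(canonical_email(email))
        if acct is None or "password" in acct.identities:
            return generic
        providers = ", ".join(sorted(acct.identities))
        return f"This account signs in with {providers}; use that button instead of a password."
```

Used per site, `alias_for` gives every service its own address and `leaked_from` tells you which one a surprise mailing came through; on the service side, keying accounts by `canonical_email` is what prevents the "two accounts from two aliases" case, and the hint function shows the one place the existence of an account is revealed on purpose.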
1Password seems to have plans to provide a solution to this problem: https://www.future.1password.com/

> 1Password will remember how you log in to each account so you can get where you're going with a single click
I try not to use SSO accounts as much as possible, especially Facebook, since I have no idea what those accounts are sharing with the vendor. But I do find myself wishing for a solution to remember which provider I used when I originally signed up, if I did sign up with SSO.
I always sign up directly and store the information in 1Password. With a custom domain I always use <website>@myDomain.com.

What if your Twitter/FB/Google account gets suspended for whatever reason? All of a sudden you can't log in to a plethora of sites.
Yes. I try to opt for non-SSO login whenever possible, or alternatively manually make a dummy 1Password entry with a username like “GitHub login”. I would like if 1Password could track OAuth redirects automatically but I’m not sure if it’s possible.
There is no reason to use any of these SSO integrations if you have a password manager.

Sign up via e-mail, save your password, and you're done.

Now you know exactly what you used to sign up with and you can stop giving data mining companies ways to track you.
There are a lot of recommendations here to stop using SSO. Unfortunately, there are enough sites that accept only SSO to make it impractical. One could go the route of I-refuse-to-use-any-site-that-does-not-provide-email-auth. This is something I have personally tried, and I find it annoying to see sites that have only SSO (sometimes only one provider that I do not even use). OTOH, if it is something I really need or find interesting I fold and use SSO :(