Ask HN: Anyone else constantly forget which SSO service they signed up with?

22 points by lordofmoria ↗ HN
Curious if anyone else finds it increasingly difficult to play "SSO roulette" when logging into the long tail of infrequently-used services: did I use GitHub? Facebook? G Suite? Twitter? Or the secondary problem: "if I used Google SSO, which of my gmail accounts did I use?"

I definitely have my own heuristics (g suite for everything possible, github for "technical" sites, facebook as a throwaway, etc), but I've found myself increasingly "getting it wrong." Not to mention this is worsened by the fact that some sites automatically create a new account for you if you log in with a non-existing account: this means you often end up creating a NEW account, further screwing yourself over.

Anyone have any good hacks to solve this? I've started resorting to storing a blank 1Password entry even for sites I SSO with, simply stating the SSO account and email I used.

14 comments

[ 9.3 ms ] story [ 37.2 ms ] thread
I always sign up directly and store the information in 1password. With a custom domain I always use <website>@myDomain.com.

What if your twitter/fb/google account gets suspended for whatever reason? All of a sudden you can’t login to a plethora of sites.

Yes, but that's more of a general argument against all SSO - besides, does your concern hold even for things like Sign In with Google / Apple? I assume losing access to iCloud / Gmail (if you've opted into these ecosystems) is an existential threat anyway, and SSO is the least of your worries at that point, and the question still stands.
I try not to use SSO accounts as much as possible, especially Facebook, since I have no idea what those accounts are sharing with the vendor. But I do find my self wishing for solution to remember which provide I used when I originally signed up if I did sign up with SSO.
We see that with our SaaS users. They use Google-auth, next day try to use the 'forgot password' feature. Or end up with two accounts because they have several aliases. On the one hand a best security practice is never to give a hint that an email is registered ("if an account is registered, we will send you an email") but for this scenario we made an exception and give a hint.
Stop using SSO, and use email aliases for each site. Eg: myname+context _at gmail. (Gmail ignores everything right of the + but it will be treated as the myname mailbox). This keeps emails unique and helps detect when sites leak your email address (and pwd hashes).

Generate complex passwords in a password manager like 1password. Store usernames and passwords with the site to allow auto filling or search and copy/paste.

Nifty feature, if you register you domain on google domains, it includes free email forwarding including wildcards... so I use foo.com at mydomain for each site.

Also use Bitwarden and keep almost everything in there, with an 18 character passphrase for bitwarden itself.

Yes. I try to opt for non-SSO login whenever possible, or alternatively manually make a dummy 1Password entry with a username like “GitHub login”. I would like if 1Password could track OAuth redirects automatically but I’m not sure if it’s possible.
There is no reason to use any of these SSO integrations if you have a password manager.

Sign up via e-mail, save your password, and you're done.

Now you know exactly what you used to sign up with and you can stop giving data mining companies ways to track you.

1Password seems to have plans to provide a solution to this problem: https://www.future.1password.com/

> 1Password will remember how you log in to each account so you can get where you're going with a single click

wow, thanks for this link, I wasn't even expecting a 1Password solution, but the very first item on that is exactly what I was getting at.

Though this seems to be maybe aimed at enterprise, I hope they continue their tradition of releasing features on personal as well.

(comment deleted)
There are a lot of recommendations here to stop using SSO. Unfortunately, there are enough number of sites that accept only SSO to make it impractical. One could go the route of I-refuse-to-use-any-site-that-does-not-provide-email-auth . This is something I have personally tried and find annoying to see sites that have only SSO (sometimes, only one provider that I do not even use). OTOH, if it something I really need or find interesting I fold and use SSO :(
Has an only SSO signup site ever been worth breaking that rule? It's usually the result of a quickly thrown together site.
I think I have seen that once or twice, but that is about it. Which sites do you run into that do not have SSO?