Should you stop logging in through Google and Facebook? Consider these SSO risks vs. benefits
Publish Time: 11 Dec, 2025
[Image: person using keyboard. Credit: Uladzimir Zuyeu/iStock/Getty Images Plus]

Key takeaways

  • Many sites let you sign in with an existing login from consumer SSO providers.
  • This approach results in a potentially risky centralization of your credentials.
  • Passkeys allow you to compartmentalize credentials, but SSO has its advantages.

Here on , I've been writing a lot about passkeys -- the FIDO Alliance-backed passwordless replacement for traditional usernames and passwords. As far as I'm concerned, all organizations and users on the internet cannot make the move soon enough. However, I was reminded of how challenging and lengthy that transition will be (sadly, 10 years is my estimate) when I recently encountered warnings to change my password for ChatGPT. 

Also: How passkeys work: The complete guide to your inevitable passwordless future

That ill-informed recommendation turned up in my article feed when the operator of ChatGPT -- OpenAI -- announced the day before Thanksgiving that some of its customer data had been breached by threat actors. Between watching my turkey bake and preparing my side dishes, I rushed to my computer to change my OpenAI password. Not a moment to lose when you get scared like that, right?

There was only one major problem: While I have a login to OpenAI, I suddenly realized I didn't have an OpenAI password. 

Wait. What?! How is that possible? Now what do I do? And why do freaky technical emergencies like this always happen at the worst possible time? And what kind of hypocrite am I to be recommending passkeys to everyone while not using a passkey to log into ChatGPT? At that moment, I couldn't remember whether or not OpenAI was enabling users to authenticate to its generative AI services with a passkey. If it were, there'd be no need to change my password. After all, with passkey-based logins, breaches like these shouldn't matter at all. 

(Disclosure: Ziff Davis, 's parent company, filed an April 2025 lawsuit against OpenAI, alleging it infringed Ziff Davis copyrights in training and operating its AI systems.)

As it turns out, OpenAI is one of those service operators that allows you to register and log in with your existing Apple, Google, or Microsoft ID. I refer to these services as consumer single sign-on (SSO) services. (My phrase "consumer SSO" is intended to distinguish public SSO services from the single sign-on solutions many companies use to manage identity and access, such as Okta's Identity Cloud and Microsoft's Entra.)

Also: The best VPN services (and how to choose the right one for you)

With a single credential like your Google ID and password, you can log into hundreds of internet services, making consumer SSOs incredibly convenient. Instead of dozens of logins for different services, you rely on one. But now that passkeys are all the rage, are consumer SSOs really a good idea? Or is it time to eliminate them from your credential management strategy?

Moving to passkeys is a priority for everyone

I believe we should be moving to the passkey standard for all our logins (and that website and app operators should do more to encourage this transition). However, we're not there yet, and we won't be there anytime soon. There are a lot of cooks in the passkey kitchen, and their conflicting interests, opinions, and behaviors are an impediment to speedy adoption. 

One of the big ideas behind passkeys is how, with the help of your chosen passkey authenticator (many of which are built into the technologies we already use), you can create a separate non-transferrable, non-guessable, and especially non-phishable user credential for each site or application (collectively, "relying parties") that you use. 

Also: What is a passkey authenticator? Only the key to our passwordless tomorrow

In fact, unlike usernames and passwords, the passkey standard allows for the creation of multiple credentials per website or app. In that scenario, you could have one passkey for logging into Shopify from your desktop computer and another passkey for logging in from your smartphone. With syncable passkeys, though, where a single passkey can be synchronized to multiple devices, there are fewer reasons to take this approach.

Passkeys aren't simply an alternate way to authenticate with your favorite relying parties. Passkeys are about all users raising their personal operational security (aka "opsec") to a higher level, where the likelihood of their credentials being compromised is reduced to nil, making the internet a much safer operating environment.

Unlike passwords, passkeys are virtually unstealable. The secret part of the passkey -- known as the private key -- always stays with the user and is never shared. Passkeys are not held by any relying parties (the way passwords are), and passkeys are most definitely not shared with threat actors during a phishing attempt. The exception would be when a threat actor steals the physical device on which your passkeys are stored, in which case, hopefully, your device protection best practices have you covered. 

As it turns out, the advice to change your ChatGPT password as a result of the OpenAI data breach was bad advice. Passwords were not among the fields of data that were compromised. However, I learned two other things about my ChatGPT login during this process.

Uncovering SSO challenges

First, when I originally decided to try ChatGPT, I elected to sign up using one of the consumer single sign-on (SSO) options available to me. A consumer SSO service like those offered by Google, Microsoft, and Apple (see the ChatGPT screenshot below) makes it very fast and easy for end users to log in to their favorite websites, as long as those sites make the option available, without needing to create a separate set of credentials for each of those sites. 

SSO means you sign in to a single identity management service; from there, you are automatically granted access to the sites that support that service. As Google is one of the SSOs supported by OpenAI, and I'm always logged in to my Google account, a dedicated username and password for ChatGPT were unnecessary. At least that was the case when I first started using ChatGPT. Now, when I visit ChatGPT, it simply checks to see if I'm already logged in to my Google account. Somewhat like passkeys, it conveniently never asks for a username or password.

Also: The best VPN services for iPhone and iPad (yes, you need to use one)

Second, I learned that once you elect to log in to OpenAI's services with one of the supported consumer SSO providers, that decision is -- unfortunately -- irreversible. You can't change your mind and go back to establishing a dedicated set of credentials. (The option is available to you when you first sign up, as shown in the red-boxed area in the partial screenshot below.)

Partial screenshot of ChatGPT login options

OpenAI, the provider of the ChatGPT generative AI service, gives users the option to log in with their existing Google, Apple, or Microsoft logins. 

Screenshot by David Berlind/

Consumer SSOs have been around since the early 2000s, long before passkeys entered the scene, which raises an important question (one that's highlighted by the irreversibility of my choice to log in to ChatGPT with my Google SSO). 

Is it time for users to start rejecting consumer SSO options altogether? 

Recall that one of the big ideas behind passkeys is that you can create one or more of them for every relying party that you log in to. This principle is the antithesis of consumer SSOs, where, theoretically, you have a single credential to your favorite consumer SSO provider, and that lone credential logs you in to all of your other sites.

Also: How I easily set up passkeys through my password manager - and why you should too

In fairness, there's no reason you couldn't have a single passkey that logs you in to a consumer SSO, which in turn logs you in to all of your other relying parties. In fact, since I use a passkey to log in to my Google account, it's a roundabout way of securing my ChatGPT account with a passkey. 

All three consumer SSOs supported by ChatGPT -- Apple, Google, and Microsoft -- support passkey-based authentication. And they should. They're the three leading proponents of passkeys at the FIDO Alliance. But, honestly, a part of the passkey ethos is that you get to take personal control of your digital footprint. Why should any consumer SSO provider get to know so much about you?

I began to wonder about the degree to which you could be centralizing your risk of compromise to your online accounts through consumer SSO. For example, if a username and password-based login is available to my consumer SSO account (even if passkeys are simultaneously supported), what would happen if a threat actor gained access to my SSO username and password? 

What if a threat actor grabbed my Google username and password? Theoretically, if my Google account wasn't secured with multifactor authentication (MFA), that threat actor could also gain access to my ChatGPT account (and any other account secured via my Google SSO). This is not to suggest that Google's SSO service or any of the other competing offerings are insecure.  

A security paradox

In search of an answer to this paradox, I consulted with some cybersecurity professionals.

"You're right that 'Sign in with Google/Apple/etc.' centralizes risk," said Cory Michal, chief security officer at SaaS security solution provider AppOmni. "If that primary account is compromised, the blast radius is bigger because it may unlock multiple downstream services. That's a concern for more security-savvy users who already use a password manager and unique credentials to keep accounts compartmentalized." 

"That said," continued Michal, "for most people, the 'sign in with' option is a net security win. The realistic alternative for them isn't 'perfect password and MFA hygiene,' it's weak or reused passwords spread across lots of sites with uneven security. Centralizing authentication with a major provider like Google means you also centralize defenses, strong MFA, anomaly detection, and better account monitoring. So 'Sign in with Google + strong MFA like a YubiKey only on that account' is often one of the safer options we have today."

SquareX founder Vivek Ramachandran noted that "SSO has significantly improved user experience by allowing users to easily sign up to multiple web services." (SquareX discovers browser vulnerabilities and then provides management solutions to mitigate those risks.)

Also: The best password managers: Expert tested

"However, this creates a single point of failure should an attacker get access to the user's [SSO provider] credentials. This risk can be significantly remediated by enabling MFA to prevent attackers from logging in to their [SSO provider] with those stolen credentials. The secondary 'password' that MFA provides is non-trivial to steal as most of them are delivered out of band via mobile devices (SMS), authenticator apps, or hardware security keys."

Michal and Ramachandran concur that as long as the credentials to your SSO provider are extremely well-secured, relying on consumer SSO services as a means to centrally log in to your favorite sites and applications with those credentials can work. However, the cybersecurity establishment has soured on the idea of one-time MFA codes that are transmitted via email or SMS. Neither channel is considered secure, and even with time-based one-time passwords (TOTPs) generated by apps like Google Authenticator, users have mistakenly revealed their TOTPs to threat actors.

I find that it's easier on my brain if I do things the same way for every relying party. For example, if I have site-specific credentials for one relying party, but SSO-based credentials for another, I will too easily lose track of which of my sites and apps depend on SSO and which do not. Based on what I've seen from most password managers, it is not a detail that is easily tracked or managed. 

For example, when, after a long time of not using ChatGPT, I attempted to log in with a username and password, my password manager sprang to life, but had nothing to offer in the way of usable credentials. Maybe it should have said "Enabled for Google SSO." At least then, I'd have some idea of what to try next. 

Also: I'm ditching passwords for passkeys for one reason - and it's not what you think

By sticking to the same practice of using dedicated credentials for every site, I'm confident that my password manager will behave predictably every time. I won't have to second-guess what to do to log in to certain sites, and I won't have to pick from multiple consumer SSO providers, since different sites support different providers (and some don't support any at all). As Michal intimated, this automatically contains any potential blast radius in the event of a compromise. I like to compartmentalize (as Michal put it). There are no downstream effects.

But, as soon as I go off that playbook, I know I'll get myself into trouble. That's why I wish OpenAI would give me the option to revert from the SSO election I originally made to a standard MFA-based credential (or, even better, a passkey). However, according to OpenAI, there are no plans to offer that capability.
