Is single sign-on (SSO) the end of cookies?

As Web users, we are confronted with the same situations over and over again.  Before buying anything online, we are asked to log in first. Whenever we want to read our emails, we have to enter our user id and password and so on and so forth. Clearly we spend a significant amount of time entering our credentials and recovering lost passwords. And this happens even to the most organized of us.  Recently, I asked myself how many accounts I had to keep track of: my cloud subscriptions, emails, and all the numerous accounts I’ve set up for online buying purposes. Guess what? I counted no less than 174 accounts saved in Safari. That scared me even if some tools are available out there to help us and even manage this for us. Could it be simpler to be able to handle everything with a single ID? The solution? The Single sign-on (SSO). This represents a great option to avoid overwhelming users’ memory with a few hundred user IDs and associated passwords.

What is single sign-on (SSO)?

An SSO provides users with a unique login and password to access all their online accounts instead of relying on a different user IDs for each service.

Let me illustrate this with the examples of Facebook and Google. As you’ve probably experienced, logging in with your Gmail account enables you to enjoy the large set of services that Google offers. This can be seen as the Google sign on. Similarly, your Facebook account can be used to connect to many services or to create an account on a new application, website, etc. Basically, you just need to click on the ‘Log in with Facebook’ button and authorize the application to use your Facebook account. This is the Facebook sign-on.

The single sign-on is an amazing authentication technology. Simply put, it gives you the ability to get connected to a wide-range of applications and web services without having to create an account for each one individually.

How does the single sign-on works?

Obviously, single sign-on is achieved through a close partnership where good faith and trust are key. Indeed, application developers, service providers and identity providers (IDP) work closely together. The application developer is no longer responsible for the authentication of internet users, the IDP is.

Then, when a user wants to connect to an application, a website or another service using the SSO system, the application asks the identity provider to check whether the user is already logged in. If not, the user is asked to fill in the information required for the connection.

What are the benefits of SSO?

For the users:

• An account is a single pair (a user ID, password) available for a wide-range of  websites, applications and services: this enables users to get connected everywhere, much faster and without overwhelming them with tons of different IDs.
• In addition to enjoying a quick and easy way to connect everywhere, the user no longer needs to fill in all her personal information at each account creation (phone, address, etc.) as everything is already registered in the SSO system and the SSO system is able to provide the data to sites and applications that need it.
• An optimized and up-to-date security: as I said previously, by using an SSO system which application developers are no longer in charge of security and privacy. This is great news since they are not always experts in the field.  The SSO enforces the security of the data processed through the system.

For service providers and application developers:

• A security expert is no longer needed in your team: instead the identity provider in in charge of securing user-related data.

For application developers, service providers, and users:

• A multi-device connection: at the era of mobile first, users no longer use a single device for their search and daily navigation. SSO has the advantage of supporting multi-device to allow users to quickly get connected from any device. Actually, service providers also have a lot to gain in the process as single sign-on allows them to collect data on user behavior throughout the user’s journey on a web site or application. Clearly, this leaves the door wide open to personalizing their experience, among many other opportunities.

Are there any drawbacks to SSO?

For internet users:

• It might become difficult to hide information: SSO might complicate the life of Internet users who wish to ‘lie’ about their email address or any other thing required when signing in  on a new website. This could hinder their ability to limit the marketing pressure that some brands are abusing.
• A single connection to a service makes you sign in to all the services of the brand. For example, if you sign in to your Gmail account, you are not only logged in your Google Mail, but also to your Drive, YouTube, and all the other services Google offers, without having necessarily chosen to.
• The high security of the SSO system could be as much a threat as it is an advantage: if a hacker finds a security breach, she will be able to hack most accounts to which the user is registered, at once.

Why is SSO seen as an alternative to cookies?

• Privileged access to users: unlike cookies, SSO allows to know a lot about a user and her habits. In a way, SSO will be able to follow the user as soon as she gets connected to a service while cookies are only able to track down some information about users but not their identity. A cookie is not linked to a person but instead identifies a device/browser pair. Who is behind the screen remains unknown. In addition, when a cookie is created, it is virgin of all information about the associated user whereas the SSO will immediately feed any applications with some user data.
• The multi-device capability (unlike cookies): the main drawback of cookies since their introduction has been their inability to recognize a user over multiple devices. Alice’s cookie on her mobile phone is different from the one on her laptop. Clearly the SSO represents an opportunity to achieve recognition of users even if connected through multiple devices.
• Less volatile than the cookie: in addition to being poorly suited for multi-device use, the tracking cookie may be deleted by the user and a new cookie will be created when the user connects back, losing the user’s history along the way.
• Resilience to the browsers’ strategy: several browsers are in the process of disabling cookies, such as Safari for instance, in order to protect users from aggressive retargeting that could potentially hurting the user’s experience and privacy. While this is a noble cause, this is sometimes a shame as it also hurts all (good) services providing personalization for an enhanced user experience.
• The data is reliable, qualified and persistent over time.

Cookies have been widely used to collect information from our browsers since the creation of the web: The first browser compatible with cookies was Netscape in 1994, the pioneer of browsers.

Cookies are still critical both for users and applications. First of all because users might not yet be ready yet to log in to all websites and services they use, and give away their personal identity and data. In addition, cookies, while being less intrusive than SSO, are a means to achieve personalization in many services. Improving the user’s experience is of crucial importance in an industry like online press were the monetization of audiences is key to the survival of a media site.

SSO represents a great opportunity to significantly improve the user’s experience through personalization. Yet, this depends on users being convinced by the technology and adopting it in order for it to be fully leveraged. Meanwhile cookies still do the job.

For now, cookies and single sign-on systems can be seen today as complementary and a great means to implement customization to satisfy their audiences and improve their marketing KPIs. Should users fully adopt SSO in the future, this might indeed be the end of cookies.