Episode 364 of the #osspodcast in which Kurt had bad shawarma, @joshbressers agrees that good shawarma is great, and we learn that it's also hard to know what's in your software even if you do #SBOM https://opensourcesecurity.io/2023/02/26/episode-364-using-sboms-is-hard/ TL;DR: We got different kinds of SBOM, SBOM drift, services and APIs, and then there are some complicated problems on top of all that. Also legal obligations.
I’ve been enjoying your podcast for quite a while. But I recall you mention SSO is the future. Until then password managers are the second best thing. But why? From a user’s perspective I feel password managers are the safest and easiest to use (I don’t like being redirected). I see benefits in SSO for administrators, but not for end users.
The answer to this isn't simple and I think we've discussed it long ago. I'm too lazy to try to find it, so I'll do my best

Password managers are great, if you can get people to use them. The fundamental problem with a password manager is for normal people, the experience is very bad. It's complicated, and clunky, and if they forget their master password it's all over

SSO as we use it today is also terrible. If you get locked out of your Gmail account, it's pretty much over
We need SSO that looks a bit more like current enterprise SSO. Account recovery being the important goal

Of course we also need a way to multi-factor that SSO because if an attacker gains access you have huge problems, but that's a huge problem in itself

I think the single biggest advantage SSO gives us outside of the hilarious ease at which we can log in, is the security of a proper SSO system
A properly run SSO can watch for broad attacks and stop them for everyone. You get to see a lot of behavior data. You know if they log in from California, then try to log in from Russia 12 minutes later, something is wrong

But none of this is real or possible today. Having a few well run central SSO authorities won't be cheap. It would be a huge money sink I imagine. A bit like the post office

But we can dream 😀

In the meantime, we can keep using password managers
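The "California, then Russia 12 minutes later" check in the reply above is the classic impossible-travel detection a central SSO can run over its login telemetry. Here it is as an added illustration (my own example code, not from the podcast or any poster in this thread), run over constructed login events; the coordinates, the 1000 km/h plausibility ceiling and the `Login` record shape are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed ceiling: roughly airliner speed


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    lat: float
    lon: float
    label: str  # human-readable place, used in the alert


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive logins per user whose implied speed exceeds max_kmh.
    Returns a list of (user, from_label, to_label, implied_kmh)."""
    alerts, last = [], {}  # last: user -> most recent Login seen
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last.get(ev.user)
        if prev is not None:
            dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.ts - prev.ts).total_seconds() / 3600
            # moving with zero elapsed time is impossible too, not a divide error
            kmh = dist / hours if hours > 0 else float("inf")
            if dist > 0 and kmh > max_kmh:
                alerts.append((ev.user, prev.label, ev.label, kmh))
        last[ev.user] = ev
    return alerts


# Constructed sample events; coordinates are approximate city centres
T0 = datetime(2023, 2, 26, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    Login("alice", T0, 37.7749, -122.4194, "California"),
    Login("alice", T0.replace(minute=12), 55.7558, 37.6173, "Russia"),
    Login("bob", T0, 37.7749, -122.4194, "San Francisco"),
    Login("bob", T0.replace(hour=14), 34.0522, -118.2437, "Los Angeles"),
]


def run_sample():
    """Run the detector over the constructed events; only alice is flagged."""
    return impossible_travel(SAMPLE_EVENTS)
```

Calling `run_sample()` returns one alert for alice (roughly 9,400 km in 12 minutes), while bob's San Francisco to Los Angeles hop two hours later stays well under the ceiling.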
The other aspect is the inability to easily transition between SSO providers, e.g. if I use Google as my SSO... changing that is a right nightmare. At least with email you can get your own domain and easily shop around for providers, but not so much with SSO. Also changing account names (people do change their names...) can be a totally messed up experience with a lot of SSO systems.

Reminder: any auth system needs to support changing your account name easily, and changing your provider easily. Otherwise, a lot of people will worry (rightfully so) about vendor lock-in and #enshitification.