Many people today use single sign-on (SSO) when logging in to a web service. Users then have the option of using an existing login to gain access to another digital service. New services can then be accessed without having to create a new login or password. Ultimately, this makes it easier to access a new product or service. The offer is readily accepted by users because of its practicality.
The best-known examples of SSO services are probably Facebook, LinkedIn or Google accounts. Tech giants enable users to log in quickly, so to speak. Thanks to this measure, they save us the registration process. It’s convenient and saves time.
Single Sign-On Disadvantages
Of course, this also comes with disadvantages. First of all, all logins are then routed through tech giants. Data protection experts regularly point out the danger that arises from the resulting accumulation of metadata.
“Log in with xy” increases the risk of exposing one’s full online activity by hacking a single password. By accessing the credentials to an SSO service, in the worst case cybercriminals even gain knowledge of all the web services we use. According to CRIF, identity theft attacks increased by over 26% during the pandemic.
There are already ways to prevent password theft. For example, digital services often require the use of two-factor authentication. In this model, the shared secret of a username and password (“something you know”) is combined with access to a device linked to the account, such as a token or a SIM phone number. This second layer of security makes your password meaningless to hackers unless they also have your phone. However, this is again more costly and has a measurable impact on the user experience.
So the problem lies in the central data store that manages online access. An alternative approach to solving this problem would therefore be decentralized data storage.
Verified personal data in the company
Even companies that use SSO services have a big problem. In principle, they do not know exactly who their customers are, because the personal data of the accounts is usually not verified, or the verification is very weak. The SSO services are therefore not based on a secure digital identity. Headlines about fake accounts, even at large companies, appear with increasing regularity.
One possible way for the company would now be to set up its own SSO service on its own platform. However, nothing is gained by doing this, because the result is just another data silo which is populated with data in the old conventional way and has to be maintained and protected under the GDPR requirements. For the user, there is also no essential advantage with this variant, because for him it is just another data silo with SSO access that he cannot really manage.
SSI and SSO are not the same
SSO and SSI look similar and sound related. However, they are fundamentally different systems. SSI stands for Self-Sovereign Identity. In the case of SSI, a verified digital identity is one of the top priorities. Much more important, however, is the basic structure of data storage, which is decentralized. SSO, on the other hand, is the centrally controlled identity, with mostly weak verification of the data.
With SSI, users store their data in a private wallet on their smartphone. This wallet is only accessible to them. The documents stored there have previously been verified by independent third parties such as banks or institutions. For this purpose, certificates that do not allow any conclusions to be drawn about the owner are issued and stored in a blockchain. Users merely share the deposited certificates during a business transaction. They thus retain full control over their personal data. Companies receive legitimized certificates. This could be a certificate about a minimum age, for example. Transferring only the certificate is data-saving and efficient. Eliminating the need to transfer extensive data also reduces data management overhead. This in turn reduces data protection risks.
Thanks to the decentralized storage of certificates, SSI also enables convenient login with SSO. If you want to create an account with a new service, such as a mobility service provider, you no longer have to initiate a new verification process. Instead, certificates already stored in the wallet can be used.
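The minimum-age certificate flow described in this section, as an added example that is not myEGO's code or part of the original article: an issuer signs only salted digests of the verified claims, the wallet keeps the salts, and the company checks a single disclosed claim. The scheme (SHA-256 digests signed with Ed25519), the function names and the claim strings are assumptions made for illustration, and the issuer's public key is assumed to be obtained from wherever the issuer publishes it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Credential is what the issuer signs: salted digests only, no clear-text claims.
type Credential struct{ Digests []string; Sig []byte }

// digest binds a claim to a salt so the claim cannot be guessed from its hash.
func digest(salt, claim string) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(salt+"|"+claim)))
}

// Issue is run by the verifying third party; the returned salts stay in the wallet.
func Issue(priv ed25519.PrivateKey, claims []string) (Credential, []string) {
	salts, digests := make([]string, len(claims)), make([]string, len(claims))
	for i, c := range claims {
		b := make([]byte, 16)
		if _, err := rand.Read(b); err != nil {
			panic(err)
		}
		salts[i] = fmt.Sprintf("%x", b)
		digests[i] = digest(salts[i], c)
	}
	return Credential{digests, ed25519.Sign(priv, []byte(strings.Join(digests, ",")))}, salts
}

// Verify is run by the company: it sees one disclosed claim and its salt, nothing else.
func Verify(pub ed25519.PublicKey, c Credential, salt, claim string) bool {
	want, found := digest(salt, claim), false
	for _, d := range c.Digests {
		found = found || d == want
	}
	return found && ed25519.Verify(pub, []byte(strings.Join(c.Digests, ",")), c.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	// Constructed sample claims; only the age claim is disclosed to the company.
	cred, salts := Issue(priv, []string{"name=Alex Example", "birthdate=1990-04-01", "age_over_18=true"})
	fmt.Println(Verify(pub, cred, salts[2], "age_over_18=true"))  // true
	fmt.Println(Verify(pub, cred, salts[2], "age_over_18=false")) // false
}
```

The company never receives the name or birthdate, and the random salts keep it from recovering them by hashing guesses against the signed digests.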
SSO is great, but please only with SSI
If the goal is to simplify the registration process online, data security should not fall by the wayside. The new paradigm of self-sovereign identity clearly offers companies as well as users a multitude of benefits, and also provides the advantage of reducing the friction losses in customer acquisition online.
The myEGO Wallet brings the benefits of SSI technology directly to users. With the Wallet from myEGO we implement many advantages with a single connection: it can be used online and offline, different certificate issuers can be connected easily, and login without data translation becomes hassle-free.