Single sign-on

True single sign-on allows the user to log in once and access services without re-entering authentication factors.

A simple version of single sign-on can be achieved over IP networks using cookies but only if the sites share a common DNS parent domain.
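The reason cookie-based single sign-on needs a common parent domain is the browser's domain-matching rule (RFC 6265 section 5.1.3): a cookie set with Domain=example.com is sent to example.com and any of its subdomains, but never to an unrelated host, and browsers refuse a Domain value that is a public suffix such as "com". The following added example, which is not part of the article, implements that rule for a constructed sso_session cookie so the boundary of the shared session can be checked for a list of hosts.

```python
import ipaddress

# Constructed example cookie (not from the article): an identity provider at
# sso.example.com sets a session cookie scoped to the parent domain example.com.
SSO_COOKIE = {"name": "sso_session", "domain": "example.com", "secure": True}


def is_ip_address(host: str) -> bool:
    """True if host is a literal IPv4/IPv6 address (domain cookies never match those)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match: the request host equals the cookie
    domain, or ends with '.' + domain, and the host is not an IP address.
    Comparison is case-insensitive; leading/trailing dots are ignored."""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    if host == domain:
        return True
    return host.endswith("." + domain) and not is_ip_address(host)


def cookie_sent_to(cookie: dict, host: str, https: bool = True) -> bool:
    """Would the browser attach this cookie to a request for `host`?
    A Secure cookie is only sent over HTTPS; otherwise only the domain rule applies."""
    if cookie.get("secure") and not https:
        return False
    return domain_matches(host, cookie["domain"])


def sso_coverage(cookie: dict, hosts: list[str], https: bool = True) -> dict[str, bool]:
    """Map each host to whether the shared SSO cookie reaches it, i.e. which
    services can participate in the cookie-based single sign-on."""
    return {h: cookie_sent_to(cookie, h, https) for h in hosts}


if __name__ == "__main__":
    hosts = ["sso.example.com", "app.example.com", "example.com",
             "example.org", "notexample.com", "192.0.2.1"]
    for host, reached in sso_coverage(SSO_COOKIE, hosts).items():
        print(f"{host:20s} {'shares session' if reached else 'no session'}")
```

Only the three example.com hosts receive the session; example.org, the look-alike notexample.com and a bare IP address do not, which is exactly why an SSO that must span unrelated domains has to use a federation protocol (SAML, OpenID Connect, Kerberos) instead of a shared cookie. The Secure flag check also shows that a session cookie carrying "keys to the castle" should never be sent over plain HTTP.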

An increasing number of federated social logons, like Facebook Connect, do require the user to enter consent choices upon first registration with a new resource, and so are not always single sign-on in the strictest sense.

As single sign-on provides access to many resources once the user is initially authenticated ("keys to the castle"), it increases the negative impact in case the credentials are available to other people and misused.

Therefore, single sign-on requires an increased focus on the protection of the user credentials, and should ideally be combined with strong authentication methods like smart cards and one-time password tokens.

Because the researchers informed identity providers and relying-party websites before publicly announcing the discovery of the flaws, the vulnerabilities were corrected, and no security breaches have been reported.

It was first reported as "Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID" by its discoverer Wang Jing, a mathematics PhD student at Nanyang Technological University, Singapore.

This worked well enough within a single enterprise, like MIT where Kerberos was invented, or major corporations where all of the resources were internal sites.

As of 2019, Google and Facebook sign-in do not require users to share email addresses with the credential consumer.

Kerberized client applications such as Evolution, Firefox, and SVN use service tickets, so the user is not prompted to re-authenticate.

A mobile device is "something you have", as opposed to a password, which is "something you know", or biometrics (fingerprint, retinal scan, facial recognition, etc.).

Example of a single sign-on implementation, Wikimedia Developer (based on Central Authentication Service)