Online Accounts 2025: Single Sign-In (SSO) (Premium)

As part of an ongoing effort to reduce my reliance on Big Tech services that could disappear at any time, I’m removing single sign-on (SSO) connections between my Google accounts and third-party services. This is one of several high-level goals I made for myself this year and described in Online Accounts 2025 (Premium) in early February.

Since then, most of my initial work revolved around the YouTube drama I documented in great detail in From the Editor’s Desk: Online Accounts, a Cautionary Tale (Premium). More specifically, the fact that I had never formally backed up that data. Here’s a quick update on that work.

The initial backup of my Thurrott.com YouTube channel took longer than expected, in part because of the storage requirements, and in part because I made some mistakes early on. But I finally figured that out, and got started on the actual backup, which I calculated would take up about 3.4 TB of storage. I did conclude that download over the subsequent weekend in mid-February, and so that ended quietly. My storage prediction was a little high, but that’s fine. The 4 TB external HDD I bought can handle it for now, and when I finally get a NAS, I can move to a more formal backup process (for all my important data).

Meanwhile, there’s more to do.

? The problem with SSO

Big Tech online accounts, especially those offered by Google–meaning consumer “Gmail” accounts and commercial Workspace accounts–offer users a convenience nicety in the form of Sign in with Google. This service lets you sign in to a third-party (meaning, in this case, a non-Google) online account using your Google account. Doing so is seamless and easy, and it passes through whatever security and authentication methods you’ve established with that account.

In my case, I have passkeys associated with my primary Google accounts (one Workspace, one consumer/Gmail) stored in Proton Pass, the password manager (really, identity manager) that I use and strongly recommend. You can learn more about this in Password Management Basics (Premium), but passkeys are the most secure way to authenticate yourself online and they can also be the most convenient, depending on the implementation. In Google’s case, I see one of two interfaces when I have to authenticate with a Google account passkey stored in Proton Pass on my PCs. It either pops up right in the browser, which is preferable (it is immediate and seamless), or I have to scan a QR code with my phone, which takes a few seconds.

Google’s implementation of passkeys is one of the best out there, so what’s my problem? It’s secure, it’s seamless, and it just works. Why would I work to remove these connections?

My YouTube drama was an unwanted reminder that Big Tech could, at any time, prevent you from accessing your own data and, worse, lock you entirely out of a crucial online account. I’m doing other work to ensure that my most important data is replicated in multiple places to help mitigate some of that danger. But the Sign in with Google feature is a potential problem, too, and one that I suspect most people don’t think about. If you lose your Google account–my misadventure or some mistake on Google’s part–what happens to those connections? How can you sign in with Google if your Google account is compromised or taken away? Will you lose access to those third-party services too?

To find out, I experimented with some of the accounts I use with Sign in with Google, and I documented my early experiences with that in the post In Sign in with Google? (Premium). I can’t be sure of this, as sign-ins and authentication will vary by account. But I did try to manually sign in to my most important online accounts manually, bypassing Sign in with Google, and was able to get into each account, even for those for which I don’t believe I’d ever done so before. (That is, for many of these third-party accounts, I’ve only used Sign in with Google.) But after reviewing the feedback and scanning through the lists of connected accounts I have (in both primary Google accounts), I decided to make the change. I would remove almost all of the connected accounts in each.

? Manage the accounts connected to your Google account

You can see the list of third-party apps and services that are associated with your Google account on the Google Account website. When I started this process, I had 79 third-party accounts associated with my primary online identity, the Google Workspace account paul at thurrott.com. And another 15 associated with my consumer Gmail account, thurrott at gmail.com. This makes sense on some level: I naturally use the account that’s my name most often, it feels obvious. But Workspace also has weird limitations and differences when compared to a “normal” Gmail account that can be problematic but also are beyond the scope of this topic. So I’ll stay focused on that here.

Removing a connection between a third-party online account and a Google account is simple and obvious, once you find the Google Account website page linked to above.

Just select the account you wish to disconnect from the list, click “Delete all connections you have with [app/service/account name],” and confirm the decision.

OK, it’s a little tedious, too, if you have a lot of accounts. There’s no way to bulk-disconnect third-party online accounts, you have to do this one at a time.

But that may be for the best. In keeping with the lack of certainty noted above, it’s probably a good idea to make sure you can get into any of these accounts otherwise before disconnecting them from Google. This is especially important for accounts you use and rely on. As the canary in the coal mine here, I’ve manually signed in to each before removing the Google connection.

And that introduces another issue to consider.

? The problem with multiple online accounts

Security is a perfect storm of difficult and inconvenient, which is why so many people don’t lock their smartphones and otherwise live dangerously. I’ve tried to convince others to accept a bit of inconvenience to achieve a reasonable level of security, but this has proven elusive. We’re all pretty lazy when it comes down to it. And this is why passkeys are so important: They offer the best-possible security combined with convenience and, now, thanks to modern password managers and a new standardization effort at FIDO, they’re portable too.

But the problems with passkeys are real, unfortunately. As noted, implementations differ, and some are better–more seamless or convenient–than others. Many online accounts don’t support passkeys. And there’s no formal way to learn when any online account is updated to support passkeys (or some other improved form of authentication). Our online accounts are in a regular state of flux when it comes to security and authentication. We’re just trying to live our lives here. If you could get paid for doing it, managing online accounts would be a full-time job.

This is why SSO solutions like Google are so compelling. You don’t need to think about or stay up to date on multiple online accounts and whatever security and authentication choices they offer. You just use a single online account, typically a Google account, and its mostly consistent sign-in and authentication experiences. The allure is obvious. And this is clearly more secure and convenient than not doing so.

Unless you lose that account. Which, granted, is likely a small risk. But tell that to someone who has been locked out of an important online account. And using Sign in with Google doesn’t actually make those connected third-party online accounts any more secure. They’re still at the mercy of whatever security and authentication choices they offer. They could still be compromised by hackers. There’s no simple answer here.

The choice I’ve made is to remove (almost) all the online accounts that are connected with my Google accounts. But even if you’re OK keeping those connections, it’s your responsibility to make sure that your other online accounts (what Google calls third-party online accounts) are as secure as possible. And “as secure as possible” means authenticating via a hardware security key (which no one mainstream will ever do), a passkey, or an authenticator app like Google Authenticator or Microsoft Authenticator, in that order. That is, if the account offers it, you should set up one (or more) of those forms of account authentication.

There are more issues.

Most obviously, some accounts don’t even offer these as choices. They will fall back on an email verification, which is mostly OK, assuming that account is properly secured and accessed regularly, or a text message (SMS) authentication, which security experts will tell you is completely insecure and easily spoofed. (Coincidentally, there was a news story today that Google may be removing SMS authentication from its Google accounts.)

Less obviously, accounts change. An online account that previously only offered text message verification might one day be updated to support an authenticator app (good) or a passkey (great). You may or may not get an email or alert about that change, with the likelihood of you finding out depending on an email service’s spam filter or perhaps the frequency with which you use the account. Here, your best bet is a password manager that proactively alerts you when any of the accounts it’s storing has updated its security and authentication methods. For example, the Pass Monitor feature in Proton Pass tells me which of the online accounts I use can be made more secure with some form of 2FA (two-factor authentication), meaning an authenticator app or passkey.

I know. Sometimes it feels too daunting. But a review of these accounts, improving each with some form of 2FA as you go, will be time-consuming the first time. But it will get easier over time. And if you review these account from time-to-time, you will have fewer improvements to make in the future. The alternative–a compromised online account, and the resulting damage–is much worse.

Anyway. I rifled through the connections in my Gmail account pretty quickly, but I’m not done doing this work with my Workspace account. I review the security and authentication options at each service to ensure I have the best possible options configured for each. (For me, that’s passkeys, authenticator app, and email-based, in that order, with multiple options for each when possible.) And then I keep going. I do this in batches, often skipping days at a time because I’m busy with whatever else. I hope to finish this work soon.

That said, it’s never really done, right?

? It’s not just Google

Sign in with Google is, in my experience, by far the most common SSO option found online. But Amazon, Apple, Facebook, and Microsoft also offer this functionality. And though they’re much less common, if you’ve succumbed to the temptation, you should review those accounts as well.

They are, with some quick notes about my own exposure with each.

Login with Amazon. I had 10 “active apps and websites” linked to my Amazon account, one of which was 10 years old (!). Some were Amazon-related (Goodreads, Woot!) Some were Sonos-related services connections. Some were tied to Amazon Prime Video and whatever platforms. Movies Anywhere was in there. But in the end, I only removed one, for a service called Oxygen Cloud/odrive that was unfamiliar to me. (Note that there is no confirmation step here, when you click “Remove,” that service is instantly removed.)

• Learn more

• Manage Login with Amazon

Sign in with Apple. I have 5 apps and websites associated with this, but they’re all entertainment-related, apps or games I might access on an Apple TV or other device. So I left this alone.

• Learn more
• Manage Sign in with Apple > Sign in with Apple

Facebook Login. Maybe this is my bias showing, but I can’t think of a dumber online service to use than Facebook Login. I use Facebook and related services like Instagram and WhatsApp almost because I have to. But I would never use my Facebook account to sign in anywhere else. It’s convoluted enough for the company’s first-party apps. And then I looked. I had 36 (!) accounts associated with my Facebook account. Granted, many were Facebook sign-ins to Microsoft services like Xbox or Skype. But most were also out-of-date/obsolete services that no longer exist, too. I could have killed all of them, dead, one by one. But I instead just disabled the ability to even use this feature with my account, which may be the one thing I’ve liked about Facebook in the past decade. So I did it all in just one step.

• Manage Facebook Login

Login with Microsoft. I wrote about how to properly secure your Microsoft account a bit over a year ago and added a chapter about this topic to the Windows 11 Field Guide. And though we offers user of this website the option of signing in with a Microsoft account, it’s pretty rare to see this online anywhere for whatever reasons. I use my MSA pretty extensively with Microsoft apps and services, of course, and that muddles things nicely: Most of the services connected to this account are legit. But I found several older connections for services I don’t recognize (MultCloud, Extensions for OneDrive, etc.) and a few that I know are obsolete (HK Invoke, the one-off Cortana smart speaker), so I killed them. (Slowly. The Microsoft account website isn’t great in this area.)

• Manage app access to your Microsoft account

More soon.