Phishing perpetrators use single sign-on to ensnare victims.
Some domain thieves try to break into the owner's registrar account. Often, getting into the domain owner's email account is their first step. Once inside the email account, they can not only reset registrar passwords but also make sure the victim never sees the account change and transfer notices that accompany the theft.
That is why a phishing campaign that targets single sign-on is so scary.
Sucuri (which is owned by GoDaddy) explains how phishers are impersonating popular sites but, instead of harvesting credentials for the sites they impersonate, they are trying to capture email credentials by presenting single sign-on options.
Single sign-on is a popular way to sign into many services. Instead of remembering a username and password, you can just log in to a social media account or your Google account to validate your identity with the site.
This could be a devastatingly effective approach to steal domains: send someone to a fake registrar page and get them to enter their Google or Microsoft account credentials.
Currently, few domain name registrars offer single sign-on. GoDaddy does, but it limits it to Facebook and Amazon (see picture).
But the phishers don’t need a registrar to offer single sign-on in order for this campaign to work. As the Sucuri post notes, they can pretend to be a registrar and say that they now support single sign-on.
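As an added defender-side illustration (not code from the article, Sucuri or GoDaddy), the Python script below reads a login page's HTML and reports every "Sign in with ..." link whose target host is not the named provider's real login host; the short allowlist of provider hosts and the sample page are constructed assumptions.

```python
"""Do the SSO buttons on a login page point at the identity provider they
claim to be?  Added illustration; the allowlist and sample HTML are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: an illustrative, deliberately short allowlist of hosts a
# genuine "Sign in with <provider>" button may send the browser to.
KNOWN_IDP_HOSTS = {
    "google": {"accounts.google.com"},
    "microsoft": {"login.microsoftonline.com", "login.live.com"},
    "facebook": {"www.facebook.com", "facebook.com"},
}

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element on the page."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:          # text inside the current <a>
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None

def suspicious_sso_links(html):
    """Return [(provider, href)] for each SSO-style link whose host is not
    one of that provider's known login hosts.  Relative links are reported
    too: the check cannot see where the site's own redirect ends up."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        match = re.search(r"(?:sign|log)\s*in\s+with\s+(\w+)", text, re.I)
        if not match:
            continue
        provider = match.group(1).lower()
        host = urlsplit(href).hostname or ""
        # Exact host match only: a lookalike such as accounts-google.example fails.
        if provider in KNOWN_IDP_HOSTS and host not in KNOWN_IDP_HOSTS[provider]:
            flagged.append((provider, href))
    return flagged

SAMPLE_PAGE = """<html><body>
<a href="https://accounts.google.com/o/oauth2/v2/auth?client_id=x">Sign in with Google</a>
<a href="https://accounts-google.example/login">Sign in with Google</a>
<a href="https://login.microsoftonline.com/common/oauth2/v2.0/authorize">Log in with Microsoft</a>
</body></html>"""
```

Running `suspicious_sso_links(SAMPLE_PAGE)` reports only the second link, the one whose "Google" button leaves for a lookalike host.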
My advice is to not use single sign-on. Instead, create unique passwords and use a local password manager to sign into websites.