Comment by ryukoposting

4 months ago

Isn't the simplest solution here to not support SSO at all?

I get there's a convenience factor, but even more convenient is the password manager built into every modern browser and smartphone. If the client decides to use bad passwords, that will hurt them whether or not they're using SSO.

SSO is fine, but verify the email address that the SSO provider has given (unless the provider is authoritative for the email domain).
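The rule in that last line, as an added example (not the commenter's code): a small policy check that decides whether an email address asserted by an SSO provider may be used to link to an existing local account. The provider names, domains and the `ProviderPolicy` structure are assumptions for illustration.

```python
"""Decide whether an SSO-asserted email may link to an existing account."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProviderPolicy:
    # Domains for which this identity provider is the source of truth
    # (e.g. the corporate IdP for the company's own mail domain).
    authoritative_domains: frozenset = frozenset()
    # Whether to accept the provider's own email_verified claim as proof.
    # Default is strict: the app verifies the address itself.
    trust_email_verified_claim: bool = False


def email_domain(email):
    """Return the lower-cased domain part of an address, or None if malformed."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()


def may_link_by_email(provider, claims, policies):
    """Return (allowed, reason) for linking by the asserted email address.

    `provider` is the issuer name, `claims` the token claims (constructed
    dict for this example), `policies` a mapping provider -> ProviderPolicy.
    The stable account key should always be (issuer, sub); the email is only
    used here to find an existing local account to attach that identity to.
    """
    policy = policies.get(provider)
    if policy is None:
        return False, "unknown provider"
    email = claims.get("email")
    if not isinstance(email, str):
        return False, "no email claim"
    domain = email_domain(email)
    if domain is None:
        return False, "malformed email"
    if domain in policy.authoritative_domains:
        return True, "provider is authoritative for this domain"
    if policy.trust_email_verified_claim and claims.get("email_verified") is True:
        return True, "provider's email_verified claim accepted by policy"
    # Anything else: treat the address as unverified and confirm it
    # out-of-band (mail a link) before attaching the SSO identity.
    return False, "email unverified; confirm address before linking"
```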