Hacker News: EthanHeilman's favorites

Fair enough, I can see how this would be useful, but I have to admit I was hoping it would be the opposite: how to log into a web page with an SSH key.

I'm not really sure I like SSO and I'm not convinced we should expand this technology. I'm not a security person but most of my concerns aren't actually security either.

My big concern is how we centralize accounts. Not just data access, but like how EVERYTHING is tied to your email. Lose access? You're fucked. Worse, it's very very hard to get support. I'm sure everyone here is well aware of the many horror stories.

Personally I had a bit of a scare when I switched from Android to iPhone. My first iPhone needed to be replaced within 2 weeks and I hadn't gotten everything covered over and not all my 2FAs had transferred to the new phone. Several had to be reset because adding a new 2FA OTP voided the old ones. And since for some reason Bitwarden hadn't synced all my notes, I had to completely fall back on a few. Which made me glad I didn't force 2FA on all accounts (this is a big fail!!!)

Or even this week, Bitwarden failed on me to provide security keys to sites. The popup would appear but the site had already processed the rejection. Took a few restarts before it was fixed.

The problem I'm seeing here is if we become so dependent on single accounts then this creates a bigger problem than the illness we're trying to solve. While 90% of the time things are better, when things go wrong they go nuclear! That's worse!

Yeah, I know with SSO you don't have to use Google/Apple and you can be your own authority. But most people aren't going to do that. Hell, many sites don't even offer anything except Google and Apple! So really we're just setting up a ticking time bomb. It'll be fine for 99% of people 99% of the time, but for the other cases we're making things catastrophic. There's billions of people online so even 1% is a huge number.

Even worse, do we trust these companies will always be around? In your country? To give you proper notice? Do you think you'll even remember everything you need to change? These decisions can be made for you. Even Google accidentally deletes accounts.

So what I really want to see is a system that is more distributed, in the way that we have multiple secure entries. Most methods today are in the form of "add 2FA of their choosing and suggest turning off fallback", which is more secure but can fuck you over if it fails. So if we go SSO then this shouldn't replace keys, like the article suggests. Keys are a backup. There should be more too! But then you need to make people occasionally use them to make sure they have that backup. And yes, I understand the more doors there are the bigger the attack surface, but literally I'm just arguing to not put all our eggs in one basket.


A problem that people have pointed out in the past about cryptocurrency exchange arbitrage is counterparty risk: different prices on different exchanges may be taking into account the possibility that the exchange won't allow withdrawals, will delay the withdrawals, or doesn't have enough assets to satisfy all of its obligations. A large number of cryptocurrency exchanges have defaulted and/or restricted withdrawals in the past. So, an arbitrage strategy might appear very effective yet result in holding cryptocurrency or fiat currency on an exchange that won't allow it to be withdrawn or redeemed as expected.

This could happen because of fraud by the exchange, fraud against the exchange, hacking of the exchange, or regulatory risks where other financial intermediaries stop working with an exchange or regulators threaten to punish an exchange if it processes certain transactions.

Some people have suggested that because arbitrage opportunities are pursued aggressively, most price differences between cryptocurrencies and cryptocurrency exchanges that persist are probably mainly due to people taking account of counterparty risk. In that case you could still profit some of the time by betting that a risky exchange will remain solvent, but you might be taking a larger risk than you realize.

Another interpretation is that some apparent cryptocurrency arbitrage opportunities are really opportunities to earn a premium for helping people evade capital controls and other regulatory restrictions on moving money around. For example, there are lots of people in China who would be happy to pay you a premium if you'd accept a payment in China and make a corresponding payment in Canada. In that case you might feel like you're being a clever arbitrageur but you're largely receiving a payment for helping someone circumvent regulations¹.

(The implicit moral opprobrium that might be read there isn't intended, but I think it's interesting to consider how cryptocurrencies can sometimes make people feel very clever when they aren't, in fact, the cleverest ones in the situation!)

(¹ which isn't necessarily unreasonable to describe as arbitrage)


I'm suddenly having flashbacks to reading On the Impossibility of Supersized Machines [1]

[1] https://arxiv.org/pdf/1703.10987.pdf


