Brand A has multiple, separate websites - these websites reference each other as part of the brand family, but do not have a shared single sign on system.
Instead, each website has their own login and account creation page - on which, there is the statement “you can use your account username and password to log into any of our brand family websites” with a link to a popup which shows those family websites logos.
So instead they seem to have a shared credentials database, accessible by any of the brands family if websites.
How is this considered secure? In what ways can Brand A ensure that the reuse of credentials does not open the user to a trust issue where the user is trained to a lower level of trust?
What I mean is single sign on systems have an element of “who can I trust with my credentials” and that is invariably the one url that the SSO site resides on - if the website sends you there, you know you’ve entered your credentials there before, its safe to do it again, plus your browser or password manager may fill the values there for you as the domain matches your historical use.
When you instead move from “trust this one website” to instead “enter your credentials anywhere that the asking website says you can”, isnt that setting up the user for easy phishing attempts? Browsers and password managers wont recognise the new website, but the user will have been trained for that brand that thats normal, so be more likely to enter their credentials into a hostile website?
