The SSO tax is a security ransom, and it’s time to call it out!

Single Sign-On is a win for both SaaS providers and their customers. The customer gains immediate control over who can access the solution, can enforce stronger controls such as requiring company-managed hardware, and avoids password reuse across services. The provider gets the benefit of offloading credential protection to the customer – making their solution just that much more secure.

Paywalling SSO is one of the most cynical practices in modern SaaS offerings. Vendors hold basic security hostage behind enterprise pricing tiers that sometimes cost as much as 7,800% more than base plans. This isn’t just bad business; it’s a fundamental breach of trust that undermines the security of the entire internet. While some forward-thinking companies recognize SSO as essential infrastructure, too many continue treating it as a luxury feature, forcing organizations to choose between security and solvency.

The evidence is damning: 80% of data breaches involve compromised credentials, employees waste 10.9 hours annually managing passwords, and IT departments spend 30-50% of their time on password resets. Yet despite these well-documented risks and costs, major vendors continue charging thousands of dollars extra for the very feature that would solve these problems. This practice has become so egregious that it now has its own name—the SSO tax—and its own Wall of Shame documenting the worst offenders.

The credential catastrophe we’re enabling

When organizations can’t afford SSO, they’re forced into dangerous compromises that create cascading vulnerabilities across their entire security posture. Academic research from USENIX Security Symposium 2023 found that 32% of accounts matched to university email addresses in data breaches were successfully compromised through credential-guessing attacks. SpyCloud observed a staggering 70% password reuse rate among users exposed in breaches, while Cloudflare reports that 52% of all authentication requests contain passwords already leaked in previous breaches.

These aren’t abstract statistics—they represent real security failures with devastating consequences. Tesla’s 2023 internal data leak, where two former employees accessed and shared 23,000+ internal documents containing employee and customer data, could have been prevented with proper SSO-based access revocation. The Cash App Investing breach of 2022 occurred because a terminated employee retained system access—a problem that centralized identity management would have immediately solved.

Facebook’s former CSO Alex Stamos doesn’t mince words about the severity: “The biggest security risk to individuals is the reuse of passwords… Even when you look at the advanced attacks that get a lot of thought in the security industry, these usually start with phishing or reused passwords.” Yet vendors continue to price the solution out of reach for the organizations that need it most.

Research shows nearly 90% of former employees maintain access to sensitive corporate systems after departure, with 48% of organizations acknowledging this massive security gap. The Pagosa Springs Medical Center learned this lesson expensively, facing a $111,400 HIPAA fine when a former employee retained remote access to systems containing protected health information for 557 patients—all because they lacked centralized access management.

Compliance becomes impossible without centralized access

For regulated industries, SSO paywalling creates an impossible situation. HIPAA explicitly requires “procedures for terminating access to electronic protected health information when employment ends”—something that’s functionally impossible across dozens of disparately managed SaaS applications. GDPR’s 72-hour breach notification requirement becomes a joke when you can’t even inventory which systems were potentially compromised. SOC 2’s trust services criteria demand comprehensive access controls that fragmented authentication makes unachievable.

The operational burden is equally crushing. Forrester Research found each password reset costs approximately $70, with large enterprises spending over $5.2 million annually on password-related issues. Vivint Solar cut password reset requests by 95% and saved over $500,000 simply by implementing SSO—yet vendors want to charge them multiples of that savings just to access the feature.

The Wall of Shame’s most egregious examples

The SSO Wall of Shame (sso.tax) has meticulously documented over 100 vendors treating security as a profit center, but some examples stand out for their sheer audacity:

HubSpot takes the crown with a mind-boggling 7,828% price increase from $46 to $3,647 per month just to add SSO. This isn’t a typo—they literally charge nearly 80 times more for the “privilege” of basic security. After sustained community backlash and earning the “#1 spot on the SSO Wall of Shame,” they partially relented in 2024, but the damage to their reputation remains.

GitHub demands a 425% increase ($4 to $21 per user/month) to access SAML SSO, despite being owned by Microsoft—a company that provides SSO free through Azure AD for many other services. Docker wants 167% more ($9 to $24), Figma requires 275% more ($12 to $45), and Notion charges 50% more just for basic security features that cost them virtually nothing to provide.

Perhaps most insulting are the companies with minimum user requirements: OpenAI requires a 150-user minimum for ChatGPT Enterprise with SSO, while Coursera demands 125 users. These arbitrary thresholds explicitly exclude smaller organizations from security features, creating a two-tier system where only large enterprises can afford protection.

The enterprise pricing scam exposed

Here’s what makes this practice particularly galling: vendors themselves admit SSO costs them almost nothing. Ben Orenstein, CEO of Tuple, laid bare the industry’s dirty secret in a remarkably honest blog post: “If you’re a new SaaS founder and you want to maximize your revenue, I recommend you create an enterprise tier, put SSO in it, and charge 2-5x your normal pricing… SSO costs close to nothing after a little automation, so this price increase is all profit.”

This admission confirms what security professionals have long suspected—the SSO tax is pure profit extraction with no basis in actual costs. Richard Hartmann from Grafana argues this creates a “tragedy of the commons” where individual vendor greed undermines internet-wide security. Ed Contreras, CISO at Frost Bank, called it simply “an atrocity.”

The heroes offering SSO without ransom

While many vendors continue their exploitative practices, a growing cohort of companies recognizes that security should be a right, not a privilege. Tailscale made headlines in 2024 by completely reversing their SSO paywall, admitting “the SSO tax felt like a mistake” and declaring “security isn’t a luxury.” This wasn’t just PR—they made all OIDC-compliant SSO providers free across every plan.

WorkOS offers SSO free for up to 1 million monthly active users, explicitly positioning themselves against Auth0’s “customer-hostile and opaque pricing.” One customer testimonial captures the relief: “Cursor now completely runs on WorkOS… we’re not subject to Auth0’s customer-hostile and opaque pricing anymore.” Frontegg provides free SSO for up to 10 tenants, while Microsoft and Google include basic SSO in their productivity suites, recognizing it as fundamental infrastructure.

The open-source community deserves particular praise. Keycloak, backed by Red Hat, provides enterprise-grade SSO capabilities completely free, with organizations only paying for infrastructure. Snyk doesn’t even offer local authentication; you must use some form of federated authentication, such as SSO. FusionAuth, Supertokens, and Authentik offer robust alternatives that put commercial vendors to shame. These projects prove that SSO is a solved problem—the only barrier is vendor greed.

Competitive advantages of doing the right thing

Companies offering free SSO aren’t just doing the right thing—they’re winning in the market. Tuple’s Ben Orenstein reported that removing SSO charges forced genuine innovation: “Already, this decision has had a pleasant side-effect—it’s forced us to offer better benefits to entice customers into our enterprise tier: service level agreements, active user pricing, custom terms of service, tiered discounts, and better auditing and control.”

The business case is compelling. Kyle Poyar from OpenView notes that customers with SSO “tend to be stickier with better retention rates.” Organizations report faster enterprise sales cycles when SSO isn’t a negotiation point, reduced support burden from password issues, and improved customer trust. One startup founder noted: “People will get a little mad at you, but not much, because just about everyone does this”—but this dynamic is rapidly changing as customers vote with their wallets.

Growing pressure for change

The backlash against SSO paywalling has reached a tipping point. Beyond the SSO Wall of Shame, we’re seeing regulatory attention, investor pressure, and customer revolt. CISA’s “Secure by Design” whitepaper explicitly states: “Essential security features should be available as part of the basic service offering. Consumers should not need to pay premium pricing, hidden surcharges, or additional fees for basic security hygiene.”

A Grip Security survey of over 100 CISOs found that 80% of SaaS applications employees use remain outside corporate SSO portals, with “SSO licensing cost” as the primary reason. This isn’t just a minor inconvenience—it’s a systematic failure that leaves entire industries vulnerable. The comparison to automotive safety is apt: we don’t allow car manufacturers to charge extra for seatbelts or airbags because we recognize these as essential safety features. It’s time we applied the same logic to digital security.

The path forward is clear

The solution isn’t complicated. SSO is a solved technical problem with minimal ongoing costs. Vendors who continue paywalling it are making a conscious choice to prioritize profit over customer security. As Alexandre Sieira, CTO of Tenchi Security, demonstrates: “Having made the decision to use a leading CIAM solution instead of rolling our own authentication infrastructure, it was simple and inexpensive to extend SSO to all of our customers.”

Organizations must start treating SSO availability as a key vendor selection criterion. Reference the SSO Wall of Shame in procurement discussions. Negotiate aggressively for SSO inclusion. Most importantly, vote with your budgets—choose vendors who treat security as essential infrastructure, not a profit center.

Conclusion

The SSO tax represents everything wrong with modern SaaS pricing—artificial scarcity, profit extraction, and complete disregard for customer security. While vendors like HubSpot charge 7,800% premiums and GitHub demands 425% more for basic security, forward-thinking companies like Tailscale, WorkOS, and the open-source community prove that accessible SSO is both possible and profitable.

The evidence is overwhelming: SSO paywalling creates massive security vulnerabilities, drives shadow IT proliferation, makes compliance impossible, and costs organizations millions in operational overhead. With 80% of breaches involving compromised credentials and 90% of former employees retaining system access, the SSO tax isn’t just bad business—it’s a fundamental threat to digital security.

The tide is turning. Customer backlash, regulatory attention, and competitive pressure are forcing change. Companies that continue treating security as a luxury will find themselves on the wrong side of history—and increasingly, on the wrong side of their customers’ purchasing decisions. Security isn’t a premium feature; it’s a fundamental right. It’s time the industry started acting like it.
