48.4. Strategies Generally with Passport

On the Passport page they write "Passport uses what are termed strategies to authenticate requests. Strategies range from"

Strategies must be configured before they can be used in Passport.

In the following we shall look at delegated authentication and federated authentication, using the examples from the list above. Before we do that, a word of caution. The local strategy we have seen already is a trust relationship between the user and you, the developer standing in for the owner of the site you are working on.

The other strategies all involve a third party. This means that when your user logs in, that information is not only shared with you, the site; it is also shared with somebody else, the third party. It becomes more than the trust between you and your user; it becomes a question of whether the user trusts whatever third party is involved.

In all fairness, this means that you should probably not force the user into one of those other strategies. Give her/him the choice of a regular login, so that no third party learns how often she/he logs into your website.

Single Sign On, SSO, is a concept overlapping the authentication strategies discussed in this chapter. From one point of view SSO is user friendly and convenient. From the opposite point of view it is a SPOF, a single point of failure. If the user forgets his password, he forgets it for all applications, and if the password is compromised, the attacker gets access to all of the user's applications. Think before you act.

48.4.1. OpenID Means …

OpenID opened, you could say, the domain of techniques for third-party sign-on. Reading the article https://en.wikipedia.org/wiki/OpenID we learn about the ideas, and it ends by directing us to https://en.wikipedia.org/wiki/OpenID_Connect as what we could call an up-to-date implementation of the standard, adding a layer on top of OAuth2. Seen through the eyes of Passport, let's call it a strategy.

No matter which variety of OpenID, OAuth, or whatever else you decide to build into your application, using it means that you must register your application with an OpenID provider. This entails opening up some kind of external, third-party interaction between you and your user. This is said without any prejudice, just as a matter of fact.