
> As a small fish you may like SSO, want SSO, you may even think you need SSO, but you really can get by without just fine.

SSO is the only way to get 2FA working without the friction becoming prohibitive.

If SSO is a paid feature, only in some plans, you're selling an insecure product. You wouldn't make security patches exclusive to the enterprise plan, you shouldn't make 2FA/SSO exclusive either.

Computer systems security isn't binary. It's also not a human right. Or something anyone but a small minority cares about beyond the surface level.

Extra security is a feature of enterprise plans precisely because enterprises are forced to buy them by compliance requirements (a good chunk of which is just security theater and blame shifting); no one else cares, people buy stuff, things mostly do not go wrong - a market balance is achieved.

I can see why this isn't ideal or desirable, but security maximalism also has a nasty habit of killing all utility of products and disempowering end-users, so I'm very much in the camp of trading security over other concerns.


Re: security vs usability

That's precisely why SSO is so important. It's the only way to get people to use 2FA and strong passwords without compromising usability.
