Slashdot Mirror


E-commerce Single Sign-On Not Dead Yet

FullyIonized writes "A few years ago Microsoft's Passport technology made headlines as Microsoft predicted e-commerce nirvana and conspiracists predicted a new Big Brother. Not to be outdone, Sun spearheaded the Liberty Alliance. Years later, I still don't have a single sign-on, not that that's a bad thing. Enter Andre Durand who started his first business with BBS software, then headed up Jabber, and now has started Ping Identity. The big distinction: the federated identity software is open-source. The Denver Post has the story."

200 comments

  1. single logon means.. by gl4ss · · Score: 4, Insightful

    ..single login to phish.

    'nuff said (that's enough, not snuff).

    --
    world was created 5 seconds before this post as it is.
    1. Re:single logon means.. by dgr100 · · Score: 0, Flamebait

      most users will have the same user/pass combination for most if not all their logins anyway.

      I don't see how this offers *any* less security.

    2. Re:single logon means.. by oexeo · · Score: 1

      > I don't see how this offers *any* less security.

      Because if I find out one of your unimportant accounts password, I can root your computer with it!

    3. Re:single logon means.. by Taladar · · Score: 2, Interesting

      Because you don't have the choice to decide yourself whether a given login is important enough to justify a different password.

    4. Re:single logon means.. by rf0 · · Score: 1

      The problem with all of this is that all the clients are human and quite simply we make mistakes. I can't think of a way to keep everything secure without humans screwing up somewhere causing it to all unravel

      Rus

    5. Re:single logon means.. by IO+ERROR · · Score: 5, Insightful
      single login to phish.

      And how many people use the same username and password everywhere already? There are so many websites out there, each wanting you to sign up, that it's impossible for any human to memorize hundreds of usernames and passwords. They all wind up being the same, or very close to the same. Or worse, they get written down on a piece of paper under the keyboard.

      --
      How am I supposed to fit a pithy, relevant quote into 120 characters?
    6. Re:single logon means.. by Anonymous Coward · · Score: 1, Interesting

      Or worse, they get written down on a piece of paper under the keyboard.

      There is nothing wrong with writing passwords down.

    7. Re:single logon means.. by mdfst13 · · Score: 4, Insightful

      "Because you don't have the choice to decide yourself wether a given login is important enough to justify a different password."

      Why not?

      Seriously, why not. It would be easy enough to add the ability to specify an extra password for certain accounts. If that's not in the various solutions that are currently available, that's a weakness in the *solutions*, not the concept. I couldn't find any information explaining if SAML or Ping's implementation included this capability or not. If they do not, then it should be added.

      Frankly, for most sites with passwords, I don't really need a password at all. For example, with /. I only need it to verify that my computer (and account) is doing the posting. Same thing for recommendations on Amazon (although more authentication is needed for purchases). That's why I currently allow those sites (and others) to store my login info in cookies.

    8. Re:single logon means.. by mdfst13 · · Score: 1

      "Because if I find out one of your unimportant accounts password, I can root your computer with it!"

      That's generally not how these things work. I have had single sign on capability with networks previously. While they let me log in to my desktop from multiple computers, they didn't include admin access to that box, just access to personal information.

      Any model that does allow this (e.g. this often occurs in Microsoft Active Directory networks) would be fundamentally broken. However, that is a problem with the implementation, not the concept.

    9. Re:single logon means.. by Anonymous Coward · · Score: 0, Offtopic

      First-grade teacher, Ms. Brooks, was having trouble with one of her students.

      The teacher asked, "Harry, what is your problem?"

      Harry answered, "I'm too smart for the 1st grade. My sister is in the 3rd grade and I'm smarter than she is! I think I should be in the 3rd grade too!"

      Ms. Brooks had had enough. She took Harry to the Principal's office. While Harry waited in the outer office, the teacher explained to the Principal what the situation was. The Principal told Ms. Brooks he would give the boy a test and if he failed to answer any of his questions he was to go back to the 1st grade and behave.

      She agreed. Harry was brought in and the conditions were explained to him and he agreed to take the test.

      Principal: "What is 3 x 3?"
      Harry: "9"

      Principal: "What is 6 x 6?"
      Harry: "36"

      And so it went with every question the Principal thought a 3rd grader should know. The principal looks at Ms. Brooks and tells her, "I think Harry can go to the 3rd grade."

      Ms. Brooks says to the principal, "Let me ask him some questions."

      The Principal and Harry both agreed.

      Ms. Brooks asks, "What does a cow have four of that I have only two of?"

      Harry, after a moment: "Legs."

      Ms. Brooks: "What do you have in your pants that I do not have in mine?"

      The principal wondered, why does she ask such a question?

      Harry replied: "Pockets."

      Ms. Brooks: "What does a dog do that a man steps into?"

      Harry: "Pants"

      Ms. Brooks: "What starts with a C and ends with a T, is hairy, oval, delicious and contains thin whitish liquid?"

      Harry: "Coconut"

      Ms. Brooks: What goes in hard and pink then comes out soft and sticky?

      The Principal's eyes open really wide and before he could stop the answer.

      Harry: "Bubble gum"

      Ms. Brooks: "What does a man do standing up, a woman do sitting down and a dog do on three legs?"

      The Principal's eyes open really wide and before he could stop the answer.

      Harry: "Shake hands"

      Ms. Brooks: "What word starts with an 'F' and ends in 'K' that means a lot of heat and excitement?"

      Harry: "Firetruck"

      The principal breathed a sigh of relief and told the teacher, "Put Harry in the fifth-grade, I got the last seven questions wrong."

    10. Re:single logon means.. by doofusclam · · Score: 1

      Not if it was linked to a securid keyfob or similar.

      In fact i'd pay money to buy one of these, then maybe 10 UKP a year subscription to have them build the infrastructure to support it, assuming that they made it cheap and easy for other companies to hook into it.

    11. Re:single logon means.. by oexeo · · Score: 1

      I was talking about users using the same password on multiple accounts, in response to parent; "most users will have the same user/pass combination for most if not all their logins anyway." I think you misunderstood.

    12. Re:single logon means.. by ArsenneLupin · · Score: 3, Interesting
      And how many people use the same username and password everywhere already? There are so many websites out there, each wanting you to sign up,

      Solution: classes of passwords.

      • The stuff that you really care about (your bank account, your login at your computer at home, ...) all gets different passwords
      • The stuff that you care a little bit less about (bug reporting sites for various software, Slashdot, wikipedia, etc.) share a password. Note: when vandalizing wikipedia, you should use different passwords for your different trolling accounts, because they can (and do...) correlate various trolls by their passwords. So you just use login concatenated with your_common_password.
      • The stuff that you care even less about (NYT, other online papers, ...) share another password
      • That stuff that you care still less about (password at work, ...) yet another one
      Stuff of same "security level" shares same password, so things stay manageable, while still keeping reasonable security.
    13. Re:single logon means.. by oexeo · · Score: 1

      > There is nothing wrong with writing passwords down.

      I really hope you're not a network admin, because if you are, then your users are screwed

    14. Re:single logon means.. by Anonymous Coward · · Score: 0

      Not really, depends on what the passes are written on and how they're kept.

      How exactly do you think large colocation companies keep track of passwords of all their servers. You think they're all stored to memory? What happens when that person leaves the company.

    15. Re:single logon means.. by RKBA · · Score: 1
      "...it's impossible for any human to memorize hundreds of usernames and passwords"

      That's why I use Password Safe.

    16. Re:single logon means.. by AllUsernamesAreGone · · Score: 1

      They're stored in protected databases.

      If I found a colo company writing a password down, I'd never touch them with a 100 foot cat5 lead.

    17. Re:single logon means.. by mdfst13 · · Score: 2

      "I think you misunderstood."

      I think most people would read it as I did, considering that you quoted "How is this less security" in your post rather than "most users will have the same user/pass combination for most if not all their logins." Something like 'I think SSO is actually more secure, because...' might have clarified your post (or I may still be missing your point). Further, the same objection applies.

      If someone uses the same password for admin on their box as they do on throwaway sites (NY Times, etc.), then they are using that password policy badly. However, it is quite reasonable to use the same password to log in to both the NY Times and the Washington Post.

      Btw, you might want to go back and reread the post to which you replied. Rereading your responses, you seem to be assuming that "this" (from the first quote) is sharing passwords for multiple logins rather than single sign on. I'm fairly certain that the original poster meant "this" to mean single sign on. I.e. how is single sign on less secure than sharing passwords across multiple sites.

    18. Re:single logon means.. by Bishop · · Score: 1

      I can guarantee that any password I write down on paper is far more secure than passwords in a "protected database." I would go so far to say that a company is negligent if it does not store a copy of critical passwords in an unencrypted form such as on paper or a simple file stored on removable media. Ideally one copy should be off site. Of course the passwords must be physically secure. (Depending on where you work that may be in plain view on a desk.)

    19. Re:single logon means.. by oexeo · · Score: 1

      > I think most people would read it as I did

      Granted.

    20. Re:single logon means.. by rmezzari · · Score: 2, Funny

      "it's impossible for any human to memorize hundreds of usernames and passwords"

      Well, there is this nice software named "Gator eWallet" from the folks at Gator who helps you keep your passwords... Try it out! http://www.gator.com/home2.html

      --
      "Emancipate yourself from mental slavery, none but ourselves can free our minds !"
    21. Re:single logon means.. by Cro+Magnon · · Score: 1

      I only bother with two classes. Slashdot, K5, and my various work accounts are variations of a "standard" password. My financial accounts use entirely different and more secure passwords.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    22. Re:single logon means.. by Anonymous Coward · · Score: 1, Insightful

      Which do you think is more secure:

      A piece of paper sitting on a desk with plain text password written on it.

      Or on the same desk a USB memory key with an encrypted database of passwords.

      Same physical security - but the USB memory key has the added advantage of encryption.

    23. Re:single logon means.. by fuzzybunny · · Score: 1

      There's a difference between single sign-on (a fundamentally flawed concept) and having a single set of credentials. In the latter case, the user may be required to enter, say, a PIN code multiple times for multiple applications.

      If you combine this with some sensible physical medium, like a biometric identifier or a hardware token (smart card, etc.) you're not going to be worried about loss of confidentiality as much as if you have a single stupid service that just lets you authenticate to everything in one blast.

      The concept of having users enter the same password, when (a) that password is reasonably secure, (b) the means used to transmit the authentication is reasonably secure, and (c) the whole thing is combined with some factor that makes it impractical to replay an authentication sequence means you're not going to be subject to phishing/fraud.

      --
      Cole's Law: Thinly sliced cabbage
    24. Re:single logon means.. by Anonymous Coward · · Score: 3, Insightful

      If you're talking about putting the passwords on a networked device vs writing it/printing it on paper for security then the latter is more secure.

      The risks from the latter are known, can be evaluated and can be stopped. They pretty much boil down to stopping anyone else seeing the paper before you destroy it and trusting your staff. The risks from the former are unknown, how many holes are there in your network & software.

      I'm not sure what you mean by "protected database". They can't use one-way encryption on the passwords because they wouldn't be able to get them back out of the database. Even with key encryption you're then back to how safe the physical storage of the keys is which is the same issue as writing down the password ...only now you've added a lot more software (hence risk) into the equation.

    25. Re:single logon means.. by Anonymous Coward · · Score: 0
      The average /. reader is an idiot. Half of /. readers are below average. Are you scared yet?

      I know this is meant to be "funny" but I thought I'd point out that of course you have no idea about the "average /. reader". All you know about are the writers. ;-)

    26. Re:single logon means.. by Bishop · · Score: 2, Insightful

      The USB memory stick also has the disadvantage of encryption: You need a password to access the passwords. There is also the risk of file corruption. The purpose of the passwords on paper or in a simple text file is for worst case recovery (admin dies, or immediate access is required). Paper is often best as computer media is more prone to corruption. The physical security of the passwords is paramount. Total security is an impossible goal, instead one must manage the risks. (Managing risk is a cliche, but it is true.) Adding encryption increases some risks. Improving physical security usually does not increase the risk, but may be prohibitively expensive.

      My glib example of leaving the passwords on a desk as sufficient security is a rare case. For most organizations a safe in the server room is probably sufficient. If an attacker has access to the safe, then the attacker could just as easily install keyloggers on all the servers.

    27. Re:single logon means.. by Justin205 · · Score: 1

      Or they get stored in one's Palm/Zaurus/PocketPC/Organizer/Computer in an encrypted file...

      --
      "Your effort to remain what you are is what limits you."
    28. Re:single logon means.. by kevinbr · · Score: 1

      SAML covers authentication AND authorization. A site may ask for extra authentication before granting authorization, i.e. a second password or a smart card.

    29. Re:single logon means.. by Queer+Boy · · Score: 1
      it's impossible for any human to memorize hundreds of usernames and passwords

      A Secure Keychain
      To make it easy to manage the daunting number of passwords and permissions intrinsic to network computing, Mac OS X includes a Keychain. The Keychain stores all your information to log onto file servers, ftp servers and Web servers and to use encrypted disk images. Mac OS X automatically adds your .Mac account information to your Keychain. When you log in to Mac OS X, the system opens your Keychain. You don't have to enter your user name and passwords to access this data. You can set Mac OS X to lock your Keychain when the system sleeps or is inactive for a time. The system will ask you for your password the next time you try to access secure data. Other users on the system cannot access your Keychain or its data.

      --
      Not since Marie-Antoinette played milkmaid has looking simple and honest been so fake and complicated.
    30. Re:single logon means.. by arminw · · Score: 1

      ...That's why I use Password Safe [sourceforge.net]....

      Macs under OSX have a thing called keychain which is an encrypted repository for passwords. Normally it uses the account log-in password to unlock, but it can be secured with a separate password. For many sites, the user gets prompted whether he/she wants to save the password they just created on some site to the keychain. After that, if the keychain is unlocked, the password is supplied automatically if the site is visited again.

      --
      All theory is gray
    31. Re:single logon means.. by RetroGeek · · Score: 1

      A single piece of paper in an envelope, sealed, in a floor safe.

      --

      - - - - - - - - - - -
      I am a programmer. I am paid to produce syntax not grammar. Deal with it.
  2. Has to be said by Anonymous Coward · · Score: 0

    We welcome our new overlords.

    1. Re:Has to be said by Erbo · · Score: 1

      Hey, if Andre's going to be our new overlord, I'm down with that. :-)

      --
      Be who you are...and be it in style!
  3. What's wrong with... by lawpoop · · Score: 5, Interesting
    PGP for online transactions? Heck, even stupid stuff like bulletin boards and slashdot. I'm sick of having to make up new user ids and secure passwords for every freakin' site on the web. Why not just let everyone post PGP signed messages?

    Seriously, I'm not asking in jest. Is there a problem with the technology as it stands?

    --
    Computers are useless. They can only give you answers.
    -- Pablo Picasso
    1. Re:What's wrong with... by onion2k · · Score: 3, Insightful

      Seriously, I'm not asking in jest. Is there a problem with the technology as it stands?

      Yes. It'd be a pain in the arse for web developers.

      All these single sign-in systems are made (or broken) by the web developers who implement them in the sites they build. If there's an easy way to integrate the technology into your code quickly and cheaply then people will put it in. If it takes a week of reading docs and another week of coding then it's never going to get used by the people who'll be rolling it out onto the net.

    2. Re:What's wrong with... by otisaardvark · · Score: 4, Insightful
      These are just observations, and some of them are very overcomeable and possibly stupid.

      Security of private keys. This is not really different from security of any other 'passphrase' except it is local.

      Computation. Especially for bulletin boards - /. has a huge number of comments every day. To PGP-process each one would require much more expense on their side with no obvious benefits.

      Trusted key repositories. If something like this was to become huge then you would need central databases of everyone's public keys (far more scalable than current incarnations). This is tied in with:

      Identity management. There is nothing stopping you from having multiple public/private key combinations. (OK, there is nothing stopping you from having multiple /. accounts). But there are uses where you need uniqueness online. Yes, this is also a problem for any single sign-on scheme. Verification has privacy implications unless handled very carefully.

      Single point of failure. Regardless of how well tested the PGP encryption algorithms are, cryptanalysis will continue. Security should almost always have breadth to increase resilience. To be honest I would probably consider this to be an acceptable risk for non-critical uses.

      Training. In order to be useful a lot of people have to use PGP. The concept of a username/passphrase is far easier to digest than PGP-signing.

      There are probably many other obvious concerns. Note: it could easily become widespread, but I'm just saying that there are issues which need to be addressed.

    3. Re:What's wrong with... by Jakosa · · Score: 1

      To me it's simply part of the internet. I use the same two or three passwords on most webpages and let my Opera browser remember them for me. I am not sure if I want an encrypted signature on slashdot for example.

      For bank transactions, public data etc. we have in my country a state-financed digital signature, but it is still in its infancy and has had a lot of problems (The good thing about it is that it can be used with all OSes and all browsers, the bad thing is I have never got it to work). I don't know whether PGP is mature enough to really work, but for me it does not belong on slashdot.

    4. Re:What's wrong with... by Anonymous Coward · · Score: 0

      You can get an X.509 Client-side certificate from places like verisign etc. and use client-certificate authentication, which works in any of the major browsers and with any of the major web application platforms. Problem solved.

    5. Re:What's wrong with... by rf0 · · Score: 1

      Also remember most people are idiots and won't want to bother with all that. Most people just want things to work.

      rus

    6. Re:What's wrong with... by Anonymous Coward · · Score: 0

      Another reason why any single-sign-on system is bad.

    7. Re:What's wrong with... by vinthewrnech · · Score: 1

      see the article PGP Identity Management: Secure Authentication and Authorization over the Internet at http://www.pgp.com/resources/ctocorner/identitymgmt.html

    8. Re:What's wrong with... by dbacher · · Score: 1

      The best way to think about this is like credit cards.

      Would you want to give a copy of your credit card permanently to each store that you might ever want to shop at so that they could tell that it was you when you came back?

      With a certificate based solution such as PGP or SSL, you have to have a copy of the signing certificate on each device that you want to use to access a service. You must have a copy of the reading certificate on each service that you want to access.

      If any of those devices has a security compromise, etc. then you must go to each site that you would access and update the information.

      However, with the single sign on solution, one site has the information to verify that you are you, through whatever technology is available, using any mechanism available. You can access the protected sites from any device, anywhere.

      Instead of the sites getting all the information about you, all they get is a number. The organization providing single sign in can confirm you are really who you say you are.

      With single sign on, if your information becomes compromised, you know who to blame, and so that party will reasonably try to resolve disputes.

      If you look at it like a credit card, if your credit card becomes compromised, you call the bank and tell them, and then they stop accepting new charges. If you see a charge you don't agree with, you can call and investigate it and usually you can get it rolled back.

      This same thing would hold true for single sign on. If there's a problem, if you think people are using your single sign on, you have someone you can go to and complain to to get the problem resolved.

      From a website standpoint, it means that the website doesn't have to verify your e-mail address or anything else to give you access, all it needs to do is verify that you have a valid token. This means no more "you can't use this feature until you receive the e-mail that we sent you" and it means your e-mail address isn't propagated to hundreds of sites with privacy policies that could change at any time (and that could become sources of spam).

      --
      If your code is acting bloated, and is running rather slow, it's likely and predicted that some loops you will unroll.
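
    Editor's added example, not code from the article, from Ping Identity or from any commenter, and not SAML's wire format (SAML signs XML and has its own element names; the JSON field names, keys and site names below are this example's assumptions): the exchange dbacher describes, in which the relying site receives only an opaque number and a signed statement from the identity provider, combined with the two checks raised earlier in the thread. A per-assertion nonce means an observed authentication cannot be replayed (fuzzybunny's point (c)), and an authentication-level claim lets a site demand a stronger login before a purchase (mdfst13's "extra password for certain accounts", kevinbr's second password or smart card). The pairwise subject shows how the identity provider can hand each site a different number for the same person so sites cannot correlate users by it.

    ```go
    package main

    import (
    	"crypto/ed25519"
    	"crypto/rand"
    	"crypto/sha256"
    	"encoding/hex"
    	"encoding/json"
    	"errors"
    	"fmt"
    	"time"
    )

    // Assertion is the payload the identity provider (IdP) signs. Field names are this
    // example's own, loosely modelled on SAML/OIDC claims, not any standard's.
    type Assertion struct {
    	Issuer   string `json:"iss"`
    	Audience string `json:"aud"`   // exactly one relying party
    	Subject  string `json:"sub"`   // opaque, per-relying-party pseudonym
    	AuthLvl  int    `json:"acr"`   // 1 = password only, 2 = password plus hardware token
    	IssuedAt int64  `json:"iat"`
    	Expires  int64  `json:"exp"`
    	Nonce    string `json:"nonce"` // fresh per assertion; the relying party rejects repeats
    }

    var (
    	ErrBadSignature  = errors.New("assertion: signature does not verify")
    	ErrWrongAudience = errors.New("assertion: not addressed to this relying party")
    	ErrExpired       = errors.New("assertion: outside validity window")
    	ErrReplay        = errors.New("assertion: nonce already used")
    	ErrStepUp        = errors.New("assertion: stronger authentication required")
    )

    // PairwiseSubject gives the same user a different opaque identifier at each relying
    // party, so two sites cannot correlate a user by the value the IdP sends them.
    func PairwiseSubject(idpSecret []byte, user, audience string) string {
    	sum := sha256.Sum256([]byte(string(idpSecret) + "\x00" + user + "\x00" + audience))
    	return hex.EncodeToString(sum[:16])
    }

    // Issue adds a random nonce, serialises the assertion and signs it with the IdP key.
    func Issue(priv ed25519.PrivateKey, a Assertion) (body, sig []byte, err error) {
    	nonce := make([]byte, 16)
    	if _, err = rand.Read(nonce); err != nil {
    		return nil, nil, err
    	}
    	a.Nonce = hex.EncodeToString(nonce)
    	if body, err = json.Marshal(a); err != nil {
    		return nil, nil, err
    	}
    	return body, ed25519.Sign(priv, body), nil
    }

    // RelyingParty is a site that holds the IdP's public key and no user credentials at all.
    type RelyingParty struct {
    	Name   string
    	IdPKey ed25519.PublicKey
    	seen   map[string]bool // accepted nonces; a real deployment prunes them after exp
    }

    func NewRelyingParty(name string, key ed25519.PublicKey) *RelyingParty {
    	return &RelyingParty{Name: name, IdPKey: key, seen: map[string]bool{}}
    }

    // Verify checks signature, audience, validity window and replay, then requires at least
    // needLevel: a shop might pass 1 to show recommendations and 2 to accept an order.
    func (rp *RelyingParty) Verify(body, sig []byte, needLevel int) (Assertion, error) {
    	var a Assertion
    	if !ed25519.Verify(rp.IdPKey, body, sig) {
    		return a, ErrBadSignature // verify before parsing untrusted input
    	}
    	if err := json.Unmarshal(body, &a); err != nil {
    		return a, err
    	}
    	if a.Audience != rp.Name {
    		return a, ErrWrongAudience // an assertion minted for another site is worthless here
    	}
    	now := time.Now().Unix()
    	if now >= a.Expires || a.IssuedAt > now+60 { // 60 s of tolerated clock skew
    		return a, ErrExpired
    	}
    	if rp.seen[a.Nonce] {
    		return a, ErrReplay
    	}
    	if a.AuthLvl < needLevel {
    		return a, ErrStepUp // nonce not consumed: the user goes back to the IdP for a stronger login
    	}
    	rp.seen[a.Nonce] = true
    	return a, nil
    }

    func main() {
    	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
    	shop := NewRelyingParty("shop.example", pub)
    	now := time.Now().Unix()
    	body, sig, _ := Issue(priv, Assertion{Issuer: "idp.example", Audience: "shop.example", AuthLvl: 1,
    		Subject: PairwiseSubject([]byte("idp secret (constructed)"), "alice", "shop.example"), IssuedAt: now, Expires: now + 300})
    	for _, need := range []int{2, 1, 1} { // an order needs level 2; browsing twice shows the replay refusal
    		_, err := shop.Verify(body, sig, need)
    		fmt.Printf("need level %d: %v\n", need, err)
    	}
    }
    ```

    The order of checks is the point: the signature is verified before the JSON is parsed, the audience is checked before anything in the assertion is believed about the user, and a step-up refusal leaves the nonce unused so the same password-only assertion can still be used for browsing while the user fetches a stronger one.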
    9. Re:What's wrong with... by Anonymous Coward · · Score: 0
      Personally, I'm waiting for a more personal security feature to come with computers


      Perhaps, M$ or 3M will come out with the retinal scanner, fingerprint identifier, voice recognition, finger pricking DNA extractor login feature.

    10. Re:What's wrong with... by Anonymous Coward · · Score: 0

      It wouldn't be a pain in the ass, it is a pain in the ass. Right now, the technology is sufficiently immature that implementing it requires reading tons of spec--fair enough. But that's true of any technology, early on. It's not like people are still manually inserting all their HTTP headers into CGI scripts anymore; we've got stuff like PHP that automates that and more complicated tasks for us. Similarly, a single login system, once sufficiently popular, would just be a matter of including some module that would take care of it automagically for you, just like most Web scripting languages can automagically handle sessions for you, without having to maintain your own database update, timeout, and cookie/no cookie fallback code. Authentication is already complicated enough, I should think a Single Way To Do It would only improve things.

    11. Re:What's wrong with... by Anonymous Coward · · Score: 2, Insightful
      I think that I can answer some of your concerns:

      Security of private keys. This is not really different from security of any other 'passphrase' except it is local.

      The distinction is extremely important, because having a local mechanism means that the key owner is autonomously in control of its security, rather than being architecturally obliged to defer security to some third party. If you want to lock the key inside some other security mechanism, such as a biometric token for example, that decision is transparent to the architecture.

      Computation. Especially for bulletin boards - /. has a huge number of comments every day. To PGP-process each one would require much more expense on their side with no obvious benefits.

      Not all applications require highly assured identity. You've just given a good example of where the cost/benefit tradeoff goes one way. There are many examples, such as banking or voting, where the tradeoff would go the other way.

      It should be noted that secure identity and anonymity are not mutually exclusive, by the way. You simply need to establish an authority whose policy is to issue anonymous identities. Applications can then decide whether to accept that particular authority.

      Trusted key repositories. If something like this was to become huge then you would need central databases of everyone's public keys (far more scalable than current incarnations).

      Scalability and deployment are indeed limiting factors, though less so as computation and network performance continues to improve exponentially. Also, the retooling of applications is far from trivial. In practice, it's the main limiting factor at the moment, and it's starting to get a lot of attention.

      But no identity infrastructure needs to be built globally when most of the value is relatively local. My own identity requirements, for example, span a limited geography and a limited range of interests. People are not the only sort of identity principals that will eventually emerge, but they are a useful place to start.

      All these are reasons to favor a federated identity model, because it lets us begin with small and useful implementations and scale up as required. Yes, in a sense we're avoiding the problem, and I think we need to acknowledge that and plan for it. But there are more immediate problems which should keep us busy enough for now.

      Identity management. There is nothing stopping you from having multiple public/private key combinations. (OK, there is nothing stopping you from having multiple /. accounts). But there are uses where you need uniqueness online. Yes, this is also a problem for any single sign-on scheme. Verification has privacy implications unless handled very carefully.

      There is no requirement for any individual to be limited to a single identity. Some identity models recognize this explicitly. Likewise, there is nothing to prevent you reserving an identity for some specific domain, such as legal use.

      Single point of failure. Regardless of how well tested the PGP encryption algorithms are, cryptanalysis will continue. Security should almost always have breadth to increase resilience. To be honest I would probably consider this to be an acceptable risk for non-critical uses.

      This is why cryptographic systems such as X.509 and PGP offer a selection of algorithms, and in general why modularity and peer review are especially important in these systems. But these comments also hold for much of our technological infrastructure. The DNS has a small number of root servers, for example. All these vulnerabilities merit attention, of course, but again we are usually willing to submit them to some kind of cost/benefit analysis.

      Training. In order to be useful a lot of people have to use PGP. The conc

  4. Ping Identity Made Simple by amigoro · · Score: 2, Informative
    --


    Nothing to see here
    1. Re:Ping Identity Made Simple by Anonymous Coward · · Score: 0

      Ping Identity made simple.

      Moderate this comment
      Negative: Offtopic Flamebait Troll Redundant
      Positive: Insightful Interesting Informative Funny

      I vote (D) Redundant, since that picture is in TFA!
      whore.

    2. Re:Ping Identity Made Simple by Twylite · · Score: 1

      Check out the i-Name initiative at Identity Commons. It's standards-backed by XDI.

      --
      i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
  5. About time too by samael · · Score: 4, Insightful

    There's no way I can keep track of the 200-odd different passwords I have - so they all end up being simple variants of the same one. Federated single sign on would be a boon - if it was handled correctly.

    1. Re:About time too by oexeo · · Score: 5, Funny

      > There's no way I can keep track of the 200-odd different passwords I have

      Don't worry, I keep track of all your passwords for you

    2. Re:About time too by Errtu76 · · Score: 2, Interesting

      May I suggest you take a look at KeePass. Store all your passwords in a single database that you can access with either one master password, or combined with a key disk that you have to insert first.

    3. Re:About time too by xstonedogx · · Score: 2, Interesting

      There's also YaPS for Palm OS.

    4. Re:About time too by gilesjuk · · Score: 2, Insightful

      Some OSes/browsers come with a tool to keep hold on them. I'd sooner have that info on my computer than have a single login to all manner of sites.

    5. Re:About time too by arose · · Score: 1

      There is software that can do it for you. I'd rather track my passwords locally than have corporations "sharing" my data.

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    6. Re:About time too by samael · · Score: 1

      And when I used 6 different computers on a regular basis?

    7. Re:About time too by russint · · Score: 1

      There is also GPass for Gnome and PwManager for KDE

      --
      ^^
    8. Re:About time too by Sentry21 · · Score: 1

      I have a few basic passwords I use for most services - from 'basic' to 'advanced' - and I change them all around occasionally.

      The problem I have is websites with stupid restrictions - e.g. 'your password must be between 6-8 characters' (none of my passwords are), or 'your password must contain at least one capital letter and one number' (my 'secure-by-virtue-of-being-almost-never-used' password does not), and so on.

      Forcing people to change passwords every e.g. 60 days is also a terrible idea, because people will soon run out of easy-to-remember-yet-secure passwords and will just start incrementing numbers, as some of my coworkers do, which makes things trivial.

    9. Re:About time too by Cro+Magnon · · Score: 1
      Forcing people to change passwords every e.g. 60 days is also a terrible idea, because people will soon run out of easy-to-remember-yet-secure passwords and will just start incrementing numbers, as some of my coworkers do, which makes things trivial.


      Or they'll write their password on a post-it note and stick it on their monitor.
      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    10. Re:About time too by atomico · · Score: 1

      I use a nice application in my Symbian smartphone (a Sony Ericsson P800, but there are versions for Nokia phones too). The app stores login identities and passwords in encrypted form both in the phone and in a desktop computer, and it is possible to synchronize both databases. It is really handy, believe me. The only important password becomes the one to access the application.

      I am sure there are several implementations of the same idea, also for Palm OS and possibly for Windows PDAs too.

    11. Re:About time too by Anonymous Coward · · Score: 0

      Unfortunately, it involves Humans and therefore will not be handled correctly.

    12. Re:About time too by Twylite · · Score: 1

      Password Safe is your friend.

      --
      i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
    13. Re:About time too by l0b0 · · Score: 1
      There's no way I can keep track of the 200-odd different passwords I have

      Try KeePass (OSI certified'n'all). I've been using it for months on a USB stick, and it's quite handy.

    14. Re:About time too by gilesjuk · · Score: 1

      Have the tool able to copy an encrypted database onto a USB pendrive.

  6. Re:Don't read this by JNighthawk · · Score: 0, Redundant

    Why do you even bother to post? Why am I even bothering to reply? *sigh*

    --
    Wheel in the sky keeps on turnin'.
  7. .NET Passport helps you sell out your children by Anonymous Coward · · Score: 5, Interesting

    "Kids Passport helps participating sites and services obtain parental consent to collect, use, or disclose a child's personal information. You or your child can register his or her .NET Passport account."

    As opposed to "...will ensure children's personal information is kept confidential...".

    1. Re:.NET Passport helps you sell out your children by Cougem · · Score: 1

      Don't be stupid. Are you seriously fighting for censorship for pre-pubescent children who have little judgement of their own, when internet paedophilia is rife? God, I'd hate to be your children
      "Darling, if you're ever upset, and you want to talk to me, ask yourself 'Will Mummy and Daddy use this knowledge against me, for insurance premium purposes?'"

    2. Re:.NET Passport helps you sell out your children by Anonymous Coward · · Score: 0

      What are you on about? I'm not fighting for censorship. I merely pointed out that KIDS .net passports will give parental consent to every participating .net web site/service to deal with information about minors.

  8. Whore-free article text by Anonymous Coward · · Score: 2, Informative

    High-stakes venture
    Funding quest a gamble in new Internet economy
    By Ross Wehner
    Denver Post Staff Writer

    Sunday, November 28, 2004 -

    Andre Durand adjusts his black cowboy hat and eyes a roomful of tech-industry players milling around blackjack tables at Broomfield's Omni Interlocken Resort.

    It's casino night at Digital ID World, a high-level Internet conference that costs $1,795 per person. Durand, 36, is a founder of the conference and has a lot riding on it this year.

    He, like many other Internet entrepreneurs, is fighting to come back four years after the tech economy meltdown.

    Everyone here knows Durand as a whiz kid who started two multi-million-dollar companies before he was 32. But the money came easier back in the 1990s.

    Durand's firm, Ping Identity, is on the verge of launching software that could make Internet commerce easier and more secure. Companies such as Microsoft, IBM and Hewlett-Packard are chasing the same solution.

    But he needs a lot of money just to keep swimming in that shark tank - at least $8 million in venture capital. He needs the help of the people in this room.

    Nearby is Thor Hauge, an investor from Nokia Innovent, the venture capital arm of Nokia, which invested $250,000 in Ping early on.

    Durand then spies Bob Blakely, IBM's point man for computer security. He's in charge of protecting some of the largest networks in the world. One deal with IBM could transform Ping from a tiny startup into a recognized industry leader.

    It's time to get this party rolling, Durand thinks.

    He leaves his gin and tonic at the bar and heads toward an electronic bull, set up for the event. Real bull riders need an eight-second ride. Durand mounts the bull and hangs on for nine glorious seconds, arms flying above his head, before flying onto the mat. When he springs to his feet, people applaud.

    Durand heads to the cocktail bar, reaches behind it and grabs a brand-new $200 Nokia N-Gage. Any self-respecting geek knows it's the coolest combination cellphone, e-mail device and video game around.

    Durand slaps backs at every table and offers the N-Gage to whoever stays on the bull the longest. Within 10 minutes, there is a steady stream of people hooting and hollering and getting tossed into the air.

    Even Blakely rides the bull. But Craig Wirths, an old friend of Durand's, wins the N-Gage with a 33-second ride.

    Andre Durand is standing in the casino of the new Internet economy, where having a great idea isn't good enough anymore. To succeed now, Durand must also become a true chief executive, someone who can execute a business plan and devise the DNA of a company that will last.

    Like Microsoft, for example.

    The next day, Durand will help unveil Ping's first software product at Digital ID World. Then he and a Ping board member will spend two weeks in California's Silicon Valley meeting with a dozen venture capital firms who chew and spit out guys like Durand every day.

    A lot is riding on the next few weeks.

    Payday for first company

    A communications firm that Durand began when he was 25 was acquired for $10 million in 1998.

    Durand has worked insane hours for most of his adult life. He launched Durand Communications in his hometown of Santa Barbara, Calif., in 1993 at the age of 25. He worked from dawn to nearly midnight seven days a week. The company sold software to people who posted online bulletin boards, before the rise of the Internet.

    His drive paid off in 1998 when Durand sold the company to Denver-based Webb Interactive Services for $10 million in a stock swap. After Durand paid off his angel investors, he was left with more than $1 million in Webb Interactive stock.

    Part of the deal was that Durand keep working with Webb. He drove from California to Denver with a bike and all of his possessions, which fit neatly in three boxes.

    The first person he met in Denver was his future wife, Kim Gunning, who worked at We

  9. Why? by JNighthawk · · Score: 3, Informative

    Why do you have so many different passwords? Just come up with a few sufficiently complex ones. I've got 4 different passwords that I use, each having their own "security level". Slashdot is a level 1, since I don't care about someone stealing my account here, whereas my account for World of Warcraft is a level 4 :-P

    --
    Wheel in the sky keeps on turnin'.
    1. Re:Why? by bogado · · Score: 1

      Root in your computer? Level 3? Just kidding... :-D

      --
      []'s Victor Bogado da Silva Lins

      ^[:wq

    2. Re:Why? by HawkingMattress · · Score: 2, Insightful

      Well it's a basic rule of security: never use the same password for two different things. If your WoW password is compromised for whatever reason, maybe a determined person could log onto your machine with it? or make bank transactions? Sure that would require knowing your identity, or IP, but just posting to a web board or chatting on IRC with your WoW nick could reveal your IP for instance.

      But i agree with you for things where security is not that important (I use the same password for my slashdot account, and hundreds of other "not so important" accounts).

    3. Re:Why? by JNighthawk · · Score: 1

      I guess I'm not a true geek. All important stuff I conduct in real life. I don't do any web banking, I don't do any web stock-trading. I don't do any of that, so I'm unsure what could happen. The only thing that I'd really miss would be my AIM account, which I just bumped to level 2 recently. All of my convos happen on AIM instead of the phone, so I have no idea what I would do if I lost my screen name.

      --
      Wheel in the sky keeps on turnin'.
    4. Re:Why? by Anonymous Coward · · Score: 0

      I use the same password for my slashdot account, and hundreds of other "not so important" accounts.

      Thank you for the information. Do not be surprised by a near-future karma drop, eBay buying frenzy and porn site misuse.

    5. Re:Why? by Anonymous Coward · · Score: 0

      I have four levels of passwords as well:

      1. Most sites.
      2. Email.
      3. Sites where it really matters (banking, etc.).
      4. Admin on my computer.

      Most of my level 1 sites share the same password and log in automatically. Most of my level 2s share a different password and my email client logs in automatically. None of my level 3 sites share a password. Instead, I keep an encrypted list of *random* passwords. I don't even try to remember the level 3 passwords. I just remember the encryption password. My admin password is different from any of these.

      In other words, I already have Single Sign On (for the level 3 sites). I just don't rely on an outside system to implement it.

    6. Re:Why? by HawkingMattress · · Score: 1

      Dude, do you really think i use the same password for slashdot and really important things, like porn ?

    7. Re:Why? by Anonymous Coward · · Score: 0

      I don't even need a password. Beat that!

    8. Re:Why? by NardofDoom · · Score: 1
      You may be interested in my Pronounceable Password Generator.

      I use it to generate easy-to-remember but hard-to-guess passwords. Just run through it a couple times until you find one that suits you.

      --
      You have two hands and one brain, so always code twice as much as you think!
  10. sourceid.org by Ized · · Score: 5, Informative

    In case somebody is wondering where the open-source implementation of Ping ID is hiding, it's here:
    Sourceid.org

    1. Re:sourceid.org by Ized · · Score: 1

      How does this get modded flamebait? I've included a link to the site that has the open-source implementation mentioned in this news article.

    2. Re:sourceid.org by Anonymous Coward · · Score: 0

      you must be new here right?

    3. Re:sourceid.org by Anonymous Coward · · Score: 0

      It's flamebait because the page only has java and .NET code, if they were serious they would offer a C library.

      Let's count the servers and workstations under my admin that have a JVM or CLR installed ... hmmm ... ZERO! Number of planned installations ... ZERO!

    4. Re:sourceid.org by Anonymous Coward · · Score: 0

      Lasso is another free software implementation (GPL) of Liberty Alliance. And it is a C library with bindings for several other languages.

    5. Re:sourceid.org by owlstead · · Score: 1

      Copy: open-source+implementation of Ping ID
      Google paste: http://www.google.nl/search?hl=nl&q=open-source+implementation+of+Ping+ID&btnG=Google+zoeken&lr=
      First hit. No, wasn't wondering at all. But thanks for the link anyway.

  11. Funniest part of the article by LeninZhiv · · Score: 4, Funny

    Durand heads to the cocktail bar, reaches behind it and grabs a brand-new $200 Nokia N-Gage. Any self-respecting geek knows it's the coolest combination cellphone, e-mail device and video game around.

    Greatest unintentional humour of the year!

    1. Re:Funniest part of the article by Anonymous Coward · · Score: 1, Interesting

      What the fuck do you mean?

    2. Re:Funniest part of the article by forgotten_my_nick · · Score: 1
      If it is brand new then it is most likely the NGage-QD and that is the coolest combination of cellphone, e-mail device and video game around.

      I think you are referring to the original NGage which is a complete joke. They are both differently designed machines.

    3. Re:Funniest part of the article by upsidedown_duck · · Score: 1

      If it is brand new then it is most likely the NGage-QD...

      Who has heard of this? Why is it that they bought the farm with ridiculous marketing for the first NGage, and then they forget to tell anyone about the second? Amazing.

      --
      -- "Makes Little Debbie look like a pile of puke!" - Moe Szyslak
    4. Re:Funniest part of the article by forgotten_my_nick · · Score: 0, Offtopic

      >Who has heard of this?

      Lots of people.

      It is quite popular where I live and hard to get in the shops (sells very well). Own two myself.

      Cheap and sim free as well as two games and the ability to download stuff via bluetooth makes it well worth the buy. It also has all of the design flaws of the original Ngage removed.

    5. Re:Funniest part of the article by Anonymous Coward · · Score: 0

      Strange this would get offtopic as it's on topic to the original poster. I guess someone got upset (like who would moderate down this far).

  12. M$ is evil by Invalid+Character · · Score: 1
    Many Linux users view Microsoft as the evil empire.
    Me thinks this Ross Wehner's /. has taken some of our fellow slashdotters too seriously

    --

    --

    Registered .sig quotient : 1337

  13. Here's how it actually works by bjpirt · · Score: 5, Informative

    Why is there no link to the actual ping identity website in the submission?

    1. Re:Here's how it actually works by Anonymous Coward · · Score: 0

      So we don't Slashdot them, of course ;)

  14. A crackers dream by Underholdning · · Score: 3, Interesting

    Hack once, use everywhere.
    Seriously - all the sites that I would trust a single-sign-on thingy already have that. I use the same password at all those less important places. (I'll probably get bashed to hell for this, but I'm sure most of you do the same)

    1. Re:A crackers dream by themaidtricks · · Score: 1

      Or nightmare?

      If every single person had one internet identity that could not be altered, perhaps society would punish crackers more severely.

    2. Re:A crackers dream by henleg · · Score: 1

      Would be nice to have a single login, but a single login that is connected to different levels.
      Such as; one part I can use to get recognized by the average shop-site, one part is used for payment, one part is used to login to email etc.
      See what I mean? Even if a cracker would break into one level of the single login-service, he would only be able to access this particular part, so he could get recognized by the e-shop but not order anything or access the user's email.

  15. Question: by bogaboga · · Score: 1

    Who had attempted top kill it? Or who had declared it dead?

    1. Re:Question: by Ized · · Score: 1

      INTERNET (Reuters): Much hyped Single Sign On initiative was involved in an internet superhighway accident. The initiative got crushed into its complex implementation, slow adoption and could not be revived. It was pronounced dead on site by bypassing Slashdotters.

    2. Re:Question: by Anonymous Coward · · Score: 0

      "Who had attempted top kill it? Or who had declared it dead?"

      Netcraft of course. Duh!

  16. A sure failure, because... by __aavljf5849 · · Score: 1

    People in cowboy hats can not be trusted with technology.

  17. Re:M$ is evil --Corrected by Invalid+Character · · Score: 0, Flamebait
    Arrrg should have previewed! I know that made no sense at all, so this is what it should have been.

    Many Linux users view Microsoft as the evil empire.
    Me thinks this Ross Wehner has taken some of our fellow slashdotters too seriously

    --

    --

    Registered .sig quotient : 1337

  18. in Korea by hrm · · Score: 0

    In Korea, single sign-on is only for old people.

  19. Re:Generating Passwords Using MD5 by oexeo · · Score: 2, Funny
    Now I have a 33 character, fairly uncrackable password.

    It was fairly uncrackable password generation method, until you told *everybody!*

  20. The article just lost any credibility it had by Anonymous Coward · · Score: 3, Funny

    Durand heads to the cocktail bar, reaches behind it and grabs a brand-new $200 Nokia N-Gage. Any self-respecting geek knows it's the coolest combination cellphone, e-mail device and video game around.

    I take it the author has never spoken to any geek besides his 12 year old nephew who 'knows computers'

  21. Re:Ping Identity Pre-Announces Hostile Takeover of by Anonymous Coward · · Score: 0

    Where is your link to mod this post retarded?

  22. SSO in UK by deletedaccount · · Score: 3, Informative

    There is a successful SSO mechanism used by the education and health sectors in the UK. It has around 3 million users and over 250 target resources. It's called Athens and has been around for years. Eduserv Athens website

    1. Re:SSO in UK by Anonymous Coward · · Score: 2, Interesting

      There is another interesting project too :-) : Lasso http://lasso.entrouvert.org/. It is a C implementation of the Liberty Alliance specifications with a lot of bindings (Python, Java, PHP, C#). I'm one of the developers of Entrouvert http://www.entrouvert.com/, a French free software company. We are trying to offer a free SSO solution. We also have a framework to test it called Souk http://lasso.entrouvert.org/souk. Enjoy it!

  23. -1 - SELF DEPRECATING WEINER by Anonymous Coward · · Score: 0

    wear it

  24. Bad Name by oexeo · · Score: 2, Insightful

    Seriously, when you're dealing with security you need to give your service a good title, would you really trust a company called "Ping" to safe-guard your security? OK, you might, but I think a lot of the general public would not.

    1. Re:Bad Name by xstonedogx · · Score: 1

      If we're talking about the general public all we need to do is tell them it's like "Pong" and they'll soak it up.

    2. Re:Bad Name by 44BSD · · Score: 1

      It's gonna suck when the golf equipment manufacturer sues these guys.

    3. Re:Bad Name by Just+Some+Guy · · Score: 1
      [W]ould you really trust a company called "Ping" to safe-guard your security? OK, you might, but I think a lot of the general public would not.

      Would you really trust a company called "PayPal" to safe-guard your money? OK, you might not, but I think a lot of the general public would.

      "Ping" is no better or worse than the myriad of other contrived names for Internet services.

      --
      Dewey, what part of this looks like authorities should be involved?
  25. Sorry, some of you /.'s have not got a clue by oexeo · · Score: 1

    There are far too many posts proclaiming "I only need one password, that'll do me, and I generate my password using the following or step by step procedure ...". This is a Linux/geek community that probably attracts a heap of crackers (or whatever you wish to call them), gee, do you think that just maybe you're giving a little too much info out?

    1. Re:Sorry, some of you /.'s have not got a clue by Anonymous Coward · · Score: 2, Funny

      Reminds me off:

      My root password is the name of my pet.

      Of course my macaw's name is Q!7h}i2/@1u4 and changes every 30 days.

    2. Re:Sorry, some of you /.'s have not got a clue by Anonymous Coward · · Score: 0
      ... do you think that just maybe you're giving a little too much info out?

      No, because I have come up with the perfect system.

      You know that story The Purloined Letter by Edgar Allan Poe? The one where they searched all through an apartment for a "hidden" letter that was in plain sight the entire time?

      I simply use that same technique for my password, which is (literally) the word password. Just to be on the safe side I sometimes change it to password1, password2, etc. There are literally dozens of possibilities to keep the would-be-hacker frustrated.

  26. Shrug... by Nijika · · Score: 2, Funny
    Are we that shopaholic in this society that we can't type in a username and password to an online store before we buy buy buy?

    Frankly I -want- to think before I click "purchase". I think the real benefactors of this technology aren't the consumers but stores that can rush you in and out the door as fast as possible.

    --
    Luck favors the prepared, darling.
    1. Re:Shrug... by Terrasque · · Score: 0

      Just remember, it ain't us customers buying, it's the companies selling. And they DON'T want you to think before you click "purchase".

      Actually, I don't think they want you to think at all; just drool a little and buy the shiniest, most expensive thing they have.

      --
      It's The Golden Rule: "He who has the gold makes the rules."
    2. Re:Shrug... by Christopheles · · Score: 1

      Er, but why should we have to manage a database of passwords and logins and personal data, when it can all be automated? If you _really_ need that time to think, how about just getting out a blank sheet of paper and covering it in non-sensical ramblings. Those of us who would rather not repeat such useless actions over and over will be doing other things.

    3. Re:Shrug... by Nijika · · Score: 1

      Like snap buying a pack of 5 Bruce Lee bobblehead dolls or something. Gotcha. I'll stick with mulling over purchases and deciding whether it's worth enough trouble to even sign in :)

      --
      Luck favors the prepared, darling.
    4. Re:Shrug... by Christopheles · · Score: 1

      I guess my point is that signing in shouldn't be any trouble, that's just inefficient. The cost of usage for the interface should be insignificant, what you should be considering is if the pack of 5 Bruce Lee bobblehead dolls are really worth $2.95, which is really more like $3, plus S+H which brings it to a minimum of $6, then you have to consider the utility you get from these dolls, which can be roughly approximated to be zero for anyone like me.

  27. Ho hum.... by TractorBarry · · Score: 4, Insightful

    Single sign on schemes.

    Single operating system monoculture.

    Single biometric identity card/device.

    etc. etc. et-bloody-c.

    All are worthless. Why ? because a single breach and the entire wall falls down.

    And there never has been, nor will there ever be, an uncrackable code/security system. Human(s) devised it. Other human(s) will crack it. Simple as that.

    I also suspect the amount of criminal reward at stake determines the amount of effort the "bad guys" will expend in cracking something and a single sign on for your bank, auction sites, pay pal, email etc. would prove very tempting indeed.

    Personally I'll stick with my current myriad user name, password combinations thanks.

    --
    Sky subscribers are morons. They pay to be advertised at !
    1. Re:Ho hum.... by Anonymous Coward · · Score: 0

      And there never has been, nor will there ever be, an uncrackable code/security system. Human(s) devised it. Other human(s) will crack it. Simple as that.

      Good you got it all figured out.

    2. Re:Ho hum.... by upsidedown_duck · · Score: 2, Interesting


      While I agree with you, some of the principles of the Liberty Alliance are that it is a distributed system. I don't know much about it, honestly, but the list of companies on board are competitors and rivals who certainly wouldn't want to share databases, if they could help it. They wouldn't want Microsoft to hold their data, that's for sure.

      --
      -- "Makes Little Debbie look like a pile of puke!" - Moe Szyslak
    3. Re:Ho hum.... by Anonymous Coward · · Score: 0

      By your fucked up logic, you should also drive a car that has parts made by a slew of different manufacturer. Fuck - try to get different parts of the car assembled in different parts of the world.

      Fucking stupid.

  28. Another free Liberty implementation by Dr+Schizzo · · Score: 3, Interesting

    Lasso is another free (GPL) implementation of the liberty specs. It is still in heavy development but compatibility against SourceID (PingID solution) has been achieved.

    The great thing in Lasso is the language bindings; PHP, Python, Java, C# (anything .NET actually), integration in existing website is easy (well, it will be much easier when the documentation is completed).

  29. E-commerce Single Sign-On: Paypal by Uukrul · · Score: 3, Insightful

    E-commerce Single Sign-On exists and its name is PayPal.
    You can shop in thousands of stores at eBay.
    Even if you are a Slashdot Geek you can use your PayPal account at Source Forge.
    Google search Paypal Donate returns a lot of blogs, open source projects and other webs that believe that Paypal is the Single Sign-On E-commerce solution.

    85 % growth and 437.60M revenue says something about it.

    --
    My city: Barcelona.
    1. Re:E-commerce Single Sign-On: Paypal by cranos · · Score: 1

      Yeah because paypal has proven themselves so trustworthy in the past.

    2. Re:E-commerce Single Sign-On: Paypal by Epistax · · Score: 1

      I don't know what to think about paypal. I once gave them control over one of my bank accounts but after reading all the bad things about them I took it away from them and now have nothing registered to them. Luckily paypal lets unregistered users use their service, however do expect spam whenever you use it from them.

    3. Re:E-commerce Single Sign-On: Paypal by DogDude · · Score: 1

      Paypal and eBay are nothing but shit. Full of scammers and scammers. Quite honestly, anybody that trusts eBay is a moron. And yes, I am referring to its millions of users. And yes, I am suggesting that millions of people are wrong.

      A real, trustable single login is used by Yahoo. Yahoo has thousands of stores, their own services, and a very impressive, responsive infrastructure that isn't full of thieves (or run by thieves posing as a bank).

      --
      I don't respond to AC's.
  30. Re:Generating Passwords Using MD5 by xstonedogx · · Score: 1

    Let's see...

    Phrase: "In Soviet Russia, dot slashes you!"

    32 possible positions of 21 possible "letter(s) that come after e" = 672 possible munged phrases to MD5.

    I think I'll stick with "pwgen -s 20".
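Added example, not from the original post or the thread: the arithmetic above says the "letter after e" scheme yields 672 candidate phrases, so anyone who knows the scheme (and you just told everybody) can MD5 all of them and test each against a leaked hash. The munging rule in the original post is not on this page; the rule below (insert one of the 21 letters f..z at one of 32 offsets) is an assumption chosen only to reproduce the 32 x 21 count. The site-side storage (salted SHA-256) and the salt are likewise assumptions. It also puts a number on the alternative, `pwgen -s 20`, which draws 20 characters from A-Za-z0-9.

```python
import hashlib
import math
import string

# Phrase quoted in the comment above.
PHRASE = "In Soviet Russia, dot slashes you!"
# "Letters that come after e": f..z, 21 of them.
AFTER_E = string.ascii_lowercase[string.ascii_lowercase.index("e") + 1:]
# Number of insertion positions; assumption taken from the comment's count of 32.
POSITIONS = 32


def munged_phrases(phrase=PHRASE, positions=POSITIONS, letters=AFTER_E):
    """Enumerate every phrase the assumed scheme can produce: one letter from
    `letters` inserted at one of `positions` offsets in `phrase`.  The exact
    munging rule of the original post is not on this page; this one is a
    stand-in that reproduces its 32 x 21 = 672 count."""
    return [phrase[:i] + ch + phrase[i:] for i in range(positions) for ch in letters]


def derived_password(munged):
    """The scheme's final password: the MD5 hex digest (32 characters)."""
    return hashlib.md5(munged.encode()).hexdigest()


def store_password(password, salt=b"site-salt"):
    """Hypothetical site-side storage: salted SHA-256.  The salt defeats
    precomputed tables but is no help against a 672-guess dictionary."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def crack(stored_hash, salt=b"site-salt", phrase=PHRASE):
    """Dictionary attack: try every password the scheme can generate.
    Returns the recovered password, or None if the user did not use the scheme."""
    for munged in munged_phrases(phrase):
        candidate = derived_password(munged)
        if store_password(candidate, salt) == stored_hash:
            return candidate
    return None


def keyspace_bits(n_candidates):
    """Entropy of a password chosen uniformly from n_candidates possibilities."""
    return math.log2(n_candidates)


def random_password_bits(length=20, alphabet_size=62):
    """Entropy of `pwgen -s 20`: 20 characters from [A-Za-z0-9] (62 symbols)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    candidates = munged_phrases()
    print(f"{len(candidates)} candidate passwords, {keyspace_bits(len(candidates)):.1f} bits")
    # A user picked one; the site's hash leaks; the attacker recovers it.
    victim = derived_password(candidates[100])
    print("recovered:", crack(store_password(victim)) == victim)
    print(f"pwgen -s 20: {random_password_bits():.1f} bits")
```

The 33-character output looks strong because it is long and hex; what matters is the number of inputs the attacker has to try, which is log2(672), under 10 bits, against roughly 119 bits for the random 20-character string. Salting does not change that ratio, it only stops the attacker from reusing one table across many hashes.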

  31. Maybe not dead, but... by Per+Wigren · · Score: 0, Redundant

    In Korea, E-commerce Single Sign-On is for the elderly.

    --
    My other account has a 3-digit UID.
  32. I've done SSO by silverbax · · Score: 1

    I've done SSO, using both Liberty and not, many times over the past couple of years.

    Generally, between financial applications.

  33. Omelet Du Fromage by Invalid+Character · · Score: 3, Funny
    Omelet Du Fromage.
    "Access Denied."
    Omelet Du Fromage!
    "Access Denied."
    Omelet Du Fromage!!!
    "Access Denied: Self destruct mechanism activated...5"
    GRRRRRRR!!!! OMELET DU FROMAGE!!
    "...4"
    OMELET DU FROMAGE!!
    "...3"
    OMELET DU FROMAGE!! OMELETE DU FROMANGE !!
    "...2"
    OMELET DU FROMAGE!! OMELETE DU FROMANGE !! OMELETE DU FROMANGE !!
    "...1"
    KABOOOOOM!!!

    //Dunno if any of you ever remember/watched dexter's lab?

    --

    --

    Registered .sig quotient : 1337

    1. Re:Omelet Du Fromage by Anonymous Coward · · Score: 0

      Please, Dee Dee, do not push that button ! ...ZAP !...

    2. Re:Omelet Du Fromage by eriksarcade · · Score: 1

      in soviet russia, dexter sounds american!

  34. NOBODY expects the Spanish Inquisition! by Anonymous Coward · · Score: 2, Funny

    Our chief SSO is Athens...
    Athens and MS Passport...MS Passport and Athens....
    Our two SSOs are MS Passport and Athens...and Paypal....
    Our *three* SSOs are MS Passport, Athens, and Paypal...
    and an almost fanatical devotion to Bill Gates....
    Our *four* ...no... *Amongst* our SSOs.... Amongst our Single Sign-On solutions...are such elements as...

  35. Availability of the source isn't the issue by Tim+C · · Score: 2, Insightful

    Security of the database is. Availability of the source helps to make sure that that has no flaws, but that's useless if an insider rips off a portion of the db to sell to the highest bidder.

    Even ignoring that, they at least have access to statistical and marketing data on who visits what sites when, potentially even how much they spend; that could be quite valuable to the right people.

  36. Porn tried this... by AndyChrist · · Score: 3, Funny

    And tried it, and tried it. Everyone and their cousin set up some "adult verification" affiliate network, to the point where there's so damned many of them, with such scant content you may as well not have any consolidation of logins.

    How is this any different? Why can any of these parties succeed where pornographers have failed? IS MICROSOFT BETTER THAN SMUT PEDDLERS?

  37. Marketing Scam by Anonymous Coward · · Score: 0

    Liberty is an affiliate program that ties consumers into related "circles of trust". There is no motivation for affiliates to grow the circles of trust to encompass competitors. This means many, many small circles of partner companies will emerge, each requiring their own authentication scheme.

    SSO will not happen.

  38. :What's wrong with... by oliverthered · · Score: 1, Interesting

    Identity management:
    I cannot ever see the need for uniqueness online, and in saying that I require it you are saying that I may have intent to commit a crime, which isn't worth the risk of your ability to control what I can do.

    Training:
    Well, you don't need training really, it's all in the software, all my passwords are already encrypted with kwallet, and I expect that if I use kmail it will automatically sign my emails.

    All I need is for a signature tag to be added to the xforms or xhtml specification and my browser can transparently sign any data that I post.
    (I would also add a date field to the post data so that you know when the message was sent, this will prevent a duplicate message being sent by a hacker.)

    The main problem I can see is viruses and trojans because as soon as someone has broken into your pc your identity is stolen, and that is going to be the problem with any type of identity management system you can think of.

    --
    thank God the internet isn't a human right.
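Added example, not from the post above or from any project on this page: what "the browser signs the posted data, plus a date field" looks like on both ends, and what the verifier actually has to check. The post proposes public-key signatures; this example uses an HMAC shared secret instead so it runs on the standard library alone (the verification order and the freshness/replay checks are the same either way). The key, field names and 300-second window are assumptions. One point the code makes that the post does not: a timestamp on its own does not stop a duplicate inside the validity window, so the server also records nonces it has already accepted.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed demo key.  The comment proposes public-key signatures; an HMAC
# shared secret is used here so the example runs with the stdlib only.
KEY = b"constructed-demo-key-not-for-real-use"


def canonical(fields):
    """Deterministic bytes to sign: sorted keys, percent-encoded, 'sig' excluded.
    Signer and verifier must build exactly the same string."""
    return urlencode(sorted((k, v) for k, v in fields.items() if k != "sig")).encode()


def sign_post(fields, key=KEY, ts=None, nonce=None):
    """Browser side: add a timestamp and a random nonce, then sign everything."""
    post = dict(fields)
    post["ts"] = str(int(time.time()) if ts is None else ts)
    post["nonce"] = secrets.token_hex(16) if nonce is None else nonce
    post["sig"] = hmac.new(key, canonical(post), hashlib.sha256).hexdigest()
    return post


def verify_post(post, key=KEY, seen_nonces=None, now=None, max_age=300):
    """Server side.  Returns (accepted, reason).  The signature is checked
    first so an unauthenticated request cannot pollute the nonce set."""
    seen_nonces = set() if seen_nonces is None else seen_nonces
    now = int(time.time()) if now is None else now
    for field in ("ts", "nonce", "sig"):
        if field not in post:
            return False, "missing " + field
    expected = hmac.new(key, canonical(post), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, post["sig"]):
        return False, "bad signature"
    try:
        ts = int(post["ts"])
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > max_age:
        return False, "stale"
    # The date field alone allows replays inside the window; the nonce closes that.
    if post["nonce"] in seen_nonces:
        return False, "replay"
    seen_nonces.add(post["nonce"])
    return True, "ok"


if __name__ == "__main__":
    seen = set()
    post = sign_post({"user": "alice", "body": "hello"})
    print(verify_post(post, seen_nonces=seen))       # (True, 'ok')
    print(verify_post(post, seen_nonces=seen))       # (False, 'replay')
    forged = dict(post, body="send me money")
    print(verify_post(forged, seen_nonces=set()))    # (False, 'bad signature')
```

The nonce set only needs to hold entries for `max_age` seconds, since anything older is rejected as stale before the nonce is consulted. None of this helps against the trojan case the post ends on: malware on the client holds the signing key and can produce valid, fresh signatures at will.
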
    1. Re::What's wrong with... by otisaardvark · · Score: 1
      Virtually anything 'government'ish will require uniqueness. Getting electronic prescriptions dispensed, online voting, motor vehicle ownership changes, etc.

      Yes, there are civil liberties concerns, and they are very valid. The fact remains that uniqueness is necessary if certain functions are to be carried out online. Therefore PGP signing is not sufficient.

    2. Re::What's wrong with... by oliverthered · · Score: 1

      Getting electronic prescriptions dispensed:
      Currently it's easy (well, in the UK) to get someone else to get your prescription. Hell, it's even easier to get them on the black market, and often cheaper.

      Online voting: I vote with my feet and at demos, not to some stupid head counter. I'm not even on the electoral register.

      Motor vehicle ownership:
      The UK government's currently running a scare campaign about this one, but what they fail to realise is that 'criminals' buy a car with tax on and then sell it before the tax runs out.
      Anyhow, I can rent a car, or borrow one, or .... which makes the user's identity variable.

      --
      thank God the internet isn't a human right.
  39. Korean joke by JaF893 · · Score: 0, Redundant

    In Korea, Single Sign-On is only used by old people!

    1. Re:Korean joke by arose · · Score: 1

      In Soviet Russia singles sign in to YOU!

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
  40. PGP and Identity by vinthewrnech · · Score: 1

    Single sign on using a PGP key was done back in 98.. see http://www.pgp.com/resources/ctocorner/identitymgmt.html

  41. Come on moderators! by Anonymous Coward · · Score: 0

    Moderate this comment
    Negative: Offtopic [mithuro.com] Flamebait [mithuro.com] Troll [mithuro.com] Redundant [mithuro.com]
    Positive: Insightful [mithuro.com] Interesting [mithuro.com] Informative [mithuro.com] Funny [mithuro.com]

    Anyone who mods up any post that has that kind of nonsense in it, regardless of how good the content is, does not deserve mod points.

  42. ATMs suck by jamezw · · Score: 1

    I hate single signon! In fact, I wish I had to use a different PIN at every ATM machine too!

    --
    -=-jw-=-
  43. Shibboleth by forsetti · · Score: 1

    Shibboleth, from Internet2, provides much the same, and is being rapidly adopted by Higher Ed and vendors supporting Higher Ed. As SAML 2.0 is adopted, word is that Shib and Liberty Alliance may begin to converge.

    --
    10b||~10b -- aah, what a question!
    1. Re:Shibboleth by deletedaccount · · Score: 1

      It really isn't that difficult for one SAML target/origin to support multiple SAML profiles, including Liberty and Shibboleth. I expect that commercial software with SAML support (such as Novell iChain) will be developed with this in mind. The real problem is coordinating trust on a business level, e.g. does service provider X trust identity provider Y to make authentication assertions about users? I suppose a few publicly available identity providers might emerge, possibly basing themselves on existing services. This is what Passport did: have a Hotmail account? Then these services trust MS to authenticate users on their behalf.

  44. But, what if... by neilb78 · · Score: 0

    you could change all of those passwords in a single place. If there were single signon, then you could change your password once instead of going to every site and changing it. More like corporate security where you have to change your password every 30, 60, or 90 days. If you were the victim of a phishing scheme and later realized it, you could change your password - done.

    --
    © 2004 The SCO Group, Inc. All Rights Reserved.
  45. Identity Commons by The+Pim · · Score: 3, Interesting

    Not to bang on these guys, but for an open, non-commercial, distributed identity system, with working code, see Identity Commons.

    --

    The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
    1. Re:Identity Commons by Broadcatch · · Score: 1

      SourceID is open source, but not free. Identity Commons software is FOSS (BSD/GPL) and even more distributed - literally anyone can become an identity broker. It's also based on open, OASIS standards XRI, XDI and SAML. Cool stuff. It's not complete yet, but you can get an i-name now.

      --

      The antidote for misuse of freedom of speech is more freedom of speech.
      -- Molly Ivins

  46. Why do we need a single sign on anyway? by techstar25 · · Score: 3, Interesting

    In "the real world" I have several different ID numbers:
    SSN
    Bank account number (more than one)
    Credit card number (more than one)
    Employee ID
    Student ID
    Driver's license number
    Supermarket loyalty discount card number
    Blockbuster/Movie Gallery number
    Library Card number
    Auto/Home/Medical insurance ID
    Voter Registration ID
    I think I'm better off having those as separate numbers, and just keeping the cards around so I don't have to remember them. Why should online be any different? Can you imagine a world where all those numbers are the same, and are maybe our telephone number, for instance (making everything easy to remember)? Scary.

  47. better solution by Compukid · · Score: 1
    1. Re:better solution by Yer+Mom · · Score: 1
      The problem with your system - and every other single sign-on system I've seen - is that you end up giving out the same email address to everyone. So, when the spam starts rolling in, you don't know who sold you out, or has dire security.

      I use sneakemail.com to give each service a separate email address. This paid off when a phishing scam mail came in yesterday, and I was able to pinpoint exactly who leaked my address, and will thus not be getting any of my money in the future.

      Any single sign-on system that doesn't work with that setup, I'm not using.

      --
      Never mind Spamassassin. When's Spammerassassin coming out?
  48. Mozilla by Asic+Eng · · Score: 1

    Isn't that becoming somewhat obsolete, now that browsers (like Mozilla) have password managers? I just have one master password for the password manager, and Mozilla remembers all the login info I need. Personally I much prefer that de-centralized approach to having something like Passport. I admit though, that this is not as convenient when you use multiple browsers (e.g. one for work, one for home or one in an internet cafe on vacation).

  49. Password managers by dpilot · · Score: 1

    And on this thread we have many password managers...
    One for Windows (I'm sure there are more)
    One for Palm (I'm sure there are more)
    One for Linux/Gnome
    One for Linux/KDE

    Plus I use a thing called pwsafe, which I believe may be a back-level KeePass, which runs on command line under Linux.

    NONE of these buggers are multi-platform. I've seen a package called Strip for Palm, and there's a read-only Perl library to read the database under Linux. But it's not full-function dual, let alone multi-platform.

    I want something I can put on a memory key, plug into ANYTHING with a USB port, and use on that system. I don't mind that I'll have to store multiple executables on the key. There should be a common encryption engine for all platforms, and probably per-platform UI/storage that invokes the engine.

    Does this exist, or am I going to have to find the time to write it?

    --
    The living have better things to do than to continue hating the dead.
    1. Re:Password managers by Ctrl-Z · · Score: 1

      Why don't you just put all your passwords in one file and encrypt it? That's what I do with mine. Now, I don't have a memory key to put it on, but how hard would that be?

      GnuPG runs on many platforms.

      --
      www.timcoleman.com is a total waste of your time. Never go there.
    2. Re:Password managers by dpilot · · Score: 1

      Not bad, just haven't gotten around to it. The pwsafe that I'm using will yank one password out of the list, though that's not too hard, either. Does GPG decrypt to stdout? I'd rather not get interrupted halfway through and leave a cleartext file lying around.

      Oh, and PalmOS is not on the list.

      --
      The living have better things to do than to continue hating the dead.
  50. OSS vs trust by TheConfusedOne · · Score: 1

    Yeah, this may seem like flame-bait but bear with me.

    The idea of a federated single-sign-on system suffers the problem of trust. I'm supposed to set up my system to trust your sign-on system that vouches for your identity and provides me with user information. Well, how do I know how to trust you? What kind of security, identity checks, and validation routines did you implement? Do you have a system for revoking IDs? Do you have a system for checking for bogus IDs? Etc, etc, etc.

    There are two problems with any sign-on system. The first is issuing an id/account/card/whatever to a person and ensuring that it actually matches the person. The second is dealing with the associated data. Who can access what data, who can revoke and edit data?

    Looked at in this light you see that the technical part of encryption and tokens and what-not is really just the beginning (or even the end) of the battle and a minor part of it at that.

    So the point is that having an OSS solution for federated identity really doesn't gain you all that much.

    --
    --- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
    1. Re:OSS vs trust by ian13550 · · Score: 1

      What you don't seem to realize is that this is purely AUTHENTICATION and not AUTHORIZATION. IMPORTANT: Each party is responsible for maintaining what a user can do on their own site ONLY. This is only a way of verifying identity information across infrastructures. If you revoke the user on your site they can no longer get in.

      Also, you do not have to issue ANYTHING new. This works with existing user information (if you want).

      However, your point that "I'm supposed to set up my system to trust your sign-on system that vouches for your identity and provides me with user information. Well, how do I know how to trust you? What kind of security, identity checks, and validation routines did you implement? Do you have a system for revoking IDs? Do you have a system for checking for bogus IDs? Etc, etc, etc." is right on target. There needs to be a verification process between the parties that the processes and procedures are in place to secure the information to an acceptable level -- whatever that may be.

      Two banks have completely different requirements than a loose collection of websites.

  51. One time pad by SgtChaireBourne · · Score: 1
    Add one more category, one time pad, at the top and move your bank account and other must-preserve passwords there.

    If your bank is not having you use at least a one-off PIN, then sniffing, phishing or other forms of interception can cause great harm. There are disadvantages to a one time pad, but having an individual password intercepted and re-used is not one of them.

    You'd think that remote exploits in MSIE announced publicly every week for 5 years would sharpen banks up. It's not like the problems don't circulate for weeks, months or years before MS finally admits them either.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
    1. Re:One time pad by ArsenneLupin · · Score: 1
      You'd think that remote exploits in MSIE announced publicly every week for 5 years would sharpen banks up.

      On the contrary. Many banks require that their customers use Internet Exploder, and flat out refuse all other browsers (using a javascript browsercheck or other equally silly techniques).

    2. Re:One time pad by SgtChaireBourne · · Score: 1
      On the contrary. Many banks require that their customers use Internet Exploder, and flat out refuse all other browsers (using a javascript browsercheck or other equally silly techniques).
      That goes against my recent experiences with banks the last 3 years. And that of my friends and relatives. During that time I've only run across one that was stuck on MSIE. Can you give any examples or support for your statement?
      --
      Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  52. kerberos already supports cross domain auth. by SgtChaireBourne · · Score: 1
    Kerberos, both MIT and Heimdal, is already quite well established in higher education.

    Kerberos already supports cross domain authentication and has the added advantage that there are packages for all the major Linux and BSD distros (including OS X). PAM (pluggable authentication modules) makes adding it even easier. Even MS-Windows supports a passable if somewhat broken variant, but it is still possible to work around that.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
    1. Re:kerberos already supports cross domain auth. by forsetti · · Score: 1

      Kerberos is good (very good, actually), but does not have quite the same flexibility as SAML based projects, such as Shibboleth. Shib, in addition to providing something like cross-realm auth and federated authZ, provides a layer of privacy, such that the service provider does not necessarily even receive the login ID, but rather just the necessary attributes to grant access (such as, "is this person a student?").

      Shib's Identity Provider runs under Tomcat (and probably other J2EE containers), and Service Provider "plugins" exist for Tomcat, Apache, and IIS. Note of course, Shib is (currently?) for Web based applications, where Kerberos is for host applications (at least, until SPNEGO gets better).

      Check it out -- Shib is pretty cool.

      --
      10b||~10b -- aah, what a question!
    2. Re:kerberos already supports cross domain auth. by deletedaccount · · Score: 1

      One of the things I like about shib is the concept of a 'targeted id'. This is a unique id that is different for each service provider that requests it, but is persistent between user sessions.
      In essence it means that each service provider can have a persistent id for a user, but will not be able to trace usage between resources. One cautionary note about the shib software: it's a complex install and configure procedure and it's got some nasty dependencies. Other than that it does exactly what it says on the tin.

  53. Maybe a slippery slope... by Whiteout · · Score: 1

    but single signon via public-key/private-key authentication would be very handy. The obvious downsides are less anonymity and phishing. But it's conceptually very easy for everyman, with no username and a single password (ok, it unlocks your private key, but that's the details). And why not start offering it right now. A bank could have you authenticate yourself the 'old-fashioned' way with username/password, then accept your public key over that channel and thereafter allow you to authenticate with your private key.

  54. keychain? by mrdisco99 · · Score: 1

    I've got single sign-on for all my websites through my MacOS X Keychain. I imagine there's a similar facility bundled with or made available for Windows. It works great and I only have to trust myself to keep it secure for me.

    With tools like that, why is there even a market for this thing?

    --

    +++
    NO CARRIER

    1. Re:keychain? by Knight2K · · Score: 1

      I think the market for this is that your OSX Keychain is only on one computer, so if you need to sign on using a friend's computer or a public terminal, you still have to remember all of your passwords.

      Using single sign-on, you could go anywhere, sign into the main site with one password, and all of the other sites would know it was you. It's more of a global keyring, for better or worse.

      Of course, the OSX keychain may have capabilities I'm not aware of... can you put it on a USB key to take around to other computers?

      --
      ======
      In X-Windows the client serves YOU!
  55. SXIP - A better open source solution by pseudorand · · Score: 2, Informative

    The Denver Post seemed to help Ping hype up its open source roots, but I was at the Digital ID World conference and the solution that impressed me as both a consumer and site developer was SXIP (pronounced skip). This is a PKI-like solution where any web site you log on to can be a Home site and any web site you want to access without logging on to can be a Member site. Once I've logged on to the homesite of my choice, member sites can easily get any info about me that I've allowed from my home site, with homesite lookup and encryption handled by the SXIP root site. Kind of like MS Passport, but I choose exactly who gets what information and I only have to establish an account with my favorite login site (such as, say, slashdot).

  56. Enter Andre Durand by Anonymous Coward · · Score: 0

    No, thanks. My GF would not appreciate it I guess.

  57. OBG MONTY PYTHON by wed128 · · Score: 1

    "I'm not quite dead yet"
    "oh you'll be stone dead in a moment"
    "I'm getting better..."

  58. Authentication is the issue by TheConfusedOne · · Score: 1

    That was what I was raising, maybe I phrased it badly, but the issue is authentication.

    You have to either trust the other party's authentication process or you have to do it yourself. In a distributed system you have to trust the other party. This means that the technology used to send the authentication information is really a minor issue in the process.

    I remember back when we looked at VeriSign to be a certificate authority for our company and they talked about all of their physical security, the signing "ceremony", and all of the personnel checks they went through with their people. This was above and beyond what security was on the box that would actually be the CA host.

    If you are looking at a distributed system for e-commerce then you need to address all of those issues as well. Heck, it's more critical because you're dealing with financial transactions and thus financial information needs to be exchanged as well.

    So, an OSS "solution" may sound great but it doesn't really address the problem in this case.

    --
    --- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
  59. A single-sign-on authority is a great idea! by Rogerborg · · Score: 1

    We should have lots of them.

    --
    If you were blocking sigs, you wouldn't have to read this.
  60. Passport. by Anonymous Coward · · Score: 0

    I think one of the main reasons Passport failed is that the server side had to pay a pretty big fee to use it. Sure free for the client but the company couldn't be bothered. Not to mention it required the use of Windows based server side technologies.

  61. Private "keys" as real keys by CoughDropAddict · · Score: 2, Insightful

    IMO, the solution is to make private keys a real physical thing: similar in form factor to a USB key drive. It would store the private key, and have a small CPU that could encrypt/decrypt small messages using that private key. It would not be capable of transmitting the private key itself.

    The masses will never go for private keys that live on hard drives, and a good thing too because they would get compromised all the time! But ordinary people could understand the idea that they need to put a key in their computer to buy stuff online, the way they put a key in their car to turn it on.

    1. Re:Private "keys" as real keys by dustman · · Score: 1

      IMO, the solution is to make private keys a real physical thing: similar in form factor to a USB key drive. It would store the private key, and have a small CPU that could encrypt/decrypt small messages using that private key. It would not be capable of transmitting the private key itself.

      Yeah, this idea could work pretty well. You could even put a biometric authentication thing on there (thumbprint or whatever) if you wanted to.

      I remember a story from a few years back about how IBM had made chips like this. Basically, just simple little encrypt/decrypt chips, where the private key was on the chip and inaccessible, and the chip was specifically engineered such that the private key could not be read "by any means"... (Taking the chip apart would destroy the key etc)

      The specifics of this case were that someone *had* managed to extract the private key despite the countermeasures, but the idea is still sound.

      In fact, with a standard key revocation database, this would work very well... If you lose your key, you report it and it's revoked.

      In this case, you would only have to deal with people extracting their keys on purpose, which will not usually be useful. (In how many cases do you *want* someone to be able to impersonate you? I'm not saying it wouldn't happen, but the applications are limited)

    2. Re:Private "keys" as real keys by Anonymous Coward · · Score: 0

      I actually have an "IBM Smart Card Security Kit" here. AFAIK it authenticates you by having your computer encrypt something with a public key, then having the smart card decrypt it and send it back (plain text) to verify that it has the correct private key, then it unlocks whatever is protected by the smart card.

      I might be completely off on this one, but I'm pretty sure this is more or less how it does it.

  62. I hope this takes off! by Blitzenn · · Score: 1

    Now here is one piece of open source work that I would really like to see widely adopted and take off. It's the first real piece of open source work that is not a clone of something, that solves a real world problem, and is going to stop something really important from becoming proprietary (no, there is no adopted solution out there yet that is proprietary in my book).

    I am sure that this will raise a lot of hackles in that I suggest that open source work is basically clone software of major labels, so troll mod me. I don't care. But reality is that there has not been a thrust forward into a new field with open source work as of yet. This could be the project that makes open source a major player.

  63. Passport is a pain in the ass by Anonymous Coward · · Score: 0

    I work for a small company doing some web-based training in flash for Microsoft, and they want us to integrate it with Passport. That thing is a pain in the ass! They have a huge book full of rules you have to follow just to be allowed to use it. We ended up outsourcing to a company who specializes in doing passport logins, so we just pop up a form on their servers, which passes the data back to us after they signup or login.

    anonymously posted

  64. Simple unique password generation by nicwolff · · Score: 2, Interesting

    I have a single memorized passphrase and generate a new password for each site by hashing it with the hostname. This bookmarklet asks for the passphrase, grabs the hostname from the current URL, MD5s them, and inserts the first 8 characters of the result into each password field on the current page. It's all done locally in JavaScript so nothing secret is passed across the 'net, which makes it secure except for shoulder-surfers and keyloggers - good enough for most stuff. And it has the great advantage that there's no locked file of passwords to lose.

  65. Not "single" sign-on, transitive sign-on by iabervon · · Score: 1

    The point of this is not actually to have a single sign-on everywhere, like Passport tried to do. The point of this is to have a transitive sign-on, where you can sign on to a starting web site, and have that web site provide the information you gave it to other sites of your choice. If you're a slashdot user, you could post to groklaw as a slashdot user when you follow a link from slashdot, whether or not you have a groklaw account, and groklaw could verify that you are the slashdot user you claim to be.

    Their example has a person having a session with an airline company (not Microsoft or Sun or some identity company) and using that session to make reservations at other sites for the same trip.

  66. pointless by t_allardyce · · Score: 1

    Why would you even need a single sign-on? Most browsers have password managers (for people who are happy to use them) and anyone who is too paranoid to store things on their own machine probably isn't going to be too happy trusting a 3rd party. Microsoft Passport is _not_ going to catch on unless companies can have it for free and on their platform. If systems like Worldpay started using it (they would have to trust it) then maybe it would work out, but most stores don't ask to store your card number and most people don't want to. Plus no single-sign-on system will ever be free of the two major problems: 1) don't put all your eggs in one basket and 2) just like credit cards there will always be more than one passport system and not all stores will take them all, so you will have to sign up with most of them.

    --
    This comment does not represent the views or opinions of the user.
  67. Single Sign On has been around for years by Evets · · Score: 1

    In the States we've had single sign on for years. We call it our "Social Security Number". Yes, there is legislation that says nobody can ask for it, but it's used for student IDs, tax returns, credit information, etc. It's not crackable because there is no password... unless you count the number of companies that ask you for the last four digits of your social security number before they will talk to you.

    We also use "Mother's Maiden Name" as a security mechanism for super-high security things like bank accounts.

  68. MSIE-only banks by BlueUnderwear · · Score: 1
    Can you give any examples or support for your statement?

    Sure, here is one example: Banque Générale du Luxembourg. Click on the Web Banking link, choose a language, and weep :-(

    If you read French (or German), click FR or DE, and look at their slogan (top left of page), and snicker ;-) (The English version is less funny).

    Actually, most banks in Luxembourg are MSIE only (or do need some trickery and/or alternative login pages to get access).

    --
    Say no to software patents.
  69. Luxembourg banks by SgtChaireBourne · · Score: 1
    Well since they're running what looks like an IBM server on what looks like Solaris, I'd write this off as an unintentional bug. What did their support staff say about driving customers away? Is it an oversight? A prioritization of ideology before profit?

    If they lack the technical expertise, perhaps their vendor can help them as a partner in the offeneren Welt and actually hook them up with an "opener" web site.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.