E-commerce Single Sign-On Not Dead Yet
FullyIonized writes "A few years ago Microsoft's Passport technology made headlines as Microsoft predicted e-commerce nirvana and conspiracists predicted a new Big Brother. Not to be outdone, Sun spearheaded the Liberty Alliance. Years later, I still don't have a single sign-on, not that that's a bad thing. Enter Andre Durand who started his first business with BBS software, then headed up Jabber, and now has started Ping Identity. The big distinction: the federated identity software is open-source. The Denver Post has the story."
..single login to phish.
'nuff said (that's enough, not snuff).
world was created 5 seconds before this post as it is.
There's no way I can keep track of the 200-odd different passwords I have - so they all end up being simple variants of the same one. Federated single sign on would be a boon - if it was handled correctly.
Seriously, I'm not asking in jest. Is there a problem with the technology as it stands?
Yes. It'd be a pain in the arse for web developers.
All these single sign-in systems are made (or broken) by the web developers who implement them in the sites they build. If there's an easy way to integrate the technology into your code quickly and cheaply then people will put it in. If it takes a week of reading docs and another week of coding then it's never going to get used by the people who'll be rolling it out onto the net.
http://twitter.com/onion2k
Security of private keys. This is not really different from security of any other 'passphrase' except it is local.
Computation. Especially for bulletin boards - /. has a huge number of comments every day. To PGP-process each one would require much more expense on their side with no obvious benefits.
Trusted key repositories. If something like this was to become huge then you would need central databases of everyone's public keys (far more scalable than current incarnations). This is tied in with:
Identity management. There is nothing stopping you from having multiple public/private key combinations. (OK, there is nothing stopping you from having multiple /. accounts). But there are uses where you need uniqueness online. Yes, this is also a problem for any single sign-on scheme. Verification has privacy implications unless handled very carefully.
Single point of failure. Regardless of how well tested the PGP encryption algorithms are, cryptanalysis will continue. Security should almost always have breadth to increase resilience. To be honest I would probably consider this to be an acceptable risk for non-critical uses.
Training. In order to be useful a lot of people have to use PGP. The concept of a username/passphrase is far easier to digest than PGP-signing.
There are probably many other obvious concerns. Note: it could easily become widespread, but I'm just saying that there are issues which need to be addressed.
Seriously, when you're dealing with security you need to give your service a good title. Would you really trust a company called "Ping" to safeguard your security? OK, you might, but I think a lot of the general public would not.
Single sign on schemes.
Single operating system monoculture.
Single biometric identity card/device.
etc. etc. et-bloody-c.
All are worthless. Why? Because a single breach and the entire wall falls down.
And there never has been, nor will there ever be, an uncrackable code/security system. Human(s) devised it. Other human(s) will crack it. Simple as that.
I also suspect the amount of criminal reward at stake determines the amount of effort the "bad guys" will expend in cracking something and a single sign on for your bank, auction sites, pay pal, email etc. would prove very tempting indeed.
Personally I'll stick with my current myriad user name, password combinations thanks.
Sky subscribers are morons. They pay to be advertised at !
E-commerce Single Sign-On exists and its name is PayPal.
You can shop in thousands of stores at eBay.
Even if you are a Slashdot Geek you can use your PayPal account at SourceForge.
A Google search for "Paypal Donate" returns a lot of blogs, open source projects and other websites that believe that PayPal is the Single Sign-On E-commerce solution.
85 % growth and 437.60M revenue says something about it.
My city: Barcelona.
Well, it's a basic rule of security: never use the same password for two different things. If your WoW password is compromised for whatever reason, maybe a determined person could log onto your machine with it? Or make bank transactions? Sure, that would require knowing your identity, or IP, but just posting to a web board or chatting on IRC with your WoW nick could reveal your IP, for instance.
But I agree with you for things where security is not that important (I use the same password for my Slashdot account, and hundreds of other "not so important" accounts).
Security of the database is. Availability of the source helps to make sure that that has no flaws, but that's useless if an insider rips off a portion of the db to sell to the highest bidder.
Even ignoring that, they at least have access to statistical and marketing data on who visits what sites when, potentially even how much they spend; that could be quite valuable to the right people.
It's official. Most of you are morons.
IMO, the solution is to make private keys a real physical thing: similar in form factor to a USB key drive. It would store the private key, and have a small CPU that could encrypt/decrypt small messages using that private key. It would not be capable of transmitting the private key itself.
The masses will never go for private keys that live on hard drives, and a good thing too because they would get compromised all the time! But ordinary people could understand the idea that they need to put a key in their computer to buy stuff online, the way they put a key in their car to turn it on.
Security of private keys. This is not really different from security of any other 'passphrase' except it is local.
The distinction is extremely important, because having a local mechanism means that the key owner is autonomously in control of its security, rather than being architecturally obliged to defer security to some third party. If you want to lock the key inside some other security mechanism, such as a biometric token for example, that decision is transparent to the architecture.
Computation. Especially for bulletin boards - /. has a huge number of comments every day. To PGP-process each one would require much more expense on their side with no obvious benefits.
Not all applications require highly assured identity. You've just given a good example of where the cost/benefit tradeoff goes one way. There are many examples, such as banking or voting, where the tradeoff would go the other way.
It should be noted that secure identity and anonymity are not mutually exclusive, by the way. You simply need to establish an authority whose policy is to issue anonymous identities. Applications can then decide whether to accept that particular authority.
Trusted key repositories. If something like this was to become huge then you would need central databases of everyone's public keys (far more scalable than current incarnations).
Scalability and deployment are indeed limiting factors, though less so as computation and network performance continues to improve exponentially. Also, the retooling of applications is far from trivial. In practice, it's the main limiting factor at the moment, and it's starting to get a lot of attention.
But no identity infrastructure needs to be built globally when most of the value is relatively local. My own identity requirements, for example, span a limited geography and a limited range of interests. People are not the only sort of identity principals that will eventually emerge, but they are a useful place to start.
All these are reasons to favor a federated identity model, because it lets us begin with small and useful implementations and scale up as required. Yes, in a sense we're avoiding the problem, and I think we need to acknowledge that and plan for it. But there are more immediate problems which should keep us busy enough for now.
Identity management. There is nothing stopping you from having multiple public/private key combinations. (OK, there is nothing stopping you from having multiple /. accounts). But there are uses where you need uniqueness online. Yes, this is also a problem for any single sign-on scheme. Verification has privacy implications unless handled very carefully.
There is no requirement for any individual to be limited to a single identity. Some identity models recognize this explicitly. Likewise, there is nothing to prevent you reserving an identity for some specific domain, such as legal use.
Single point of failure. Regardless of how well tested the PGP encryption algorithms are, cryptanalysis will continue. Security should almost always have breadth to increase resilience. To be honest I would probably consider this to be an acceptable risk for non-critical uses.
This is why cryptographic systems such as X.509 and PGP offer a selection of algorithms, and in general why modularity and peer review are especially important in these systems. But these comments also hold for much of our technological infrastructure. The DNS has a small number of root servers, for example. All these vulnerabilities merit attention, of course, but again we are usually willing to submit them to some kind of cost/benefit analysis.
Training. In order to be useful a lot of people have to use PGP. The conc