Slashdot Mirror

← Back to Stories (view on slashdot.org)

E-commerce Single Sign-On Not Dead Yet

Posted by timothy on from the he'll-have-to-do-a-lot-of-convincing dept.

FullyIonized writes "A few years ago Microsoft's Passport technology made headlines as Microsoft predicted e-commerce nirvana and conspiracists predicted a new Big Brother. Not to be outdone, Sun spearheaded the Liberty Alliance . Years later, I still don't have a single sign-on, not that that's a bad thing. Enter Andre Durand who started his first business with BBS software, then headed up Jabber, and now has started Ping Identity. The big distinction: the federated identity software is open-source. The Denver Post has the story."

6 of 200 comments (clear)

  1. single logon means.. by gl4ss · · Score: 4, Insightful

    ..single login to phish.

    'nuff said(that's enough, not snuff).

    --
    world was created 5 seconds before this post as it is.
    1. Re:single logon means.. by IO+ERROR · · Score: 5, Insightful
      single login to phish.

      And how many people use the same username and password everywhere already? There are so many websites out there, each wanting you to sign up, that it's impossible for any human to memorize hundreds of usernames and passwords. They all wind up being the same, or very close to the same. Or worse, they get written down on a piece of paper under the keyboard.

      --
      How am I supposed to fit a pithy, relevant quote into 120 characters?
    2. Re:single logon means.. by mdfst13 · · Score: 4, Insightful

      "Because you don't have the choice to decide yourself wether a given login is important enough to justify a different password."

      Why not?

      Seriously, why not. It would be easy enough to add the ability to specify an extra password for certain accounts. If that's not in the various solutions that are currently available, that's a weakness in the *solutions*, not the concept. I couldn't find any information explaining if SAML or Ping's implementation included this capability or not. If they do not, then it should be added.

      Frankly, for most sites with passwords, I don't really need a password at all. For example, with /. I only need it to verify that my computer (and account) is doing the posting. Same thing for recommendations on Amazon (although more authentication is needed for purchases). That's why I currently allow those sites (and others) to store my login info in cookies.

  2. About time too by samael · · Score: 4, Insightful

    There's no way I can keep track of the 200-odd different passwords I have - so they all end up being simple variants of the same one. Federated single sign on would be a boon - if it was handled correctly.

    --
    My Journal
  3. Re:What's wrong with... by otisaardvark · · Score: 4, Insightful
    These are just observations, and some of them are very overcomeable and possibly stupid.

    Security of private keys. This is not really different from security of any other 'passphrase' except it is local.

    Computation. Especially for bulletin boards - /. has a huge number of comments every day. To PGP-process each one would require much more expense on their side with no obvious benefits.

    Trusted key repositories. If something like this was to become huge then you would need central databases of everyone's public keys (far more scalable than current incarnations). This is tied in with:

    Identity management. There is nothing stopping you from having multiple public/private key combinations. (OK, there is nothing stopping you from having multiple /. accounts). But there are uses where you need uniqueness online. Yes, this is also a problem for any single sign-on scheme. Verification has privacy implications unless handled very carefully.

    Single point of failure. Regardless of how well tested the PGP encryption algorithms are, cryptanalysis will continue. Security should almost always have breadth to increase resilience. To be honest I would probably consider this to be an acceptable risk for non-critical uses.

    Training. In order to be useful a lot of people have to use PGP. The concept of a username/passphrase is far easier to digest than PGP-signing.

    There are probably many other obvious concerns. Note: it could easily become widespread, but I'm just saying that there are issues which need to be addressed.

  4. Ho hum.... by TractorBarry · · Score: 4, Insightful

    Single sign on schemes.

    Single operating system monoculture.

    Single biometric identity card/device.

    etc. etc. et-bloody-c.

    All are worthless. Why ? because a single breach and the entire wall falls down.

    And there never has been. nor will there ever be, an uncrackable code/security system. Human(s) devised it. Other human(s) will crack it. Simple as that.

    I also suspect the amount of criminal reward at stake determines the amount of effort the "bad guys" will expend in cracking something and a single sign on for your bank, auction sites, pay pal, email etc. would prove very tempting indeed.

    Personally I'll stick with my current myriad user name, password combinations thanks.

    --
    Sky subscribers are morons. They pay to be advertised at !