Slashdot Mirror
E-commerce Single Sign-On Not Dead Yet
FullyIonized writes "A few years ago Microsoft's Passport technology made headlines as Microsoft predicted e-commerce nirvana and conspiracists predicted a new Big Brother. Not to be outdone, Sun spearheaded the Liberty Alliance . Years later, I still don't have a single sign-on, not that that's a bad thing. Enter Andre Durand who started his first business with BBS software, then headed up Jabber, and now has started Ping Identity. The big distinction: the federated identity software is open-source. The Denver Post has the story."
..single login to phish.
'nuff said(that's enough, not snuff).
world was created 5 seconds before this post as it is.
Seriously, I'm not asking in jest. Is there a problem with the technology as it stands?
Computers are useless. They can only give you answers.
-- Pablo Picasso
Moderate this comment
Negative: Offtopic Flamebait Troll Redundant
Positive: Insightful Interesting Informative Funny
Nothing to see here
There's no way I can keep track of the 200-odd different passwords I have - so they all end up being simple variants of the same one. Federated single sign on would be a boon - if it was handled correctly.
My Journal
"Kids Passport helps participating sites and services obtain parental consent to collect, use, or disclose a child's personal information. You or your child can register his or her .NET Passport account."
As opposed to "...will ensure children's personal information is kept confidential...".
High-stakes venture
Funding quest a gamble in new Internet economy
By Ross Wehner
Denver Post Staff Writer
Sunday, November 28, 2004 -
Andre Durand adjusts his black cowboy hat and eyes a roomful of tech-industry players milling around blackjack tables at Broomfield's Omni Interlocken Resort.
It's casino night at Digital ID World, a high-level Internet conference that costs $1,795 per person. Durand, 36, is a founder of the conference and has a lot riding on it this year.
He, like many other Internet entrepreneurs, is fighting to come back four years after the tech economy meltdown.
Everyone here knows Durand as a whiz kid who started two multi-million-dollar companies before he was 32. But the money came easier back in the 1990s.
Durand's firm, Ping Identity, is on the verge of launching software that could make Internet commerce easier and more secure. Companies such as Microsoft, IBM and Hewlett-Packard are chasing the same solution.
But he needs a lot of money just to keep swimming in that shark tank - at least $8 million in venture capital. He needs the help of the people in this room.
Nearby is Thor Hauge, an investor from Nokia Innovent, the venture capital arm of Nokia, which invested $250,000 in Ping early on.
Durand then spies Bob Blakely, IBM's point man for computer security. He's in charge of protecting some of the largest networks in the world. One deal with IBM could transform Ping from a tiny startup into a recognized industry leader.
It's time to get this party rolling, Durand thinks.
He leaves his gin and tonic at the bar and heads toward an electronic bull, set up for the event. Real bull riders need an eight-second ride. Durand mounts the bull and hangs on for nine glorious seconds, arms flying above his head, before flying onto the mat. When he springs to his feet, people applaud.
Durand heads to the cocktail bar, reaches behind it and grabs a brand-new $200 Nokia N-Gage. Any self-respecting geek knows it's the coolest combination cellphone, e-mail device and video game around.
Durand slaps backs at every table and offers the N-Gage to whoever stays on the bull the longest. Within 10 minutes, there is a steady stream of people hooting and hollering and getting tossed into the air.
Even Blakely rides the bull. But Craig Wirths, an old friend of Durand's, wins the N-Gage with a 33-second ride.
Andre Durand is standing in the casino of the new Internet economy, where having a great idea isn't good enough anymore. To succeed now, Durand must also become a true chief executive, someone who can execute a business plan and devise the DNA of a company that will last.
Like Microsoft, for example.
The next day, Durand will help unveil Ping's first software product at Digital ID World. Then he and a Ping board member will spend two weeks in California's Silicon Valley meeting with a dozen venture capital firms who chew and spit out guys like Durand every day.
A lot is riding on the next few weeks.
Payday for first company
A communications firm that Durand began when he was 25 was acquired for $10 million in 1998.
Durand has worked insane hours for most of his adult life. He launched Durand Communications in his hometown of Santa Barbara, Calif., in 1993 at the age of 25. He worked from dawn to nearly midnight seven days a week. The company sold software to people who posted online bulletin boards, before the rise of the Internet
His drive paid off in 1998 when Durand sold the company to Denver-based Webb Interactive Services for $10 million in a stock swap. After Durand paid off his angel investors, he was left with more than $1 million in Webb Interactive stock.
Part of the deal was that Durand keep working with Webb. He drove from California to Denver with a bike and all of his possessions, which fit neatly in three boxes.
The first person he met in Denver was his future wife, Kim Gunning, who worked at We
Why do you have so many different passwords? Just come up with a few sufficienly complex ones. I've got 4 different passwords that I use, each having their own "security level". Slashdot is a level 1, since I don't care about someone stealing my account here, whereas my account for World of Warcraft is a level 4 :-P
Wheel in the sky keeps on turnin'.
Incase somebody is wondering where the open-source implementation of Ping ID is hiding, it's here:
Sourceid.org
Durand heads to the cocktail bar, reaches behind it and grabs a brand-new $200 Nokia N-Gage. Any self-respecting geek knows it's the coolest combination cellphone, e-mail device and video game around.
Greatest unintentional humour of the year!
Why is there no link to the actual ping identity website in the submission?
Hack once, use everywhere.
Seriously - all the sites that I would trust a single-sign-on thingy already have that. I use the same password at all those less important places. (I'll probably get bashed to hell for this, but I'm sure most of you do the same)
Underholdning.info
It was fairly uncrackable password generation method, until you told *everybody!*
Durand heads to the cocktail bar, reaches behind it and grabs a brand-new $200 Nokia N-Gage. Any self-respecting geek knows it's the coolest combination cellphone, e-mail device and video game around.
I take ithe authour has never spoken to any geek besides his 12 year old nephew who 'knows computers'
There is a sucessful SSO mechanism used by the education and health sectors in the UK. It has around 3 million users and over 250 target resources. It's called Athens and has been around for years. Eduserv Athens website
Seriously, when you're dealing with security you need to give your service a good title, would you really trust a company called "Ping" to safe-guard your security? OK, you might, but I think a lot of the general public would not.
Frankly I -want- to think before I click "purchase". I think the real benefactors of this technology aren't the consumers but stores that can rush you in and out the door as fast as possible.
Luck favors the prepared, darling.
Reminds me off:
My root password is the name of my pet.
Of course my macaws name is Q!7h}i2/@1u4 and changes every 30 days.
Single sign on schemes.
Single operating system monoculture.
Single biometric identity card/device.
etc. etc. et-bloody-c.
All are worthless. Why ? because a single breach and the entire wall falls down.
And there never has been. nor will there ever be, an uncrackable code/security system. Human(s) devised it. Other human(s) will crack it. Simple as that.
I also suspect the amount of criminal reward at stake determines the amount of effort the "bad guys" will expend in cracking something and a single sign on for your bank, auction sites, pay pal, email etc. would prove very tempting indeed.
Personally I'll stick with my current myriad user name, password combinations thanks.
Sky subscribers are morons. They pay to be advertised at !
Lasso is another free (GPL) implementation of the liberty specs. It is still in heavy development but compatibility against SourceID (PingID solution) has been achieved.
.NET actually), integration in existing website is easy (well, it will be much easier when the documentation is completed).
The great thing in Lasso is the language bindings; PHP, Python, Java, C# (anything
E-commerce Single Sign-On exists and it's name is PayPal.
You can shop in thousands of stores at eBay.
Even if you are a Slashdot Geek you can use your PayPal acount at Source Forge.
Google search Paypal Donate returns a lot of blogs, open source projects and other webs that belive that Paypal it's the Single Sign-On E-commerce solution.
85 % growth and 437.60M revenue says something about it.
My city: Barcelona.
"Access Denied."
Omelet Du Fromage!
"Access Denied."
Omelet Du Fromage!!!
"Access Denied: Self destruct mechanism activated...5"
GRRRRRRR!!!! OMELET DU FROMAGE!!
"...4"
OMELET DU FROMAGE!!
"...3"
OMELET DU FROMAGE!! OMELETE DU FROMANGE !!
"...2"
OMELET DU FROMAGE!! OMELETE DU FROMANGE !! OMELETE DU FROMANGE !!
"...1"
KABOOOOOM!!!
--
Registered .sig quotient : 1337
Our chief SSO is Athens... ...no... *Amongst* our SSOs.... Amongst our Single Sign-On solutions...are such elements as...
Athens and MS Passport...MS Passport and Athens....
Our two SSOs are MS Passport and Athens...and Paypal....
Our *three* SSOs are MS Passport, Athens, and Paypal...
and an almost fanatical devotion to Bill Gates....
Our *four*
Security of the database is. Availability of the source helps to make sure that that has no flaws, but that's useless if an insider rips off a portion of the db to sell to the highest bidder.
Even ignoring that, they at least have access to statistical and marketing data on who visits what sites when, potentially even how much they spend; that could be quite valuable to the right people.
It's official. Most of you are morons.
And tried it, and tried it. Everyone and their cousin set up some "adult verification" affiliate network, to the point where there's so damned many of them, with such scant content you may as well not have any consolidation of logins.
How is this any different? Why can any of these parties succeed where pornographers have failed? IS MICROSOFT BETTER THAN SMUT PEDDLERS?
Not to bang on these guys, but for an open, non-commercial, distributed identity system, with working code, see Identity Commons.
The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
In "the real world" I have several different ID numbers:
SSN
Bank account number (more than one)
Credit card number (more than one)
Employee ID
Student ID
Drivers license number
Supermarket loyaty discount card number
Blockbuster/Movie Gallery number
Library Card number
Auto/Home/Medical insurance ID
Voter Registration ID
I think I'm better off having those as separate numbers, and just keeping the cards around so I don't have to remember them. Why should online be any different? Can you imagine a world where all those numbers are the same, and are maybe our telephone number for instance (making everyting easy to remember). Scary.
The Denver Post seemed to help Ping hype up its open source roots, but I was at the Digital ID World confrence and the solution that impressed me as both a consumer and site developer was SXIP (pronounced skip). This is a PKI-like solution where any web sit you log on to can be a Home site and any web site you want to access without loging on to can be a Member site. Once I've logged on to the homesite of my choice, member sites can easily get any info about me that I've allowed from my home site with homesite lookup and encryption handled by the SXIP root site. Kind of like MS Passport, but I choose exactly who gets what information and I only have to establish an account with my favorite login site (such as, say, slashdot).
IMO, the solution is to make private keys a real physical thing: similar in form factor to a USB key drive. It would store the private key, and have a small CPU that could encrypt/decrypt small messages using that private key. It would not be capable of transmitting the private key itself.
The masses will never go for private keys that live on hard drives, and a good thing too because they would get compromised all the time! But ordinary people could understand the idea that they need to put a key in their computer to buy stuff online, the way they put a key in their car to turn it on.
I have a single memorized passphrase and generate a new password for each site by hashing it with the hostname. This bookmarklet asks for the passphrase, grabs the hostname from the current URL, MD5s them, and inserts the first 8 characters of the result into each password field on the current page. It's all done locally in Javascript so nothing secret is passed across the 'net which makes it secure except for shoulder-surfers and keyloggers - good enough for most stuff. And it has the great advantage that there's no locked file of passwords to lose.