Slashdot Mirror

← Back to Stories (view on slashdot.org)

E-commerce Single Sign-On Not Dead Yet

Posted by timothy on from the he'll-have-to-do-a-lot-of-convincing dept.

FullyIonized writes "A few years ago Microsoft's Passport technology made headlines as Microsoft predicted e-commerce nirvana and conspiracists predicted a new Big Brother. Not to be outdone, Sun spearheaded the Liberty Alliance . Years later, I still don't have a single sign-on, not that that's a bad thing. Enter Andre Durand who started his first business with BBS software, then headed up Jabber, and now has started Ping Identity. The big distinction: the federated identity software is open-source. The Denver Post has the story."

25 of 200 comments (clear)

  1. single logon means.. by gl4ss · · Score: 4, Insightful

    ..single login to phish.

    'nuff said(that's enough, not snuff).

    --
    world was created 5 seconds before this post as it is.
    1. Re:single logon means.. by IO+ERROR · · Score: 5, Insightful
      single login to phish.

      And how many people use the same username and password everywhere already? There are so many websites out there, each wanting you to sign up, that it's impossible for any human to memorize hundreds of usernames and passwords. They all wind up being the same, or very close to the same. Or worse, they get written down on a piece of paper under the keyboard.

      --
      How am I supposed to fit a pithy, relevant quote into 120 characters?
    2. Re:single logon means.. by mdfst13 · · Score: 4, Insightful

      "Because you don't have the choice to decide yourself wether a given login is important enough to justify a different password."

      Why not?

      Seriously, why not. It would be easy enough to add the ability to specify an extra password for certain accounts. If that's not in the various solutions that are currently available, that's a weakness in the *solutions*, not the concept. I couldn't find any information explaining if SAML or Ping's implementation included this capability or not. If they do not, then it should be added.

      Frankly, for most sites with passwords, I don't really need a password at all. For example, with /. I only need it to verify that my computer (and account) is doing the posting. Same thing for recommendations on Amazon (although more authentication is needed for purchases). That's why I currently allow those sites (and others) to store my login info in cookies.

    3. Re:single logon means.. by ArsenneLupin · · Score: 3, Interesting
      And how many people use the same username and password everywhere already? There are so many websites out there, each wanting you to sign up,

      Solution: classes of passwords.

      • The stuff that you really care about (your bank account, your login at your computer at home, ...) all gets different passwords
      • The stuff that you care a little bit less about (bug reporting sites for various software, Slashdot, wikipedia, etc.) share a password. Note: when vandalizing wikipedia, you should use different passwords for your different trolling accounts, because they can (and do...) correlate various trolls by their passwords. So you just use login concatenated with your_common_password.
      • The stuff that you care even less about (NYT, other online papers, ...) share another password
      • That stuff that you care still less about (password at work, ...) yet another one
      Stuff of same "security level" shares same password, so things stay manageable, while still keeping reasonable security.
    4. Re:single logon means.. by Anonymous Coward · · Score: 3, Insightful

      If you're talking about putting the passwords on a networked device vs writing it/printing it on paper for security then the latter is more secure.

      The risks from the latter are known, can be evaluated and can be stopped. They pretty much boil down to stopping anyone else seeing the paper before you destroy it and trusting your staff. The risks from the former are unknown, how many holes are there in your network & software.

      I'm not sure what you mean by "protected database". They can't use one-way encryption on the passwords because they wouldn't be able to get them back out of the database. Even with key encryption you're then back to how safe the physical storage of the keys is which is the same issue as writing down the password ...only now you've added a lot more software (hence risk) into the equation.

  2. What's wrong with... by lawpoop · · Score: 5, Interesting
    PGP for online transactions? Heck, even stupid stuff like bulletin boards and slashdot. I'm sick of having to make up new user ids and secure passwords for every freakin' site on the web. Why not just let everyone post PGP signed messages?

    Seriously, I'm not asking in jest. Is there a problem with the technology as it stands?

    --
    Computers are useless. They can only give you answers.
    -- Pablo Picasso
    1. Re:What's wrong with... by onion2k · · Score: 3, Insightful

      Seriously, I'm not asking in jest. Is there a problem with the technology as it stands?

      Yes. It'd be a pain in the arse for web developers.

      All these single sign-in systems are made (or broken) by the web developers who implement them in the sites they build. If theres an easy way to integrate the technology into your code quickly and cheaply then people will put it in. If it takes a week of reading docs and another week of coding then its never going to get used by the people who'll be rolling it out onto the net.

      --
      http://twitter.com/onion2k
    2. Re:What's wrong with... by otisaardvark · · Score: 4, Insightful
      These are just observations, and some of them are very overcomeable and possibly stupid.

      Security of private keys. This is not really different from security of any other 'passphrase' except it is local.

      Computation. Especially for bulletin boards - /. has a huge number of comments every day. To PGP-process each one would require much more expense on their side with no obvious benefits.

      Trusted key repositories. If something like this was to become huge then you would need central databases of everyone's public keys (far more scalable than current incarnations). This is tied in with:

      Identity management. There is nothing stopping you from having multiple public/private key combinations. (OK, there is nothing stopping you from having multiple /. accounts). But there are uses where you need uniqueness online. Yes, this is also a problem for any single sign-on scheme. Verification has privacy implications unless handled very carefully.

      Single point of failure. Regardless of how well tested the PGP encryption algorithms are, cryptanalysis will continue. Security should almost always have breadth to increase resilience. To be honest I would probably consider this to be an acceptable risk for non-critical uses.

      Training. In order to be useful a lot of people have to use PGP. The concept of a username/passphrase is far easier to digest than PGP-signing.

      There are probably many other obvious concerns. Note: it could easily become widespread, but I'm just saying that there are issues which need to be addressed.

  3. About time too by samael · · Score: 4, Insightful

    There's no way I can keep track of the 200-odd different passwords I have - so they all end up being simple variants of the same one. Federated single sign on would be a boon - if it was handled correctly.

    --
    My Journal
    1. Re:About time too by oexeo · · Score: 5, Funny

      > There's no way I can keep track of the 200-odd different passwords I have

      Don't worry, I keep track of all your passwords for you

  4. .NET Passport helps you sell out your children by Anonymous Coward · · Score: 5, Interesting

    "Kids Passport helps participating sites and services obtain parental consent to collect, use, or disclose a child's personal information. You or your child can register his or her .NET Passport account."

    As opposed to "...will ensure children's personal information is kept confidential...".

  5. Why? by JNighthawk · · Score: 3, Informative

    Why do you have so many different passwords? Just come up with a few sufficienly complex ones. I've got 4 different passwords that I use, each having their own "security level". Slashdot is a level 1, since I don't care about someone stealing my account here, whereas my account for World of Warcraft is a level 4 :-P

    --
    Wheel in the sky keeps on turnin'.
  6. sourceid.org by Ized · · Score: 5, Informative

    Incase somebody is wondering where the open-source implementation of Ping ID is hiding, it's here:
    Sourceid.org

  7. Funniest part of the article by LeninZhiv · · Score: 4, Funny

    Durand heads to the cocktail bar, reaches behind it and grabs a brand-new $200 Nokia N-Gage. Any self-respecting geek knows it's the coolest combination cellphone, e-mail device and video game around.

    Greatest unintentional humour of the year!

  8. Here's how it actually works by bjpirt · · Score: 5, Informative

    Why is there no link to the actual ping identity website in the submission?

  9. A crackers dream by Underholdning · · Score: 3, Interesting

    Hack once, use everywhere.
    Seriously - all the sites that I would trust a single-sign-on thingy already have that. I use the same password at all those less important places. (I'll probably get bashed to hell for this, but I'm sure most of you do the same)

    --
    Underholdning.info
  10. The article just lost any credibility it had by Anonymous Coward · · Score: 3, Funny

    Durand heads to the cocktail bar, reaches behind it and grabs a brand-new $200 Nokia N-Gage. Any self-respecting geek knows it's the coolest combination cellphone, e-mail device and video game around.

    I take ithe authour has never spoken to any geek besides his 12 year old nephew who 'knows computers'

  11. SSO in UK by deletedaccount · · Score: 3, Informative

    There is a sucessful SSO mechanism used by the education and health sectors in the UK. It has around 3 million users and over 250 target resources. It's called Athens and has been around for years. Eduserv Athens website

  12. Ho hum.... by TractorBarry · · Score: 4, Insightful

    Single sign on schemes.

    Single operating system monoculture.

    Single biometric identity card/device.

    etc. etc. et-bloody-c.

    All are worthless. Why ? because a single breach and the entire wall falls down.

    And there never has been. nor will there ever be, an uncrackable code/security system. Human(s) devised it. Other human(s) will crack it. Simple as that.

    I also suspect the amount of criminal reward at stake determines the amount of effort the "bad guys" will expend in cracking something and a single sign on for your bank, auction sites, pay pal, email etc. would prove very tempting indeed.

    Personally I'll stick with my current myriad user name, password combinations thanks.

    --
    Sky subscribers are morons. They pay to be advertised at !
  13. Another free Liberty implementation by Dr+Schizzo · · Score: 3, Interesting

    Lasso is another free (GPL) implementation of the liberty specs. It is still in heavy development but compatibility against SourceID (PingID solution) has been achieved.

    The great thing in Lasso is the language bindings; PHP, Python, Java, C# (anything .NET actually), integration in existing website is easy (well, it will be much easier when the documentation is completed).

  14. E-commerce Single Sign-On: Paypal by Uukrul · · Score: 3, Insightful

    E-commerce Single Sign-On exists and it's name is PayPal.
    You can shop in thousands of stores at eBay.
    Even if you are a Slashdot Geek you can use your PayPal acount at Source Forge.
    Google search Paypal Donate returns a lot of blogs, open source projects and other webs that belive that Paypal it's the Single Sign-On E-commerce solution.

    85 % growth and 437.60M revenue says something about it.

    --
    My city: Barcelona.
  15. Omelet Du Fromage by Invalid+Character · · Score: 3, Funny
    Omelet Du Fromage.
    "Access Denied."
    Omelet Du Fromage!
    "Access Denied."
    Omelet Du Fromage!!!
    "Access Denied: Self destruct mechanism activated...5"
    GRRRRRRR!!!! OMELET DU FROMAGE!!
    "...4"
    OMELET DU FROMAGE!!
    "...3"
    OMELET DU FROMAGE!! OMELETE DU FROMANGE !!
    "...2"
    OMELET DU FROMAGE!! OMELETE DU FROMANGE !! OMELETE DU FROMANGE !!
    "...1"
    KABOOOOOM!!!

    //Dunno if any of you ever remember/watched dexter's lab?

    --

    --

    Registered .sig quotient : 1337

  16. Porn tried this... by AndyChrist · · Score: 3, Funny

    And tried it, and tried it. Everyone and their cousin set up some "adult verification" affiliate network, to the point where there's so damned many of them, with such scant content you may as well not have any consolidation of logins.

    How is this any different? Why can any of these parties succeed where pornographers have failed? IS MICROSOFT BETTER THAN SMUT PEDDLERS?

  17. Identity Commons by The+Pim · · Score: 3, Interesting

    Not to bang on these guys, but for an open, non-commercial, distributed identity system, with working code, see Identity Commons.

    --

    The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
  18. Why do we need a single sign on anyway? by techstar25 · · Score: 3, Interesting

    In "the real world" I have several different ID numbers:
    SSN
    Bank account number (more than one)
    Credit card number (more than one)
    Employee ID
    Student ID
    Drivers license number
    Supermarket loyaty discount card number
    Blockbuster/Movie Gallery number
    Library Card number
    Auto/Home/Medical insurance ID
    Voter Registration ID
    I think I'm better off having those as separate numbers, and just keeping the cards around so I don't have to remember them. Why should online be any different? Can you imagine a world where all those numbers are the same, and are maybe our telephone number for instance (making everyting easy to remember). Scary.