Slashdot Mirror


E-commerce Single Sign-On Not Dead Yet

FullyIonized writes "A few years ago Microsoft's Passport technology made headlines as Microsoft predicted e-commerce nirvana and conspiracists predicted a new Big Brother. Not to be outdone, Sun spearheaded the Liberty Alliance . Years later, I still don't have a single sign-on, not that that's a bad thing. Enter Andre Durand who started his first business with BBS software, then headed up Jabber, and now has started Ping Identity. The big distinction: the federated identity software is open-source. The Denver Post has the story."

12 of 200 comments

  1. single logon means.. by gl4ss · Score: 4, Insightful

    ..single login to phish.

    'nuff said (that's enough, not snuff).

    --
    world was created 5 seconds before this post as it is.

    1. Re:single logon means.. by IO+ERROR · Score: 5, Insightful

      > single login to phish.

      And how many people use the same username and password everywhere already? There are so many websites out there, each wanting you to sign up, that it's impossible for any human to memorize hundreds of usernames and passwords. They all wind up being the same, or very close to the same. Or worse, they get written down on a piece of paper under the keyboard.

      --
      How am I supposed to fit a pithy, relevant quote into 120 characters?
    2. Re:single logon means.. by mdfst13 · Score: 4, Insightful

      "Because you don't have the choice to decide yourself whether a given login is important enough to justify a different password."

      Why not?

      Seriously, why not? It would be easy enough to add the ability to specify an extra password for certain accounts. If that's not in the various solutions that are currently available, that's a weakness in the *solutions*, not the concept. I couldn't find any information explaining if SAML or Ping's implementation included this capability or not. If they do not, then it should be added.

      Frankly, for most sites with passwords, I don't really need a password at all. For example, with /. I only need it to verify that my computer (and account) is doing the posting. Same thing for recommendations on Amazon (although more authentication is needed for purchases). That's why I currently allow those sites (and others) to store my login info in cookies.

  2. What's wrong with... by lawpoop · Score: 5, Interesting

    PGP for online transactions? Heck, even stupid stuff like bulletin boards and slashdot. I'm sick of having to make up new user ids and secure passwords for every freakin' site on the web. Why not just let everyone post PGP signed messages?

    Seriously, I'm not asking in jest. Is there a problem with the technology as it stands?

    --
    Computers are useless. They can only give you answers.
    -- Pablo Picasso
    1. Re:What's wrong with... by otisaardvark · Score: 4, Insightful

      These are just observations, and some of them are very overcomable and possibly stupid.

      Security of private keys. This is not really different from security of any other 'passphrase' except it is local.

      Computation. Especially for bulletin boards - /. has a huge number of comments every day. To PGP-process each one would require much more expense on their side with no obvious benefits.

      Trusted key repositories. If something like this was to become huge then you would need central databases of everyone's public keys (far more scalable than current incarnations). This is tied in with:

      Identity management. There is nothing stopping you from having multiple public/private key combinations. (OK, there is nothing stopping you from having multiple /. accounts). But there are uses where you need uniqueness online. Yes, this is also a problem for any single sign-on scheme. Verification has privacy implications unless handled very carefully.

      Single point of failure. Regardless of how well tested the PGP encryption algorithms are, cryptanalysis will continue. Security should almost always have breadth to increase resilience. To be honest I would probably consider this to be an acceptable risk for non-critical uses.

      Training. In order to be useful a lot of people have to use PGP. The concept of a username/passphrase is far easier to digest than PGP-signing.

      There are probably many other obvious concerns. Note: it could easily become widespread, but I'm just saying that there are issues which need to be addressed.

  3. About time too by samael · Score: 4, Insightful

    There's no way I can keep track of the 200-odd different passwords I have - so they all end up being simple variants of the same one. Federated single sign-on would be a boon - if it was handled correctly.

    1. Re:About time too by oexeo · Score: 5, Funny

      > There's no way I can keep track of the 200-odd different passwords I have

      Don't worry, I keep track of all your passwords for you

  4. .NET Passport helps you sell out your children by Anonymous Coward · Score: 5, Interesting

    "Kids Passport helps participating sites and services obtain parental consent to collect, use, or disclose a child's personal information. You or your child can register his or her .NET Passport account."

    As opposed to "...will ensure children's personal information is kept confidential...".

  5. sourceid.org by Ized · Score: 5, Informative

    In case somebody is wondering where the open-source implementation of Ping ID is hiding, it's here:
    Sourceid.org

  6. Funniest part of the article by LeninZhiv · Score: 4, Funny

    Durand heads to the cocktail bar, reaches behind it and grabs a brand-new $200 Nokia N-Gage. Any self-respecting geek knows it's the coolest combination cellphone, e-mail device and video game around.

    Greatest unintentional humour of the year!

  7. Here's how it actually works by bjpirt · Score: 5, Informative

    Why is there no link to the actual ping identity website in the submission?

  8. Ho hum.... by TractorBarry · Score: 4, Insightful

    Single sign on schemes.

    Single operating system monoculture.

    Single biometric identity card/device.

    etc. etc. et-bloody-c.

    All are worthless. Why? Because a single breach and the entire wall falls down.

    And there never has been, nor will there ever be, an uncrackable code/security system. Human(s) devised it. Other human(s) will crack it. Simple as that.

    I also suspect the amount of criminal reward at stake determines the amount of effort the "bad guys" will expend in cracking something, and a single sign-on for your bank, auction sites, PayPal, email etc. would prove very tempting indeed.

    Personally, I'll stick with my current myriad username/password combinations, thanks.

    --
    Sky subscribers are morons. They pay to be advertised at!