Slashdot Mirror
Will Facebook Become the Net's SSO?
lordDallan writes "Simson Garfinkel at MIT Technology Review muses on the idea of your Facebook account becoming an 'Internet Driver's License', ruminating on the idea of an individual's Facebook login becoming their single sign on for the web. I say NO THANKS!!"
(Satire)
I think his name might manage to infringe copyright on the Simpsons and Simon&Garfunkel at the same time.
(Satire)
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
My single-site login would be the sound of silence, as I have no Facebook account.
...but I kind of do now.
If FB becomes the Net's SSO, it better have the following features, or else people are betting their privacy and reputation on something quite unproven:
1: Ability to have two factor authentication. OpenID isn't perfect, but one can use a VASCO token with it. The cream of the crop would be SecurID tokens. Of course, using SMS or apps on Android/iOS/BlackberryOS/etc. would be useful too.
2: If a site asks for authentication via FB, a way to ensure that the login page is genuine. PayPal is good at this. I worry about people getting spoofed by a SSL page with a FB login that isn't really from FB proper.
3: Better password recovery in case tokens get lost/stolen. At the minimum, better questions than "what is your dog's name?" Of course, the answers to these are stored as mentioned in #4 here.
4: Solid password storage. Crypto 101 here: You never store a password. Ideally, you never store a result value. What you store is some known text encrypted with the password hash (hashed a number of times to slow down brute forcing). TrueCrypt's password mechanism is the best out there.
5: A third party vetting this security mechanism. This doesn't need to be FIPS compliant (it should be though), but at least have some validation from an independent source that the authentication is done right, the data center is secure, etc.
6: SSL with all contact throughout the authentication process. This is a basic thing, but for performance reasons, sites don't like using SSL unless forced to.
7: Ideally, posting the SSL keys on some other source, so one can tell if a CA is spoofing the cert or not.
8: It's corny, but consider a unique login picture per user that is used at some sites, Yahoo being the most widely used. This way, when you enter your username, if you don't get the picture, you likely got phished.
9: Store passwords of unlimited length. I've seen too many sites which ignore any characters after the eighth one.
10: Have the ability to turn off third party logins either temporarily or permanently. For example, if one is going on vacation with no Internet connections, the ability to disable SSO logins until they come back is a solid security measure.
Getting tired of facebook and the attention whores who live there. Now they want it to be an SSO. Hey let's put all our eggs into a single basket, make everything depend on this single site that we don't actually control that can delete our accounts or pull its content anytime they want. Oooh ooh, and you surrender all control of anything you upload to it as a bonus which you'd know if you actually read its ToS/privacy policies! What could possibly go wrong if we used this as our SSO? Not a damn thing that's what. Proceed. Carry on. When it blows up in your face or an outage proves to you why over-reliance on a single site is a Bad Idea(tm) you'll understand why the rest of us didn't want to.
There's nothing novel or technically interesting about Facebook. It is not the be-all and end-all of useful tools. It's a way to build a vanity page for people who are too lazy to learn HTML. The appeal to lazy stupid people who hate learning something new is the only reason it became known to the mainstream popular media. That's all it is and ever was. End of fascination. Can we stop trying to find uses for it that have nothing whatsoever to do with its intended purpose? I mean hammers make wonderful paperweights but they're a lot more useful for driving nails.
Hehe, and we will look fondly back on the days when we thought having an embarrassing DMV picture on your driver's license was a problem.
I don't know if we could honestly implement this in any serious way. I know that 90% of what I post to Facebook is little more than crap, lies, and flamebait to prank my friends on the internet. There's nothing like watching one of your good buddies get all worked up over a Youtube video that doesn't really mean anything. Most of my FB contacts are aware of the nature of my profile, and, therefore, take my senseless BS tongue in cheek so it works out okay. If that profile starts being used as some sort of license (to do what exactly, access internet content?) then that license is going to be issued to a person that is fundamentally different in all dealings, social or otherwise, than the person that I am face to face, or, hell for that matter, different than even my Slashdot user account.
One of my coworkers likes to say that the thing people tend to forget is that the internet isn't real. I would say that goes doubly so for user made pages like Facebook, where you can post whatever you want after a healthy dose of Photoshop, trolled Wikipedia references, and sketchy video editing techniques.
Motorcycles, Robots, Space Gossip and More!
If FB becomes the Net's SSO, it better have the following features, or else people are betting their privacy and reputation on something quite unproven
So we can pretty much assume that people will sign up for this by the million...
Microsoft issued me a Passport in about 1995.
It gets me into everything...that Microsoft controls that links up with it. Which is to say, a lot of stuff I haven't logged into since about 1995.
Web 1.0 didn't sell much of anything; it was OUR web. Web 2.0 is when the corporations took over.
Free Martian Whores!
"...whether the Internet needs an "identity layer"—a uniform protocol for authenticating users' identities..."
Supplied by a top-5 candidate for privacy destruction? So we've had big computing companies battling it out to be the Web Gatekeeper, and they want to go "C-Other-Give it to Facebook" ?!
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
I am posting anonymously because he knows me and I know him
Simson is brilliant and understands technology well, but he is one of those people for whom you "have to hold the bus" as another article puts it.
He tends to get too excited about technology and he misses many of the human factor issues.
For example here he gets all excited about using Facebook as a form of identification, but then he points out that Facebook is very quick to revoke your account. What good is identification if it can be revoked? If it really is "identification" then everyone needs to have it. Hey Simpson, did you forget about that?
The entire user-base of the Internet actually includes a significant number of people with clue. They are not going to go for this. So, a SSO for the clueless? Maybe, but nothing approaching the "driver's license" bar for credibility.
HELL NO
NO.
No, no, no, no, no, NOOOOOOO NO.
NO!!!!
I'd argue against this, but it's just such a giant pile of fail I don't know where to start.
How about this; like hell am I handing Facebook access to every other account I own.
Did I mention... NO?
Why the hell would you give a privately owned company, based in a single country, the right to hold Internet users' single login "license"? Why? Even with the all those features you require.
Did't Microsoft already try this idea, but the other social networking sites have just left them in the dust. This is almost like Microsoft's VM's . When I heard of that I said, yeh we call that time sharing and we had it in the early 70's with Mini Computers. Now that micro processors grew into that power footprint, they re-discovered an old technology. History does repeat itself in a never ending spiral. One hopes not a death one.
Seriously? On what planet do you live in which anyone with even a quarter of a clue would entrust their entire authentication service to Facebook?
You want single sign on? Its already there. Its called Kerberos, when coupled with a proper DNS setup it provides global SSO, in a secure manner, without handing it all off to one company that everyone has to depend on and everyone gets fucked when they break or get hacked.
Browsers support Kerberos.
Many apps (at least the ones where security actually matters) support Kerberos.
Its cross platform.
It requires practically 0 setup for a user NOW and with even slightly better application integration it can be brought down to 0.
It doesn't require that I trust people trying to authenticate me with my password. If I want to login to Facebook using my work user account, Facebook never gets my authentication tokens or anything even remotely resembling them, they just get a ticket we share for that session.
Its tried and true and was designed for this purpose.
Again, it doesn't depend on any one provider, it works the way the net was supposed to work.
Kerberos is the net's SSO, its just ignorance like this article and companies who want to keep you locked into their systems are trying hard to ignore it.
We already have SSO, no one uses it.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
This would be a very bad thing, for so many reasons.
I created a FaceBook account just to prevent others from doing so with my name, with no intention of using it. I never posted a thing, never "friended" anyone, never engaged in any activity whatsoever. Yet all of a sudden when I visit unrelated sites, I'm being greeted by the Facebook account name in various banners, etc. through Facebook's tracking. Deleting the account was a nightmare. I've had to use AdBlock and other anti-spyware software to block *.facebook.com, and I'm sure that even that is insufficient. Facebook has a profile on me, and you just and simply cannot opt out.
In absolute seriousness. I'd sooner trust Ballmer or Ellison than Zuckerberg, and I'd rather not have to trust any of them.
Everybody gets what the majority deserves.
I wish people would stop thinking this is useful.
Any phishing site worth its weight in salt will simply pull in your picture from the real site and display it to you.
I've created example sites to demonstrate this very issue with Bank of America's system which does this.
The picture is essentially public information since you don't have to actually authenticate in order to see it so anyone can see it and redisplay it too you.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
I don't know what's worse, having a web SSO service offered by a for-profit, or having one operated by the government.
It won't become the internet's SSO, simply because it requires way too many companies to willingly put way too much power into the hands of a partner that probably does not have their interests at heart. Microsoft already tried a passport years back.
At best, it will become a secondary feature on some websites, but not a required one.
I don't even trust OpenID, much less Facebook. Plus, I'm not going to let a host of important accounts be compromised by a single sign in -- it would be fine for forums and the like, but not anything of even moderate importance.
Personally, I'd never want one entity to have the keys to the kingdom. Not MS with Passport/.NET, not FB, not OpenID, nobody. I'd rather use passwords that can be memorized, a password list stored on my smartphone, or passwords stored in Firefox. I rather pack my own parachute than have not just my ID from FB connected with tons of sites, but possibly my password.
However, if people want a SSO, with their eggs in one basket, lets at least have the basket made from something stronger than crepe paper strips and a generic white glue.
This is already happening where sites depend on another for authentication. If you want Cydia to recognize you and allow you access to purchased apps, you have to authenticate from Google or FB. Someone hacks the account that the Cydia stuff depends on, they can lock a person out of hundreds of dollars of purchased items, or even possibly rack up significant charges if an Amazon login is tied in with that.
Ideally, if a website is constructed from scratch for others to use it as a SSO, it should have not just top notch security (goot luck with this, as most PHBs view security as having no ROI), as well as allow for multiple personas with no way that subscriber sites, either by ad cookies, Flash shared objects or other means can tie the personas together. If a site can't offer this, they at least need to be able to deal with multiple users from the same person.
So some academic at MIT has "re"discovered the Microsoft Passport, huh? Microsoft wanted a piece of that action over 10 years ago. It didn't work. Everything old is new again... to some people anyway.
Seven puppies were harmed during the making of this post.
Especially considering that FB is one of the most unethical companies out there.
/* TODO: Spawn child process, interest child in technology, have child write a new sig */
Seriously.
It's in the final stages of a social networking site: where the investors, including some big outside investment firms, try to "monetize" the user base by pulling out all the stops with ads, apps, and selling people's personal information. All that needs to happen is some plucky college kid making his own social networking site, just for his friends on campus, as a way to stay away from all the sillyness of Facebook, and Facebook will collapse within a couple of years. Just like MySpace did.
I am officially gone from
We've already seen Peak Facebook.
From here on, it is on its way to becoming another My Space for the meat market crowd. It will always be around I suppose, sort of like AOL.
Whatever is next is will be far more mobile device oriented, far more secure, and sign-on will be handled by credentials management in the device itself.
No need for a single sign for anything on the web any more. The concept is flawed, risky, and un-needed.
Sig Battery depleted. Reverting to safe mode.
It's called OpenID, http://www.openid.net./ move along, nothing to see here.
Never say never. Ah!! I did it again!
How about "My Ass!"
Or "What's dumbshit for "HELL FUCKING NO" you asshole?"
Or "What kinda goddamn drugs are YOU on?"
Seriously. What sort of intellectual cripple actually thinks (and I use the term forgivingly) using a known privacy offender and security whipping boy like Facebook as a single-sign-on?
Fuck Single Sign-On. It's single point of failure.
Chas - The one, the only.
THANK GOD!!!
"Web 2.0- a buzzword with no meaning at all."
I thought it was a trademark of O'Reilly Media for hyping one of their internet conferences. Why people used it beyond that, I still don't understand. People have been doing "web-2.0"-like-stuff on the internet (user-contributed content on mailing lists & public FTP sites; appliances on the internet (like the CMU coke machines, where even the softdrink delivery guy could update the internet)) long before HTTP was invented.
It's called OpenID, http://www.openid.net./ [www.openid.net] move along, nothing to see here.
The problem with OpenID is that, while lots of big sites will let you use your account with that site as an OpenID (acting as OpenID providers), fewer actually accept foreign OpenID for logon.
Everyone wants their accounts to be the web's single-sign-on, but almost no one big wants to accept sign-ons from elsewhere.
Using Facebook as a SSO. I can nick someone's session cookie if he's on my same network - and yet we can trust the same company which is there to sell your profile information - with out important logins?
Right..
It isn't even the privately owned part that concerns me the most, it's the consolidation of power. Many of the most corrupt organizations and corporations on earth are government entities, so government control wouldn't alleviate the issue either. Corruption happens as soon as person is involved and has the ability/power to abuse their position. The only way to minimize it's damage is to diversify authority, a single point of authentication is a single point of failure and abuse.
OpenID isn't a "one entity", it's a protocol. You can run your own OpenID server if you want to, or do as I do, which is implement the "redirection" mechanism (my webpage URL is the login entry-point, but redirects to a different provider for authentication). That way, you can change providers at any time without losing access to anything.
Dilbert RSS feed
I agree. Why for instance are they trying so hard to remain a privately financed company? Because they do not want the public to know how they really make their money. The only way they can be valued at $50B is if they are selling their users' data to the highest bidders.
"Crude and slow, clansman. Your attack was no better than that of a clumsy child."
If multiple people use the same computer- it gets worse.
There is another level where it *requires* that you give it a unique phone mobile number and locks your account until you do. If you put in a number, it sends you a text with an unlocking code.
Fortunately, you can simply create a new account (but good bye farmville, citiville, etc. anything you spent time on to get progress) and point all your friends to your new account. the old account can still be seen but you can't log into it without giving your mobile phone number.
Facebook is so untrustworthy with my personal information and privacy that there is NO WAY IN HELL that I want it to be my SSO provider.
I don't even like the concept of SSO because if ANYONE breaks it, you would be massively screwed all over the place. i want a private signon at my bank, my medical pill companies, my pharmacy, my car company, etc.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
As provided by Fakebook. They unilaterally rescind this, for posting material counter to Zionist hate and colonial extremism. Or for exposing the criminally fraudulent basis for the Federal Reserve Bank and un-coined "fiat money".
These are both among the many topics that have caused users to find their accounts and groups "disappeared" by Frakbuch.
Fortunately, this nonsense will sound completely foolish in a few short years, as "The Social Network" goes the way of CIS, AOL and MySpace....
"Flyin' in just a sweet place,
Never been known to fail..."
1 single point of failure, outside of your control.
You can host your own OpenID server, if you wish, and use that with any site that allows the use of OpenID for logging in (assuming they aren't 100% lame and restrict the server URLs; if they do that, don't use the site). If that doesn't constitute control, I don't know what does. Since the authentication point is a (particular kind of) website, you can use the usual methods for replicating it.
Of course, for these things you'll pay (whether in money, time or effort) but I'm assuming that you believe that it is worth it. It's your choice.
"Little does he know, but there is no 'I' in 'Idiot'!"
You are as wrong as it is possible to be with a statement that simple.
It's not a single point of failure. From the standpoint of availability, nothing prevents an OpenID provider from implementing something as robust as any website, and websites don't generally have single points of failure either. From the standpoint of control, nothing forces you to choose one OpenID provider over another, or even setting up your own.
So no, it's not "outside of your control" -- nothing prevents you from setting up your own OpenID server, with your own software, placing the entire thing entirely under your control.
Don't thank God, thank a doctor!
It's one entity. "Entity" is a flexible word, you know.
The problem is that you are ambiguous by changing the type of entity you're talking about in the middle of the sentence. First you give MS and FB as examples, therefore I think it's not my fault that I infer that you're talking about single providers, which OpenID has none, instead of "a single set of credentials".
Somebody compromises that and you're done with no ability to perform damage control.
If you run your own provider and/or entry point you can shut it down. In my case, I can physically pull the plug and cut their access - the server runs in my home.
You can sing the merits of OpenID all you like. If they have a marketing team maybe you can join up with them.
FFS, just because I said what I said, doesn't mean I consider it the best authentication solution ever. In fact, I agree that long, random passwords for each website are more secure than any of these SSO solutions, and I wouldn't use OpenID for any important login.
Having said that, I think SSO is a convenient solution for the hundreds of websites that ask me to register, and force me to have a password manager which is annoying when I'm accessing the web from different devices, including public computers.
And from all the SSO solutions, OpenID is the only I like, since it's not tied up to a single company or authentication system and I have more control over it than using Google's, for example.
You have still failed to address the core problem with it as a scheme just as you have failed to comprehend what the issue is about.
I understand the issue. You're right, by reading your first line I didn't think that was the issue you were referring to - but I don't agree that it was my fault alone.
This isn't the first post I've seen from you that demonstrates your inability to read a post and reply to what it was actually talking about.
Maybe if you bothered to login I could say the same.
Dilbert RSS feed
At the risk of appearing blunt / insensitive / blablabla - you possibly would miss him much less without reconnection?
One that hath name thou can not otter