Ask Slashdot: What's Holding Up Single Sign-On?
An anonymous reader writes "Like most web users these days, I have enough accounts on enough websites – most of which have *inconsistent* password syntax restrictions — that when I need to log into a site I don't visit very often, I now basically just hit the "Forgot Password" button immediately. Microsoft's "Passport" gave us the promise of a single web sign-on. What happened to that idea? Why hasn't some bright spark (or ubiquitous web corporation) already made a fortune standardizing on one? I can now buy my coffee with my phone. Why do I have to still scratch my passwords on the underside of my desk?"
Single breach of security.
Who is worthy of yours? I see Facebook SSO everywhere, but I don't want to be any part of Facebook.
I'll give you a single sign-on! Send all your login information to me and I'll set something up...
And most people don't want it.
Users don't want everything tied to a single identifier, particularly one controlled by Microsoft, Google, Facebook or some other company.
Single sign-on means that if you're compromised once you're compromised everywhere.
FB is becoming more and more of a single sign on.
The real reason holding it back is that the people who make the websites are either too lazy to include it (i.e. blogging sites) or want increased security (a.k.a. financial sites).
Would you trust a convicted monopolist with your keys?
Password Hasher could happily provide you with 26 character strong passwords without the hassle of remembering them.
I noticed some of the sites allow you to link your Facebook and/or Windows Live as your login credentials.
Facebook has made one of the largest pushes into this area. Has it worked? I'm not sure, just because I tend to prefer to not tie my various accounts to Facebook. I assume some people feel the same way, but I suspect the population at large likes this.
Single sign-on is either:
1) Simple, but centralized, prone to tracking and to the one-account-to-hack-them-all problem.
2) Highly complicated, and thus insecure.
You either get SIGN IN WITH FACEBOOK, which means you turn all your data over to some retarded megacorporation, or you get SIGN IN WITH SHIBBOLETH, which means you get to spend six years wading through XML and Tomcat stack traces.
Why would you want to increase the damage a hacker can do when an account is compromised?
Do you really trust all of the corporate parties involved to implement this in a secure manner?
What's holding up single sign-on?
Three simple words:
DO NOT WANT
It's impossible to find someone everyone trusts.
Also what happens once the central repository is compromised?
Facebook, OpenID, Yahoo, AOL, Google, Microsoft - they all support SSO for websites that want to use it. It's just a matter of the individual websites implementing it.
If you notice, Slashdot has even implemented it.
Because no one has a truly secure solution that won't be hacked by a 12-year-old exposing all of your 'secure' accounts in one step. Right now, as long as you don't use the same login and password for every online account, you only suffer minor losses if one account gets hacked. With a single sign-on you have just reduced their workload to one effort.
I have Single Sign On. It's called keepass.
I simply use the same password for everything! Brilliant, I know!
Last Pass
There's Mozilla's Browser ID, which is used nowhere. Google, Yahoo, et al. seem to have been 'bundled' into the Disqus 'platform' across various sites. I think it's more that no one wants to give up 'control' of their user data and associated metrics to a single open standard. By forcing users to continue to sign up for their 'services' they get to collect whatever they want through the use of EULAs, ToS', etc. For their own ends, of course.
In the meantime, check out https://lastpass.com/ - you get to use a single password to protect all of your other passwords. You can generate random ones and store the passwords in the cloud, so they are accessible to you anywhere. I cannot do justice here to the security and features offered.
Essentially you visit a site, and LastPass fills in the username/password for you.
I've tried Open ID through Google to sign in to Slashdot but can't get it to work.
The technology is already available - OpenID and several other standards are ready to go.
The trouble is that everyone wants to be the ID provider, but no one wants to accept other providers. Passport is a great example - Microsoft wants to be the central gatekeeper. Well thanks, but no, I'd rather run my own, but of course MS won't accept it.
So we're now in a standoff.
I manage my passwords with LastPass, the service that Steve Gibson from GRC has vetted to be safe and secure.
I shouldn't have to link the obligatory XKCD comic (927), but it's all down to standards. Google, Salesforce and a few other important SaaS apps support SAML. If you need form stuffing "HTTP-Fed" and / or SAML then you could use something like Symplified. Otherwise if you're SAML only, use Ping.
This is a really bad idea across the board. First you would have to get a bunch of web sites to agree on a set of standards - really have you looked at what clusterf*ck most standards have turned into? Assuming you can somehow make the first one happen with the blessing of the FSM on the second harvest moon of the year you still have a problem.
You have now just made /any/ website that did somehow join your standard much more profitable. Why? Users are lazy, not only do they share passwords they also typically share user names if they can get away with it.
What's the big deal? Because you find the least secure website that follows your password schema and you crack it. You now have the passwords, user names and email addresses for a low-rent web site. However, since you have conveniently set your password tool to share passwords (and assumedly the user names that attach to those passwords) you have a bigger problem. Now your black hat is going to take a select few user names and passwords and log into much more valuable websites.
Think of it as cracking the combination to the bank vault by figuring out the combination of the bank manager's personal bike lock. Bad idea, I hope it dies in a fire.
There are solutions for SSO such as OpenID, etc., but site owners have to make their own choice. There is also the issue of how much I trust Google/Yahoo/Facebook/OpenID/etc. with allowing access into my system, and what assurances I have that they won't pull the plug.
Free services could change or disappear and probably won't offer any level of service since it is free unless you pay.
Paying makes it more expensive than just rolling your own.
I use a solution like LastPass to manage it all with easy sync. Again I had to put a lot of trust into them, and they could disappear; but it is free so that is part of the trade off. Users aren't willing to pay much in reality.
SSO simply isn't cheap enough in monetary sense and service availability sense.
OK, the problem with Single Sign On is the fact that we are all going to choose a company for the SSO.
Do enough of us really trust Microsoft, who has been in the headlines for massive security breaches?
How about Facebook, you know, those guys who take your data and send it to everyone on the face of the earth?
Perhaps Google? You will get targeted ads based on every place you log in to.
OpenID? How much do you really trust a bunch of hairy-toed programmers who go to these black hat hacking events?
Some distributed architectural system where you can find many points of weakness from some amateur setup?
That is the problem with Single Sign On. We just don't have any trust in these sources. And to have one that you trust enough for the rest of the world?
1. Facebook Connect. Remember that Facebook only knows what you tell it. You could always make an account with only the required fields filled out, NEVER use it as intended (set all the security/privacy to the highest and don't ever friend anyone, join any groups, or "like" anything), and just use that as your SSO solution. Or if you simply refuse to use Facebook at all: 2. LastPass. Can't say enough about these guys. It is FREE and just works.
Many people have very secure passwords, and good schemes to secure them, generate unique ones for each site, etc. So if my password for a site is "Lkjsdf834kklLKjlkj90uKLjh89yhLK98" - that could be very secure. But if some arbitrary site has a rule that states "Your password must have at least one punctuation character in it" - it rejects my password. Now, the system I have in place to generate unique, memorable, hard-to-crack passwords can't be used with this site.
Now, I need to generate and remember something special for this site, many of which are silly sites that I don't care about which make me login/register, to which I would never even care if my password was revealed. (Like someone would be able to post a comment on a news article under a username that vaguely mimics my real name, etc.)
So my point was....(I forgot what it was....)
I use SSO on a daily basis... whether using Google's implementation of OpenID, or Microsoft's LiveID...
unfortunately, what I've seen is that the software architecture for SSO clients tends to blow. Most sites tend to use the highly coupled approach, in which your SSO is mapped one-to-one with your local account/profile.
I keep waiting for a site which supports many-to-many mappings... I should be able to log on with ANY SSO provider (GoogleID, LiveID, FB, my own OpenID, etc)... and I should be able to choose which account/profile I want to use (perhaps I have multiple FB profiles, or multiple email accounts)
it's not hard... I don't know why there hasn't been a single site to support this... but it is what it is.
The answer is easy: Too many eggs in one basket.
That could be one place that if it gets broken into everything is lost, or it could be one entity that knows all the dirty little secrets since they know all the sites that authenticate your identity. It could also just be one entity that must be up and available, which is a tall order.
The solution is simple: Public key cryptography.
Most of the people on /. are probably familiar with ssh. A key is generated on the client end. The public material is put on the server end. If the server is compromised nothing bad happens as the attacker now has a public key they can't use to log into any other service.
There is no technological reason the web can't work the same way. There is a lack of agreement on how to do it that is holding us back, and also a User Interface problem in browsers. However, it's not hard to imagine a world where a browser generates a key pair, and during the sign-up procedure for a web site it transmits the public material. It looks like single sign on to the user, but they didn't have to trust any third parties, and if the web site is broken into the attacker gets no useful data. It could be implemented with X.509 certificates, which browsers already have support for, or it could be done as specific form types and key formatting à la how ssh does it today. Users could create multiple keys if they wanted, and by syncing the private key material between their devices have passwordless access across all their devices.
A small amount of standards work and UI here could make passwords nearly obsolete. Sysadmins don't use telnet and passwords anymore; we need to upgrade users, and the user tools to achieve the same benefits. Single Sign On, and all of its drawbacks, disappear in the process, a win-win!
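The sign-up and challenge-response login sketched in the comment above, as an added Go example (not code from the page or from any project named on it). The site names, the username, the "login:site:nonce" message layout and the relay scenario are assumptions chosen for illustration; the server stores only the public key, the browser keeps the private key, and each nonce is accepted once.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server side. A site keeps only public material per account, so a breach of its
// user table yields nothing that logs in here or anywhere else.
type server struct {
	name     string                       // site identity, bound into every challenge
	accounts map[string]ed25519.PublicKey // username -> registered public key
	pending  map[string][]byte            // username -> outstanding one-shot nonce
}

func newServer(name string) *server {
	return &server{name: name, accounts: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// signUp is registration: the browser submits its public key and nothing else.
func (s *server) signUp(user string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if _, taken := s.accounts[user]; taken {
		return errors.New("username already registered")
	}
	s.accounts[user] = pub
	return nil
}

// challenge issues a fresh random nonce that the browser must sign.
func (s *server) challenge(user string) ([]byte, error) {
	if _, known := s.accounts[user]; !known {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// challengeMessage is the exact byte string that gets signed. Binding the site name
// into it makes a signature for one site useless at another, even with one key pair.
func challengeMessage(site string, nonce []byte) []byte {
	return []byte("login:" + site + ":" + hex.EncodeToString(nonce))
}

// login verifies the signature over the outstanding nonce, then burns the nonce.
func (s *server) login(user string, sig []byte) bool {
	pub, known := s.accounts[user]
	nonce, outstanding := s.pending[user]
	if !known || !outstanding {
		return false
	}
	delete(s.pending, user)
	return ed25519.Verify(pub, challengeMessage(s.name, nonce), sig)
}

// Client side: the browser signs the challenge for the site it believes it is talking to.
func answer(priv ed25519.PrivateKey, site string, nonce []byte) []byte {
	return ed25519.Sign(priv, challengeMessage(site, nonce))
}

// runDemo exercises an honest login and two failure modes: replay and relay.
func runDemo() (honest, replay, relay bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // generated once in the browser
	if err != nil {
		return
	}
	bank := newServer("bank.example")
	if err = bank.signUp("alice", pub); err != nil {
		return
	}
	nonce, err := bank.challenge("alice")
	if err != nil {
		return
	}
	sig := answer(priv, "bank.example", nonce)
	honest = bank.login("alice", sig) // true
	replay = bank.login("alice", sig) // false: nonce already consumed
	// evil.example starts a bank login for alice, hands her the bank's nonce as its own
	// challenge and forwards her answer. She signed "evil.example", so the bank rejects it.
	relayed, err := bank.challenge("alice")
	if err != nil {
		return
	}
	relay = bank.login("alice", answer(priv, "evil.example", relayed)) // false
	return
}

func main() {
	honest, replay, relay, err := runDemo()
	fmt.Println("honest:", honest, "replay:", replay, "relay:", relay, "err:", err)
}
```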
What's holding it up for me is that most of them want you to use your facebook credentials, so they can post garbage to your wall and harvest your friend lists and emails.
Of course, it's even harder to use it when you are one of the few remaining humans in civilization that doesn't have a facebook account.
I moved to Google after the collapse of my Yahoo single sign on multiverse. All things became one, which was the security reason why I shut down my Yahoo accounts and left for Google. Yahoo as a web portal has a number of quality services that are linked. If only their privacy options were more robust I might still be there to enjoy them.
Facebook is doing SSO really well for stuff that's just not that important. Sign in to random websites/games/apps/forums with a single click.
I wouldn't want SSO for my bank/finances/medical though because of the single point of failure issue.
However, for PCs, Windows 8 now allows you to log in with your Windows Live credentials (not sure if you could do this before)... I personally liked that feature since you can log onto different PCs/tablets around the house without reconfiguring things.
Single Sign-On technology only makes sense within a single organization. For example, if you get a loan from the same institution you do personal banking with, you may want the convenience of a single sign on to their loan system and their banking system. But in this case, you don't have to worry about privacy issues as it is already the same organization with access to both sets of data, even if they are two different systems in the back-end, possibly due to a corporate merger or something.
However, with cross-organizational single sign-on, it opens up a privacy can-of-worms. On one hand, I don't want to risk the possibility of someone hacking my google/microsoft/facebook/apple/etc. account and gaining access to my financial accounts. On the other hand, I don't want google/microsoft/facebook/apple/etc. to have access to my financial accounts in the first place.
Because everyone wants to be the SSO provider.
Basically, we had OpenID. Along came plenty of services which gave you an OpenID account (or something VERY similar), but none of them allow you to log in using a single sign on hosted elsewhere.
Example: Facebook is a SSO. So is google. So are plenty others. But since google wants to be the provider, they won't allow you to log in with facebook's OpenID. The inverse also applies.
In the end, everyone is an OpenID provider, but the only place I can log in with a third-party OID provider, is stackoverflow. And sourceforge, IIRC. Until these huge service providers (google, facebook, twitter, etc) start accepting third-party OpenIDs, this won't change.
Why don't people just tell their browser to remember their login/pwd information? That's what I do for Slashdot, BoingBoing, fb, lj, gmail, etc.
Bank websites and credit card websites, I still store the passwords in my noggin, but social media? I don't care if someone who's stolen my laptop suddenly can make twitter posts in my name.
There is no company large enough to make a plausible attempt at "single sign-on" that would also be trustworthy enough for most people to give them that level of access. And there probably never will be, since our current system of corporate capitalism not merely permits but actively requires corporations to act in a sociopathic manner.
If your single sign-on is compromised, the attacker gains access to all your accounts (and potentially locks you out until you can prove it is actually you who owns this single sign-on account and reset it, which is not always possible since there is not much verification at the time of signing up for a single sign-on account).
If you trust your cell phone to do your banking, one solution for you would be to get a password storage application that would encrypt and store (different) passwords to all the websites you visit.
Now you often see sites that will let you sign on with Yahoo, or Facebook, or Passport or something else. So I'd say it's still moving along.
"oh shit! firefox(with single sign-in) won't start! I guess I'll have to use internet explorer to check my email. wait, I can't remember my email password anymore because I have been using single sign-on!!!!!"
Yeah, that sounds like a great idea! (sarcasm)
Someone mentioned the very good point that Facebook is TRYING to become the single signon king. However, nobody trusts Facebook.
It brings up the question of how a single signon organization would make its money.
Nobody would trust it, use it, if it makes its money like FB or Google......basically by selling its users out.
It would have to be some sort of not-for-profit trust that could pay its employees well without having ties to other businesses.
That sounds like the government. I wouldn't want to give my single sign on info to the government or an organization that might be petitioned by the government.
Back to square zero.
You don't really want to trust any of the parties offering SSO. A slightly different take on the same space which bears watching is Mozilla Persona (recently renamed from BrowserID). I don't really expect it to catch on, but it might, and it's the only endeavour in this field which has a chance of really tackling the trust issue and offering a useful way forward.
I use passpack. I see a lot of people using lastpass. I honestly think passpack is better.
I began using passpack, switched to lastpass and then switched back to passpack.
How is it going with the implementation of tags over at lastpass? Still using single groups instead?
The cool thing about passpack is the javascript bookmarklet for one click signon, no need for any extension...
https://lastpass.com/
The real problem with these systems is that they're not distributed; there should be a single sign-on that has several separate trusted agents. My suggestion, arrogantly submitted, is that chip&pin cards should be used as trusted IDs. As little as I trust banks, they're the only cryptographically secure method of identification that anyone carries. The banks in almost every country are required to positively ID cardholders, and SSO systems can validate the bank's digital signature of the logon credential carried by the credit card. I'm sure it's not perfect, but it would be very robust, and allow you, as a website operator, to be able to trust a login credential, and you, as a user, to have a login credential that requires no more trust in an institution than you already give to that institution. Oh, by the way, it also easily ties that SSO token to your credit card account.
Everybody says you should never write down your password, but all of a sudden it is a good idea to store ALL of your passwords in one place?! Encrypted or not, this is just a bad idea.
* I want to keep my identities separate.
* I don't want _SINGLE_SIGNON_PROVIDER_ to have keys to my entire online life.
* I'd rather "spread the risk" of having my login information compromised.
I don't have a common key for my house, office, and car either. Nor do I want one.
I have my personal Windows Live account, my day job Office 365 user account, and an Office 365 admin account for a friend's small business that I administrate for him on the side.
Whenever I needed to switch I had to clear my cookies and close all browser windows, then log in again. It was a massive PITA.
What I do now is use IE for day job, Firefox for personal, and Chrome for admin; so they each have separate cookie sets.
I probably should switch to separate VMs.
http://xkcd.com/792/ Pretty much sums up my argument against it.
I have one password, but it's unique for every website. That's because my password is a small formula that uses the website's URL.
I only need to memorize the formula then look at the url to know what to enter.
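A keyed version of the "formula over the URL" idea, added here as a Go example and not the commenter's own formula: the per-site password is HMAC-SHA256 of a master secret over the canonical host, rendered to satisfy a site's length and punctuation rules (which also absorbs the earlier complaint about a site rejecting a punctuation-free password). The policy fields, the version tag and the punctuation alphabet are assumptions; the sample master secret is constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// policy captures the per-site password rules a site imposes.
type policy struct {
	length       int  // characters the site accepts (8..43 here: one SHA-256 output)
	requirePunct bool // site insists on at least one punctuation character
	allowPunct   bool // site accepts punctuation at all
}

// siteKey reduces a URL to a canonical host so that http/https, "www." and any
// path all derive the same password for one site.
func siteKey(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return "", errors.New("URL has no host: " + raw)
	}
	return strings.TrimPrefix(host, "www."), nil
}

// punct is the set of characters counted as punctuation (includes base64url's - and _).
const punct = "!#$%&*+-/=?@^_"

// derive computes HMAC-SHA256(master, host) and renders it under the policy.
// Unlike a guessable formula, the master secret is a key: seeing one site's
// password reveals neither the secret nor any other site's password.
func derive(master []byte, raw string, p policy) (string, error) {
	host, err := siteKey(raw)
	if err != nil {
		return "", err
	}
	if p.length < 8 || p.length > 43 {
		return "", errors.New("unsupported length")
	}
	if p.requirePunct && !p.allowPunct {
		return "", errors.New("contradictory policy")
	}
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("site-pw-v1|" + host)) // version tag allows future scheme changes
	sum := mac.Sum(nil)
	chars := base64.RawURLEncoding.EncodeToString(sum) // 43 chars of [A-Za-z0-9_-]
	if !p.allowPunct {
		chars = strings.NewReplacer("-", "", "_", "").Replace(chars)
	}
	if len(chars) < p.length {
		return "", errors.New("hash too short for policy after filtering")
	}
	out := []byte(chars[:p.length])
	if p.requirePunct && !strings.ContainsAny(string(out), punct) {
		// Force one punctuation character at a hash-chosen position, so the
		// result still depends only on (master, host).
		out[int(sum[0])%p.length] = punct[int(sum[1])%len(punct)]
	}
	return string(out), nil
}

func main() {
	master := []byte("correct horse battery staple") // constructed sample secret
	pw, err := derive(master, "https://www.example.com/login", policy{length: 16, requirePunct: true, allowPunct: true})
	fmt.Println(pw, err)
}
```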
Who holds the keys? Microsoft? Symantec/Verisign? Google? Facebook?
Which protocol? So far all the federated ones have been weak.
One breach and you've lost EVERYTHING.
Single point of failure.
No real motivation a.k.a. financial incentive.
NIH disease. Or, everyone knows better than everyone else.
> The solution is simple: Public key cryptography.
> Most of the people on /. are probably familiar with ssh. A key is generated on the client end. The public material is put on the server end. If the server is compromised nothing bad happens as the attacker now has a public key they can't use to log into any other service.
http://en.wikipedia.org/wiki/BrowserID
OpenID seems to be the way to do it, but it's really complicated. I think if you look around, nothing is really holding it up. It's used all over the place. Speaking as a dev, it's annoying to set up the first time. I think that's holding it up for sure, but to a much lesser extent. For end users, just try explaining what it is and you'll see why more people don't use it, understand what it's for, why you'd want it, or when you'd use it.
Really, the arguments about a single security breach and tracking issues are all false too. There are as many OpenID providers as you'd ever want to use, *and* you can roll them into your own websites and swap out the underlying provider using Yadis at will.
So the only thing holding it up? End users have never heard of it.
Your solution moves single-sign-on from a solution-provider to the individual, but it completely ignores the fact that some of us DO NOT WANT identities tied together.
True, I could have multiple, independent public keys just like I can have multiple independent sign-ons.
However, you and the world still need to realize that one of the things holding back single-sign-on in any form is that many people simply do not want it.
Identity should be inherent in connectivity and access. Anonymity should be a service. But since implementing automated identity and webs of trust means starting with redesigning the IP layer, and then redesigning from there on up, it's not going to happen any time soon, even if it would dramatically ease problems like spam and DDoS attacks. It would simply be so expensive and time-consuming as to be a poor return on investment. And of course, trying to graft on identity and trust runs into the problems others have noted above. Maybe the next planet to build an Internet will do it right.
When SSO started appearing, more and more browsers started having the feature of saving the passwords into the browser, or some external program to manage it.
I don't trust most SSO, esp. Facebook, as I don't want to end up with a bunch of crap on my wall that websites decide to post...
Some companies are implementing SSO on their backends using software from companies like Ping Identity. Really cool technology.
The problem with Microsoft Passport was Microsoft.
PKI+BioToken would be nice. I would pay for a one-time vetting process and bio-token+reader at home for me and family.
I would let my bio-token be scanned by Biz-readers, voting ..., but I would want strong per-session time-place encryption for all personal/purpose/transaction/bio... information, certificates validated-exchange signatures, and a 90 day transaction/billing-cycle with self-destruct of all information.
Under Linux, I think you can do a PKI pseudo-token and reader for all your passwords (login, admin, websites, banking, trading ....). The pseudo-token would not be registered with a PKI certificate authority/server.
I sign in to Lastpass, and it signs into sites for me. I guess it's a form of SSO?
The Opera web browser has its own version of this and it works great. I'm sure you can download plug-ins or whatever for other browsers that don't have it built in.
It used to be called the "magic wand" or something a million years ago when they were likely the first browser to implement it but now they just call it "password manager".
There is also the case to be made that it's a terrible idea to use a single key to open multiple random websites. Maybe it's a convenience for throwaway forum stuff, but I don't think I'd want Amazon, eBay and my bank all controlled by a single sign on. It's probably a terrible idea from a privacy perspective for SSO to happen on sites belonging to the same organisation. Look how Google has consolidated and modified its terms so they can basically merge identities together from their sites like GMail and YouTube any way they see fit. One minute you think you're using two distinct aliases, the next suddenly your real name is tagged against everything.
There's also just the complexity of connecting multiple disparate systems that have been developed in-house. It's difficult for a company to do SSO internally, let alone across the web.
And I don't use it because I like privacy.
Try something like Keepass for sites you don't visit very often, or even ones you do. It's a password vault and it works great. Free too. Lastpass is good too. Lots to choose from.
Instead of using password storage (e.g., under the desk or in memory), run an encryption algorithm in your wetware as a background task to automatically sign you in to web sites, software, etc. Put the code in your 'eyes' and 'hands'. This avoids you having to know or remember the passwords and is faster. When you run into a login, your eyes trigger the code and your hands translate it to a password and type it in before you know what is going on.
You think I'm joking but this works really well.
Usual disclaimer: I could tell you how but then I'd have to kill your process. :)
LastPass is a very good online password manager that tries to log on to sites for you. It's not perfect. I only use it for things I'm not too worried about.
Spamex.com solves that problem nicely. I don't understand why it hasn't caught on yet, but it is severely languishing because of lack of users and is consequently much slower than it used to be.
Seems like most of the replies here suggest that users don't really want it. Maybe Slashdot users don't want it, but it seems to me another reason is that sites don't want it. If the purpose of a login was to confirm my identity, more sites would make this easier. The purpose of a login is to shackle you to a site. This is why even if you see a "Login with Twitter" or "Login with Facebook" button and try to use it, you're immediately required to "link" your Twitter or FB account to the "app" of that site. They don't give a damn what your identity is; they need more than just a confirmation of that, they need your permission to make you part of their social media reach. Now, there are ways to make this all happen with a good SSO, of course, but that's technically harder to implement, and there will often be some "business requirement" for some crucial piece of valuable personal info that happens not to be provided in whatever SSO, and so the managers will push for a custom sign-on. Facebook is getting close though. For better or for worse.
A single sign on, to me at least, should be controlled by an uninterested third-party; ideally, in my 'vision', this would be a non-profit, perhaps subsidized, but without political attachment (Google 'politician money' and read some of the resulting articles if you don't already understand). It is also my opinion that (as many have pointed out) that it should absolutely not be a single keyword or other text. Another issue that some think should be avoided (almost universally, at least on this site..)
I don't particularly enjoy writing paragraphs, so I give you this list of seemingly reasonable ideas to expound upon and lampoon for the purpose of belittling my grammar and I...
My thoughts on the matter (which are more or less open ended...)
As I still prefer not to use identifiers or logins when it's not absolutely necessary...):
This is something to be left to the 'nerds'...
If it can be profitable, someone will make a substantial effort to exploit it...
I would not trust it for use in financial transactions if it was able to be used for general-purpose logins...
A separate secure system may be the best solution to the above...
The possibility for key/screen/event loggers (client, server, or interception) to thwart even the most well thought out scheme...
The xkcd comic posted above is definitely worth reading..
The trouble with "single signon" is that it's usually a front for a Facebook or Google style tracking system. It usually comes with built-in privacy intrusion, ad targeting, and an overreaching EULA.
"Using Facebook for login provides you with all the information you need to create a social, personalized experience from the moment the user visits your site in their browser."
Use a password wallet. I use a random password for almost every site. One gets broken into, they have no idea what the password is to the other.
A decent wallet can sync to more than one location (like phone)... use a good base password.
Starting to see more 2 Factor Authentication which is even better.
Maybe you haven't noticed, but TONS of web sites now support logging in via facebook or twitter.
With so many major sites from Yahoo to Google to Microsoft (Passport) to Facebook, no one is perceived as a leader of SSO. Besides, Google now wants to know your real name, and Facebook... well, it's Facebook, for fuck's sake.
On the other hand, Google has the concept of multiple sign-on, which I've started using. So I have a "spam" email account that I use for websites and mailing lists and crap, and a "realname" account that I only really use to talk to actual people. This works pretty well, esp. since I've pretty much disabled notification on the "spam" account on my Android phone/tablet.
I could probably create more accounts... maybe a few more spammy accounts for pr0n, and other less spammy accounts for financial stuff, but I'm fairly happy juggling just two personas. Most (but not all) of the Google / Android apps support this pretty decently.
Sure, law enforcement could probably ask Google to identify who's behind my spam account. But I don't worry too much about that.
If HTTPS servers had a way to ask the client to generate a certificate automatically, we wouldn't even need passwords. Some IRC servers use client-side certificates instead of NickServ, and it works beautifully. I cannot understand why this very useful part of SSL is so rarely used, because it makes passwords superfluous for the most part, and it's a hell of a lot more elegant than login cookies.
You guys are missing the point of single sign on: the point is that you can, with 3 clicks (or more if you choose to limit what info the site gets), log in to a service you just heard of a minute ago.
remembering the passwords isn't the hard part at all.
service providers love this because it cuts down on people who get mega-annoyed at captchas, checking their email for activation link and so on and end up not even checking the service out.
It's not a question of technology. Using proper federation we can control what data is sent over to the service provider you're signing in to, making it so that not even your name, username or email is sent aside from a random string of many characters, which is what privacy advocates would woe.
In contrast Web Service Providers and Identity providers would like to exchange everything from your email to your credit card information (for a proper fee of course between themselves). ... and so they go and wage the political wars.
It's not remembering the password or setting the browser to remember it that's the problem.
It's signing up. SSO makes it a breeze; SSO that the service provider deems trustworthy enough makes filling out stupid forms about your mother's maiden name obsolete - you just have to lie once when signing up for the SSO provider (like Facebook).
world was created 5 seconds before this post as it is.
I live in several realms on the web: there is work email, private email, banking, and various accounts for my different interests.
I want to keep them separate. I don't want to be automatically logged in into my bank when I log into Youtube to comment on a vid. I want to be able to do that from a friend's computer and not be afraid.
"We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
Not a single one of these companies is anyone I would trust with my data over the long term. They all have to do something screwy with it.
Bunch of Number of the Beast type scenarios that humanity rejects instinctively.
Anyone notice that QR Codes have something resembling a 6 in three of the corners? Bad bad bad...
OK, send *me* all your login and password IDs. Don't forget those bank logins! What, you don't trust me? But you do trust a large corporation, who probably outsources all their work to India or the Philippines? Of course, they only have your best interests at heart! What could go wrong?
Please do not read this sig. Thank you.
Facebook - not saying this is a good solution, but it is common
Google - Pretty good solution, especially if you turn on their two factor authentication.
Maurice W. Hilarius Voice: (778) 347-9907
> Microsoft's "Passport" gave us the promise of a single web sign-on. What happened to that idea?
What happened in my case is that I wouldn't trust Microsoft with anything that critical. Regardless of the reason (and there is more than one, not all having to do with the products themselves), Microsoft products get a zero-day intrusion, what, once a week?
Would I trust *anyone* with a set of credentials I use everywhere? Um,.... no. Not anyone. Not my bank, certainly not the government, not Google, not Apple, not Symantec, not... hmm I've run out of examples.
And so, I maintain a list of passwords consisting of random keystrokes for any online service that has the potential to damage me either financially or professionally. I remember the ones I use often, and the rest are in a PGP encrypted list on my phone. (The PGP password being another random string that I have memorized through long familiarity.)
My bank is a small credit union, which probably isn't any more secure than Chase, for example, but is a less likely target because the payout is so small.
In theory single sign-on might be doable with private/public keys, where you could generate the keys yourself and not have to rely on the honesty and diligence of a third party or worry about a government operator selling the back-door keys to the Russian Mafia. But I don't see that ever being practical for the unwashed public. They just want to type in their grandmother's maiden name for everything. And they can probably do that now. (Shudder.)
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
" most of which have *inconsistent* password syntax restrictions "
Choose a password format that is hard by default. That will apply to ALL sites, whether a site requires a hard or an easy password.
Add some series of numbers or letters you can easily derive from the site's name.
For example
B1g_H41R_Slat
Big hair in leet speak, followed by the first three and last letter of the site name.
Hard password, easily done.
No, that's not my password.
If it only allows 8*, the first 8 is still hard.
*I guess there might be a site left
The Kruger Dunning explains most posts on
There is clearly a need for two types of security. My bank account, email and other critical items need a higher level of security. But for 95% of my passwords, a simple, user-friendly, single point of contact is perfectly acceptable. Worst case, they now have access to my various newspaper on-line subscriptions, maybe a couple of casual vendors, and the random porn site. None of which particularly concern me.
Worst case scenario, frankly, is that someone purchases something off a credit card stored on a vendor site and I dispute the charge and the vendor eats it. (Not saying this is a just system - but it is the way things work.)
IT'S CALLED LASTPASS.
I'd love SSO if I controlled the service and privacy and didn't need to worry about others having access to login data.
I'm completely afraid of any big service like Google, Twitter, Facebook, foursquare or any other name that doesn't have a strict privacy policy and strict delete first if contacted by any government policy. All the big service providers want SSO so they can track where and when we signon to other websites. That is a 100% non-starter for me.
The problem with single sign-on is that if the company providing the single sign-on suddenly implements a crappy policy, you don't have a choice in having to follow that policy in order to use the numerous services that use that single sign-on.
For instance, if you don't like using your real name online, and suddenly the sign-on provider requires real names with identification, you're screwed; you can no longer use your favorite sites unless you surrender your information or try to create a fake account against the policy.
Right now, if some forum implements a bad policy, we can just stop using that forum, which is a much smaller loss.
We saw this effect with Google Plus; when they had their real name fiasco last year a lot of people got pissed off when suspended accounts affected their ability to use other Google services. Thankfully Google relented a bit on the policy (they still say you should use your real name, but no longer seem to enforce it unless it's a weird name like Ass McCrackpants or something) but it does drive the point home.
... most of which have *inconsistent* password syntax restrictions ...
And also have stupid email restrictions - like you can't have a plus (+) in your email address.
In any case, SSO bites it in terms of security (a single data breach and suddenly "All your sites are belong to us") and privacy/tracking issues (do you really want one company to know all the porn sites you visit?). Just get a password manager like KeePass and forget having to remember passwords.
I've long argued that authenticating identity "online" is a government function, just as it is a government function to issue me a birth certificate or a driver's license or a passport. A government-run single sign on (or, better, a network of single-sign-on's depending on where your citizenship lies) could be prohibited by law from collating information, and sites that used it could be forbidden from using it for sharing of data. Similarly, sites that wanted to use it could be legally prohibited from abusive practices, sharing your information, etc.
The reality is that privacy is OVER -- and it's been over for a long time. Unless you've bought a tin-foil hat, you're in many dozens (if not hundreds) of databases, many of which share information. The problem? You don't know it, and you have no access to this wealth of information. So let's drag as much of our critical information as possible under government control, where there's at least SOME accountability. Millions of details ... like how to preserve some sort of anonymity if there's an overarching SSO -- but the economic benefits of establishing one would be huge.
Finally, let it be noted that the situation with SSO now is analogous to the situation with "information services" back in the 1980's. We could have built an awesome shared information service (a la France's Minitel), but the companies in the space (AOL, CompuServe, BIX, GEnie, etc.) were all trying to beat the others by locking you into their product. The free market is not the solution to every problem.
"He who would learn astronomy, and other recondite arts, let him go elsewhere. " -- John Calvin, commenting on Genesis 1
Invoking Betteridge.
Have gnu, will travel.
MePIN has no user registration and does not store users’ personal data in a central database.
Neither does it use or store usernames, passwords or any other data from linked accounts.
MePIN provides multi-factor authentication as a service. MePIN service is distributed to several data centers in several countries. The infrastructure issues digital certificates to each MePIN device, uniquely identifying the devices.
Check out their website - https://www.mepin.com/
"Area Man Constantly Mentioning That He Doesn't Have A Facebook Account"
Social networks that use real names are attractive as a potential third-party SSO identity management platform. Facebook has the sheer user population to potentially become the de facto SSO platform for the western world. China will inevitably do its own thing though (QQ? Weibo?).
Microsoft read that correctly, and with their Hotmail/MSN/Passport initiative they attempted to convert/enroll the existing Windows user base for this, but they didn't have a compelling enough offering as a carrot to get people over the hump to enroll, and enough smart people realized they didn't want the lock-in between their OS vendor and their SSO supplier and screamed bloody murder. Whether that lock-in fear is valid anymore, considering business alliances and the web, is hard to say. It could easily loop back with Facebook releasing their own Android phone, creating that mobile OS/identity platform vertical silo that some people rightfully fear. Android as it exists now with Google at the helm is pretty scary as it is with the vertical silo, what with Gmail, Gtalk, Google Drive, Google+, and search history, but since Google+ is still lacking penetration, they don't have it completely sewn up yet. Considering the pseudo-anonymous usage of a lot of Google users, they will forever have a real-name association issue that undermines the SSO proposition.
It's kinda funny that telcos saw the SSO problem in the past and proposed a centralized, rigid hierarchy for identity via X.400 that might have worked through dictatorial control for a while, and enabled multifaceted government IDs that private identity systems could ride the coattails of, but as the SSL CA issue shows, who watches the watchers?
Every browser has some functionality to store your passwords without having to give permission to a single entity to all your online activity. Why would anyone want an online service to do that is beyond me.
the solution to "every website requires a login, which is a pain in the arse" isn't "have a single login for every website"; it's "stop requiring a login on every bloody website"
This question has many parallels to "Why do all the browsers suck?" circa 2002. Similar answer: end users' interests are not aligned with commercial ventures, thus commercial entities fail to address the need. Governments, for similar reasons, are not welcome as solution providers.
Mozilla has a potentially gamechanging solution in alpha. It is inherently user controlled and FLOSS. It's also intended to be very easy to use by building user-controlled personas into the browser, allowing single sign in without revealing sign-in habits to a third party. Developers and testers welcome.
https://login.persona.org/
http://identity.mozilla.com/
People tend to have a few essential sites and several non-essential sites. Use individual passwords for the essentials and FB SSO to access occasional/unimportant services.
Want to add more privacy? Create an FB account, add no friends and post nothing. Simply use it for SSO.
Hi guys, I'm already using this site http://fonet.mobi/ which allows me to connect to a couple of websites using OAuth. This website doesn't store your credentials, as you always enter your user ID and password at the original website (like Facebook, LinkedIn etc.) and after authentication the original website redirects you back to http://fonet.mobi/. After the first authentication from the original website, it never sends you back to the original website (unless you change your password at the original website) and it pulls your data from that website. I'm already using it with a couple of websites like Facebook, LinkedIn, Twitter, Picasa, Google Calendar etc. It's very convenient as I don't have to enter my password any more. They also have a setting where I can remove my OAuth token from this website. Not only that, they have one page where they display my profiles from different sites on a single page, so my friends don't have to search for my profile on so many websites as they can see all my profiles on a single page. I'm very impressed with this website. Another thing, this is a mobile website and it doesn't have any advertisements either. If you haven't tried this website, you should try it once.
http://supergenpass.com/
It creates a hash based on the domain name and a single master password, then uses that hash as the site password. The result is a different, secure password for every site. The levels of security are configurable and it's very easy to use.
Any number of Firefox apps will keep track of your passwords for you behind one password you use for the app, if it's such a big deal for you. This problem was solved a long time ago if you know how to make things work for you.
Please don't use SSO. It's like bending at 90 to a police officer with your current laws.
If the free market is supposed to be able to solve every problem, why do I still need to scratch my balls?
In the near term, reduced sign-on is a more realistic expectation. Standards like SAML and OpenID have emerged to enable sites to act as “Identity Providers” or “IDPs” to assert your identity to other websites that have adopted those standards (as evidenced by the login form here on /.). For the reasons a lot of people mention in earlier responses, there are good reasons for us each to have multiple IDPs – not the least of which being privacy.
Many enterprises have been trying to ‘crack the nut’ of figuring out a business model for providing an IDP as a service – Passport being an early example. Platforms like Facebook and Google+ seem well positioned to be your IDP for SSO into sites like Pinterest and /. today. However, in many work scenarios - for example where you're sharing docs on Google or using Salesforce, your employer will need to be your IDP in order to enforce security capabilities like identity proofing, access control, and strong authentication. And so providing a single sign-on across all of them is not something that is realistic in the near term - and probably not desirable from a privacy perspective in any case. Best we can do is choose the right IDPs for specific online interactions.
As the “IDP market” emerges we as individuals need to push our IDPs – both work and social – to give us the appropriate level of control over how our personal information is shared. We will need to learn to leverage these IDPs to manage and wield what are ultimately different online personae on our behalf. If we don’t seize that control, our personal information will be shared without our consent.
I never remember a password ever again; well, I do remember one, my master password... I'm totally for the Password Hasher plugin for Firefox. It creates hashed passwords from the master + site domain name, up to 32 characters long. If a site gets hacked, I have to "dump" the password, adding an additional numeric sequence to the input parameter of the hash calculation, and the tool will come up with a totally new password for the site in question.
Sites visited and their different password restrictions (length etc.) are saved locally, but no passwords are ever saved.
I use it for all websites nowadays, and there really are a few that have stupid password restrictions.
Or, in this case: single point of intrusion. Need to say more?
I like my spaghetti with source.
The reality is that privacy is OVER -- and it's been over for a long time..
Because of defeatist twats like you. If everyone had your attitude we'd all be slaves by now.
The issue with a SSO, in the form of a service provided by a third-party, is the same as that of the current SSL system. The provider/protocols become a huge target and, eventually, could be compromised...DigiNotar anyone?
The best forms of SSO are those that are managed locally from your own machine or domain. This software already exists.
I have SSO set up in my domain with fingerprint + PIN authentication and it can be used to provide login to most websites or applications by adding the credentials to the SSO application (a bit like managing passwords in Firefox).
There are very few governments I would trust with that function, and it still begs the question as to what about the fact that this is a single point of failure that people not constrained by laws would view as the most valuable compromise target possible.
Just imagine - one credential that would give them access to all your financial resources and ability to assume your identity online.
Use a master password in your browser. First make sure the master password is used to encrypt the other passwords of course.
which is a different thing than having single sign-on. I personally like the following approach to reducing the number of passwords, especially for throw-away or low-concern sites.
http://rip-van-webble.blogspot.com/2012/06/using-asymmetric-keys-for-web-joinlogin.html
It depends on HTML5 local storage and uses asymmetric keys for doing the join and subsequent login. While I wouldn't necessarily jump to this for a financial website, for things like slashdot, facebook, news websites, etc., it would be a boon.
--kev
I dislike single sign-on because there are services for which I want multiple accounts. If those services don't let me make a l/p with them, I have to log in and out of multiple facebook or gmail accounts to make it happen, which disrupts all my other browsing activities.
If there's a site where I want a business persona and a party persona, I should be able to just make two accounts and call it a day.
--
I want a flash drive in the shape of a key and the port to be like a small ignition cylinder, like your car. The flash key has a program that stores all my logins and passwords for me, so when I'm prompted by my browser to enter them I just pull out the key, turn it and it auto-fills my info. Build please?
Whenever Microsoft ask me what I think in surveys I tell them that I have sworn to never buy more than necessary from their company - because of their utterly disgusting calls for an Internet "Driving license" - using Microsoft technology of course, which would be a universal login as you describe. Never, ever, forget that the entire purpose of a license is NOT to let you do something, it's handing someone else the power to STOP you doing it. ACP