Slashdot Mirror


Ask Slashdot: What's Holding Up Single Sign-On?

An anonymous reader writes "Like most web users these days, I have enough accounts on enough websites – most of which have *inconsistent* password syntax restrictions — that when I need to log into a site I don't visit very often, I now basically just hit the "Forgot Password" button immediately. Microsoft's "Passport" gave us the promise of a single web sign-on. What happened to that idea? Why hasn't some bright spark (or ubiquitous web corporation) already made a fortune standardizing on one? I can now buy my coffee with my phone. Why do I have to still scratch my passwords on the underside of my desk?"

8 of 446 comments

  1. Single Sign on aka FB by Foo2rama · · Score: 4, Informative

    FB is becoming more and more of a single sign on.



    The real reason holding it back is people that make the websites are either too lazy to include it, i.e. blogging sites, or want increased security, aka financial sites.

    --


    ---In a time of Chimpanzees I was a Monkey.
  2. It's already here by wiggles · · Score: 4, Informative

    Facebook, OpenID, Yahoo, AOL, Google, Microsoft - they all support SSO for websites that want to use it. It's just a matter of the individual websites implementing it.

    If you notice, Slashdot has even implemented it.

  3. My Single Sign On by SighKoPath · · Score: 5, Informative

    I have Single Sign On. It's called keepass.

  4. There are a few out there by JTD121 · · Score: 4, Informative

    There's Mozilla's Browser ID, which is used nowhere....Google, Yahoo, et al seem to have been 'bundled' into the Disqus 'platform' across various sites. I think it's more that no one wants to give up 'control' of their user data and associated metrics to a single open standard. By forcing users to continue to sign up for their 'services' they get to collect whatever they want through the use of EULAs, ToS', etc. For their own ends, of course.

  5. Re:Single Sign-On by cayenne8 · · Score: 4, Informative

    Not to mention the tracking/privacy issues.

    Yep...I'd prefer NOT to have every website and business out there to be able to more easily tie all their data on me together. I don't want it any easier than it already is.

    And please, don't anyone mention using FB as the universal ID. I don't have and don't want FB account(s).

    I don't want to pay for coffee or anything else with my phone either...I hope if the new iPhone 5 has NF on it...it can be easily and permanently shut off.

    I like to use cash whenever possible...anonymous, and it gives me a much better feeling for how much I'm spending a month, than using credit which, to me, adds a layer of abstraction to money, much like how chips do in a casino. With chips or CC's (and now a phone) it is more like 'play' money than real money..and it is easier to lose sense of how much you're blowing here and there.

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  6. Re:It's a bad idea by NFN_NLN · · Score: 4, Informative

    But if you do that, then why not just use a different password for each such group? Passwords aren't that hard.

    I believe the submitter touched on part of the reason. Inconsistent password policies for length, characters and expiry date.
    To this day there is one PITA site that won't allow "!" as a password character and it throws my whole system off.

    Also, if I want to change my password, with SSO there is one change. With multiple sites....

    Passwords may not be hard... but SSO is easier.

  7. Re:In the meantime - LastPass! by Kiaradune · · Score: 4, Informative

    Fortunately they don't have access to your unencrypted passwords.. https://lastpass.com/support.php?cmd=showfaq&id=1096

    "AES utilizing 256-bit keys. AES-256 is accepted by the US Government for protecting TOP SECRET data. AES is implemented in JavaScript for the LastPass.com website, and in C++ for speed in the Internet Explorer and Firefox plug-ins.
    This is important because your sensitive data is always encrypted and decrypted locally on your computer before being synchronized. Your master password never leaves your computer and your key never leaves your computer. No one at LastPass (or anywhere else) can decrypt your data without you giving up your password (we will never ask you for it). Your key is created by taking a SHA-256 hash of your password. When you login, we make a hash of your username concatenated with your password, and that hash is what's sent to verify if you can download your encrypted data."

    --
    This space for rent.
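
The client-side scheme described in the FAQ text quoted above, as an added example that is not part of the original comment and is not LastPass code. It assumes AES-256-GCM as the cipher mode and SHA-256 for the login hash (the FAQ names neither), and `VaultServer`, the function names and the sample account are hypothetical.

```javascript
// Added illustration of the quoted scheme; constructed inputs, not LastPass code.
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest();

// Client side: both values are computed locally from the master password.
function deriveClientSecrets(username, masterPassword) {
  return {
    key: sha256(masterPassword),                                   // never leaves the client
    loginHash: sha256(username + masterPassword).toString('hex'),  // sent to the server
  };
}

// Client side: encrypt the vault before it is synchronized.
// Assumption: AES-256-GCM; the FAQ only says "AES utilizing 256-bit keys".
function encryptVault(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function decryptVault(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.iv);
  d.setAuthTag(blob.tag);
  return Buffer.concat([d.update(blob.ct), d.final()]).toString('utf8'); // throws on wrong key
}

// Hypothetical server: stores only the login hash and the opaque blob.
class VaultServer {
  constructor() { this.accounts = new Map(); }
  register(username, loginHash, blob) { this.accounts.set(username, { loginHash, blob }); }
  download(username, loginHash) {
    const acct = this.accounts.get(username);
    if (!acct) return null;
    const a = Buffer.from(acct.loginHash, 'hex');
    const b = Buffer.from(loginHash, 'hex');
    return a.length === b.length && crypto.timingSafeEqual(a, b) ? acct.blob : null;
  }
}

// Constructed sample run: register, log in, download, decrypt locally.
function demo() {
  const server = new VaultServer();
  const me = deriveClientSecrets('alice@example.com', 'correct horse battery staple');
  server.register('alice@example.com', me.loginHash, encryptVault(me.key, '{"site":"pw"}'));
  return decryptVault(me.key, server.download('alice@example.com', me.loginHash));
}
console.log(demo());
```

The server can check the login hash and hand back the blob, but it never holds the key that decrypts it. Both values are single unsalted hashes of the master password, so the scheme's strength rests on that password; a salted, iterated KDF such as PBKDF2 is the usual hardening for this step.
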
  8. Re:Single Sign-On by silas_moeckel · · Score: 4, Informative

    How about openID it can be whatever you want based. There is no global single point of failure as people can stand up their own openid site and any site that accepts openid can use it. The only thing saved on the end site is your openid url these can be many to one and/or specific to a given site. Pretty much you can add as much complexity as you want on your server or find somebody to do so for you.

    --
    No sir I don't like it.