Ask Slashdot: What's Holding Up Single Sign-On?

An anonymous reader writes "Like most web users these days, I have enough accounts on enough websites – most of which have *inconsistent* password syntax restrictions — that when I need to log into a site I don't visit very often, I now basically just hit the "Forgot Password" button immediately. Microsoft's "Passport" gave us the promise of a single web sign-on. What happened to that idea? Why hasn't some bright spark (or ubiquitous web corporation) already made a fortune standardizing on one? I can now buy my coffee with my phone. Why do I have to still scratch my passwords on the underside of my desk?"

Single Sign-On

Single breach of security.

Re:Single Sign-On

[Anne_Nonymous]

Not to mention the tracking/privacy issues.

Re:Single Sign-On

Most password reset protocols are just a kludgy 'authentication via email' already.

I would've logged in, but I no longer have access to the email account that I used to create my /. account 10+ years ago.

Re:Single Sign-On

[cayenne8]

Not to mention the tracking/privacy issues.

Yep...I'd prefer NOT to have every website and business out there to be able to more easily tie all their data on me together. I don't want it any easier than it already is.

And please, don't anyone mention using FB as the universal ID. I don't have and don't want FB account(s).

I don't want to pay for coffee or anything else with my phone either...I hope if the new iPhone 5 has NF on it...it can be easily and permanently shut off.

I like to use cash whenever possible...anonymous, and it gives me a much better feeling for how much I'm spending a month, that using credit which to me, ads a layer of abstraction to money, much like how chips do in a casino. With chips or CC's ( and now a phone) it is more like 'play' money than real money..and it is easier to lose sense of how much you're blowing here and there.

Re:Single Sign-On

[dgatwood]

... that hasn't stopped so many other terrible ideas from becoming wildly popular.

Like passwords. I mean, the entire notion of securing access to an account using something that can trivially be sniffed, forged, etc. is utterly insane.

Or those fake software-based "second factor" authentication systems where your cell phone (or some other remotely crackable device) is the second factor.

The fact is that nobody is willing to do security right, because doing security right is hard as hell, and damned inconvenient. So instead, everybody adds hack on top of hack to try to maintain the illusion that these fundamentally flawed authentication mechanisms are somehow useful or robust. Single sign-on just eliminates the illusion of security. :-)

Re:Single Sign-On

[xtracto]

Just use Keepass. Allows you to remember just one password. I use LastPass, but of course it is not for the super-paranoid (it could be hacked with all my passwords on it).

Re:Single Sign-On

[TheCarp]

Not as bad.

Where do I have accounts? Do you know? You can guess, and probably get several of them...but not all of them. Not the ones even I have forgotten about. Hell, you don't even know what other usernames I use when the one I have here isn't available (hint: This one isn't actually my first choice)

On the other hand, if I use an SSO service, and you get that.... depending on how you get it, it could be very bad. The SSO service could, concievably have info on every service that I have ever used through it. You could log on to sites I haven't been on in years and start using my name to spout whatever you want....

Imagine that.... you go to some power tools website to ask a question about your new drill. You get the info you need, never go back. Then two years later, some guy who 0wn3d the SSO server hands a password list to his buddies....and a few months later you now have an extensive library of incendiary posts about minorities and gays in your name.

Could it happen other ways? Sure, but.... talk about making it easy to do widespread damage. Oh now I am locked out of ALL of my accounts...spiffy. Oh you just initiated phishing attacks using my otherwise legitimate accounts on 50 different websites... score.

Oh was one of those accounts the one where you posted messages in a online support group for other people with HIV or some other stigmatizing medical condition? Ooops, looks like the links to all your posts just got posted on your FB wall.... have fun.

Re:Single Sign-On

[mlts]

One phrase: Single point of failure.

The only system I can think of that would not be bad for a single sign-on would be something client certificate based, where the program that used your cert would prompt for access. Even then, it better support different certificates for different sites, so not every site is linked to one key.

I wouldn't mind seeing something that functioned like SecurID, except used public/private keys. That way, I could copy the key to a keyfob so I can use it for offline challenge/responses, as well as use my smartphone. If I were on a computer I trust, the client cert daemon would prompt if the site deserves a response and to hand them one from what key I used to authenticate.

Not too difficult to code, but because it is a fairly open system, not many hardware vendors would want to do it.

Re:Single Sign-On

[Bengie]

A single point to secure.

Re:Single Sign-On

[hawguy]

I'm all about anonymity when appropriate, but trust me, the NSA, CIA, FBI, etc. couldn't possibly care less about your latté habits

Of course they do - that's the whole point of the NSA's data mining efforts.

If they know that a group of interest meets at 8pm on the 1st, 17th and 23rd of each month, and you buy a Latte from the Starbucks next door to the meeting place only on those days at 7:45pm, then you become a person of interest.

Re:Single Sign-On

[silas_moeckel]

How about openID it can be whatever you want based. There is no global single point of failure as people can stand up there own openid site and any site that accepts openid can use it. The only thing saved on the end site is your openid url these can be many to one and/or specific to a given site. Pretty much you can add as much complexity as you want on your server or find somebody to do so for you.

Re:Single Sign-On

[Bengie]

Email authentication is just another form of single sign-on

Re:Single Sign-On

[vlm]

If they know that a group of interest meets at 8pm on the 1st, 17th and 23rd of each month, and you buy a Latte from the Starbucks next door to the meeting place only on those days at 7:45pm, then you become a person of interest.

Technically its the first Friday of the month 5 to 8 local time. But whatever.

http://www.2600.com/meetings/

Re:Single Sign-On

[PlusFiveTroll]

On the accounts that aren't important who cares, but..

On the ones that are important at least do something simple like

$goodpassword+sitename

So you would have X43snv!yahoo
or X43snv!citibank

That way any automated attacks with your scalped email and password would fail. A dedicated attacker may see the pattern and break in, but it's at least more time consuming for them.

Re:Single Sign-On

[icebraining]

Mozilla Persona/BrowserID, is certificate based and lets you have different profiles for different sites. It requires you to have an Identity Authority that can vouch for your email, but if you have your own domain you can be your own IA.

http://lloyd.io/how-browserid-works

A little thing called trust

Who is worthy of yours? I see Facebook SSO everywhere, but I don't want to be any part of Facebook.

Re:A little thing called trust

[CastrTroy]

What about OpenID. That allows anybody to be a single sign on service provider. I can even be my own single sign on service provider if I have my own domain name.

Re:A little thing called trust

[CKW]

> I can even be my own single sign on service provider if I have my own domain name.

But Google and Yahoo and Facebook and Twitter are NOT going to allow you to use a *different* service to authenticate your sessions with them, not your own service provider and *certainly* not each other.

Because THEY want the monopoly position, and they don't want people to NOT create an account with them.

And that's why SSO will never fly. The websites that "matter" won't let us do what we want, and N of us will not have a google account (not since they went to the dark side and/or are based in the USA), and M of us won't touch facebook with a 1000 foot pole.

And if the techies won't use something, the millions of techies won't tell their non-techie friends and relatives to use it either. End of story.

Here

I'll give you a single sign-on! Send all your login information to me and I'll set something up...

The same thing that killed 'Passport'

[0123456]

Users don't want everything tied to a single identifier, particularly one controlled by Microsoft, Google, Facebook or some other company.

Single Sign on aka FB

[Foo2rama]

FB is becoming more and more of a single sign on.



The real reason holding it back is people that make the websites are either to lazy to include it. ie blogging sites. Or want increased security aka financial sites.

Re:Single Sign on aka FB

[i+kan+reed]

Or users who rebel.

Re:Single Sign on aka FB

[cpu6502]

The real reason is that FB forces me to use my realname, and I don't want to use my realname on a public internet that stores my messages for the next 20, 30, 40 years. I don't want either my employer or some government agency using those posts to develop a profile about me. (Or using them as excuse to reject my resume, or stick me on a Do Not Travel list.)

I get-around the "single login" deficit by using the same name/pass across all websites where I don't care if they get hacked (like posting replies on newspapers). I use a 2nd password for personal websites like email. And a 3rd strong password just for the two banking/stock websites. Nothing gets written down so I don't have to worry about somebody finding my "scrawled passwords" laying in plain sight.

Re:er becuase its Microsoft !

[Damastus+the+WizLiz]

Why not, they probably hold your mortgage and your car loan.

Trust and Compromise

[harl]

It's impossible to find someone everyone trusts.

Also what happens once the central repository is compromised?

Re:Trust and Compromise

[hobarrera]

If you have something like OpenID, you could set up your own SSO providers.
Face it; average joe uses the same password everywhere, and won't care about the trustability of the service provider.

It's already here

[wiggles]

Facebook, OpenID, Yahoo, AOL, Google, Microsoft - they all support SSO for websites that want to use it. It's just a matter of the individual websites implementing it.

If you notice, Slashdot has even implemented it.

Re:It's already here

[iluvcapra]

That's the great thing about single sign-ons: there are so many to choose from!

My Single Sign On

[SighKoPath]

I have Single Sign On. It's called keepass.

Re:My Single Sign On

[TheCarp]

Yes. Exactly. All the SSO I need.

I have a FB account, but, since when do I trust them to know every single website I go to? You know how many non-FB websites I have EVER logged into with my FB account? 0. Exactly 0.

As far as I can tell, the only reason they offer SSO is so they have yet more info to aggregate and sell. I don't use FB login for the same reason I don't allow my web browser (via requestpolicy) to connect to facebook at all when loading non-facebook sites.

FB doesn't need to know where I go to stream music, it doesn't need to know where I read my news or post my comments, it doesn't need to know jack shit other than what I post on my wall, on facebook.

I've had single sign-on for years!

I simply use the same password for everything! Brilliant, I know!

There are a few out there

[JTD121]

There's Mozilla's Browser ID, which is uses nowhere....Google, Yahoo, et al seem to have been 'bundled' into the Disqus 'platform' across various sites. I think it's more that no one wants to give up 'control' of their user data and associated metrics to a single open standard. By forcing users to continue to sign up for their 'services' they get to collect whatever they want through the use of EULAs, ToS', etc. For their own ends, of course.

In the meantime - LastPass!

[Kiaradune]

In the meantime, check out https://lastpass.com/ - you get to use a single password to protect all of your other passwords. You can generate random ones, store the passwords in the cloud, so are accessible by you, anywhere. I cannot do justice here to the security and features offered.

Essentially you visit a site, and LastPass fills in the username/password for you.

Re:In the meantime - LastPass!

[Kiaradune]

Fortunately they don't have access to your unencrypted passwords.. https://lastpass.com/support.php?cmd=showfaq&id=1096

"AES utilizing 256-bit keys.AES-256 is accepted by the US Government for protecting TOP SECRET data. AES is implemented in JavaScript for the LastPass.com website, and in C++ for speed in the Internet Explorer and Firefox plug-ins.
This is important because your sensitive data is always encrypted and decrypted locally on your computer before being synchronized. Your master password never leaves your computer and your key never leaves your computer. No one at LastPass (or anywhere else) can decrypt your data without you giving up your password (we will never ask you for it). Your key is created by taking a SHA-256 hash of your password. When you login, we make a hash of your username concatenated with your password, and that hash is what's sent to verify if you can download your encrypted data."

The core problem

[subreality]

The technology is already available - OpenID and several other standards are ready to go.

The trouble is that everyone wants to be the ID provider, but no one wants to accept other providers. Passport is a great example - Microsoft wants to be the central gatekeeper. Well thanks, but no, I'd rather run my own, but of course MS won't accept it.

So we're now in a standoff.

Who do you want to hold your data?

[jellomizer]

Ok the problem with Single Sign on, is the fact we are all going to choose a company for the SSO.
Do enough of us really trust Microsoft, who has been in the headlines for massive security breaches.
How about Facebook, you know those guys who take your data and sends it to everyone on the face of the earth.
Perhaps Google, You will get targeted adds based on every place you login too.
Open ID, how much do you really trust a bunch of harry toe programmers, who go to these black hat hacking events?

Some distributed architectural system where you can find many points of weaknesses from some armature setup.

That is the problem with Single Sign On. We just don't have any trust, in these sources. And to have one that you trust enough for the rest of the world?

The answer, and solution, are both simple.

[Above]

The answer is easy: Too many eggs in one basket.

That could be one place that if it gets broken into everything is lost, or it could be one entity that knows all the dirty little secrets since they know all the sites that authenticate your identity. It could also just be one entity that must be up and available, which is a tall order.

The solution is simple: Public key cryptography.

Most of the people on /. are probably familiar with ssh. A key is generated on the client end. The public material is put on the server end. If the server is compromised nothing bad happens as the attacker now has a public key they can't use to log into any other service.

There is no technological reason the web can't work the same way. There is a lack of agreement on how to do it that is holding us back, and also a User Interface problem in browsers. However it's not hard to imagine a world where a browser generates a key pair, and during the sign up procedure for a web site it transmits the public material. It looks like single sign on to the user, but they didn't have to trust any third parties, and if the web site is broken into the attacker gets no useful data. It could be implemented with x.509 certificates which browsers already have support for, or it could be done as specific form types and key formatting a-la how ssh does it today. Users could create multiple keys if they wanted, and by syncing the private key material between their devices have passwordless access across all their devices.

A small amount of standards work and UI here could make passwords nearly obsolete. Sysadmins don't use telnet and passwords anymore; we need to upgrade users, and the user tools to achieve the same benefits. Single Sign On, and all of its drawbacks, disappear in the process, a win-win!

Re:er becuase its Microsoft !

[TheCarp]

Go buy my mortgage (sorry no lien on my car), then ask if you can have the keys to my house, see how far that gets you. It will get you told off, shown the bird, and possibly even mooned at that point...what it isn't going to get you, is any keys from me.

More than that.... what do they need the information for? My employer signs my paychecks, few things hold more sway over my life. Do you think that means I emailed my boss my facebook password so he could poke around and see what I am up to in my personal life? No!

The more of such a relationship I have with them, the MORE I feel I want my personal data protected. What if I am gay and they hate homosexuals? What if I am straight and they hate straight people? Maybe they don't like something my wife had to say? Point is, if I have to worry that they might make discriminatory decisions against me, then its best that they don't have information that can be used to make such decisions. Better that they keep a racist on staff who doesn't know the race of the people whose accounts he deals with than find out the hard and long way that I am one of the people he hates.

Rememeber, anything can become illegal/considered imoral/irrationally disliked by any number of people at any time....and if you aren't ever saying or doing anything that couldn't be taken thr wrong way, or expose you to discrimination, then you just are not very interesting...and thats the last thing we should be encouraging as a society.

Re:Last pass

[X.25]

I manage my passwords with lastpass. The service that Steve Gibson from GRC has vetted to be safe and secure

Hahahaha.

Wait - the same Steve Gibson that insisted raw sockets are security threat, some 10 years ago?

That Steve Gibson?

Hahahahaha.

You forgot one other issue

[davidwr]

Your solution moves single-sign-on from a solution-provider to the individual, but it completely ignores the fact that some of us DO NOT WANT identities tied together.

True, I could have multiple, independent public keys just like I can have multiple independent sign-ons.

However, you and the world still need to realize that one of the things holding back single-sign-on in any form is that many people simply do not want it.

Re:It's a bad idea

[NFN_NLN]

But if you do that, then why not just use a different password for each such group? Passwords aren't that hard.

I believe the submitter touched on part of the reason. Inconsistent password policies for length, characters and expiry date.
To this day there is one PITA site that won't allow "!" as a password character and it throws my whole system off.

Also, if I want to change my password, with SSO there is one change. With multiple sites....

Passwords may not be hard... but SSO is easier.

The Problem with Microsoft Passport

[Nom+du+Keyboard]

The problem with Microsoft Passport was Microsoft.