Slashdot Mirror


Ask Slashdot: What's Holding Up Single Sign-On?

An anonymous reader writes "Like most web users these days, I have enough accounts on enough websites – most of which have *inconsistent* password syntax restrictions — that when I need to log into a site I don't visit very often, I now basically just hit the 'Forgot Password' button immediately. Microsoft's "Passport" gave us the promise of a single web sign-on. What happened to that idea? Why hasn't some bright spark (or ubiquitous web corporation) already made a fortune standardizing on one? I can now buy my coffee with my phone. Why do I have to still scratch my passwords on the underside of my desk?"

9 of 446 comments

  1. Single Sign-On by Anonymous Coward · · Score: 5, Insightful

    Single breach of security.

    1. Re:Single Sign-On by Anne_Nonymous · · Score: 5, Insightful

      Not to mention the tracking/privacy issues.

  2. A little thing called trust by Anonymous Coward · · Score: 5, Insightful

    Who is worthy of yours? I see Facebook SSO everywhere, but I don't want to be any part of Facebook.

  3. Here by Anonymous Coward · · Score: 5, Funny

    I'll give you a single sign-on! Send all your login information to me and I'll set something up...

  4. The same thing that killed 'Passport' by 0123456 · · Score: 5, Insightful

    Users don't want everything tied to a single identifier, particularly one controlled by Microsoft, Google, Facebook or some other company.

  5. My Single Sign On by SighKoPath · · Score: 5, Informative

    I have Single Sign On. It's called KeePass.

  6. I've had single sign-on for years! by Anonymous Coward · · Score: 5, Funny

    I simply use the same password for everything! Brilliant, I know!

  7. The answer, and solution, are both simple. by Above · · Score: 5, Insightful

    The answer is easy: Too many eggs in one basket.

    That could be one place that, if it gets broken into, everything is lost, or it could be one entity that knows all the dirty little secrets since they know all the sites that authenticate your identity. It could also just be one entity that must be up and available, which is a tall order.

    The solution is simple: Public key cryptography.

    Most of the people on /. are probably familiar with ssh. A key is generated on the client end. The public material is put on the server end. If the server is compromised nothing bad happens as the attacker now has a public key they can't use to log into any other service.

    There is no technological reason the web can't work the same way. There is a lack of agreement on how to do it that is holding us back, and also a User Interface problem in browsers. However, it's not hard to imagine a world where a browser generates a key pair, and during the sign-up procedure for a web site it transmits the public material. It looks like single sign on to the user, but they didn't have to trust any third parties, and if the web site is broken into the attacker gets no useful data. It could be implemented with X.509 certificates, which browsers already have support for, or it could be done as specific form types and key formatting à la how ssh does it today. Users could create multiple keys if they wanted, and by syncing the private key material between their devices have passwordless access across all their devices.

    A small amount of standards work and UI here could make passwords nearly obsolete. Sysadmins don't use telnet and passwords anymore; we need to upgrade users, and the user tools, to achieve the same benefits. Single Sign On, and all of its drawbacks, disappear in the process, a win-win!
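    The ssh-style login the comment above sketches, written out as an added Go example (not the commenter's code): the server keeps only public keys, login is a signed challenge, and the signed message is bound to the site origin. Ed25519 is an assumed concrete choice, as are the origin string and the field names; a real deployment would also need rate limiting, challenge expiry, and device key sync, which this omits.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Server stores only public keys: a leaked user table gives an attacker nothing to log in with.
type Server struct {
	origin     string                       // site identity, bound into every login message
	users      map[string]ed25519.PublicKey // username -> public key, the only stored credential
	challenges map[string][]byte            // outstanding single-use login nonces
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, users: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// SignUp registers the public half of the user's key pair; nothing secret is ever transmitted.
func (s *Server) SignUp(user string, pub ed25519.PublicKey) { s.users[user] = pub }
// Challenge issues a fresh random nonce to sign; it answers for any username so it does not reveal which accounts exist.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// Verify checks the signature with the stored public key and consumes the nonce, so a captured signature cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, ok := s.users[user]
	c, pending := s.challenges[user]
	if !ok || !pending {
		return false
	}
	delete(s.challenges, user)
	return ed25519.Verify(pub, loginMessage(s.origin, c), sig)
}

// loginMessage binds the nonce to the origin, so a signature made for one site is useless at another.
func loginMessage(origin string, challenge []byte) []byte {
	return append([]byte(origin+"\n"), challenge...)
}
// Respond is the client side: the private key stays on the device and only a signature goes out.
func Respond(priv ed25519.PrivateKey, origin string, challenge []byte) []byte {
	return ed25519.Sign(priv, loginMessage(origin, challenge))
}
```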

  8. Re:It's already here by iluvcapra · · Score: 5, Insightful

    That's the great thing about single sign-ons: there are so many to choose from!

    --
    Don't blame me, I voted for Baltar.