
Ask Slashdot: What's Holding Up Single Sign-On?

timothy posted more than 2 years ago | from the 2012-edition-but-ask-again-next-year dept.

Security 446

An anonymous reader writes "Like most web users these days, I have enough accounts on enough websites – most of which have *inconsistent* password syntax restrictions — that when I need to log into a site I don't visit very often, I now basically just hit the "Forgot Password" button immediately. Microsoft's "Passport" gave us the promise of a single web sign-on. What happened to that idea? Why hasn't some bright spark (or ubiquitous web corporation) already made a fortune standardizing on one? I can now buy my coffee with my phone. Why do I have to still scratch my passwords on the underside of my desk?"


446 comments


Single Sign-On (5, Insightful)

Anonymous Coward | more than 2 years ago | (#40754415)

Single breach of security.

Re:Single Sign-On (5, Insightful)

Anne_Nonymous (313852) | more than 2 years ago | (#40754497)

Not to mention the tracking/privacy issues.

Re:Single Sign-On (0)

Anonymous Coward | more than 2 years ago | (#40754833)

Considering that most people recycle passwords, we have multiple breaches of security.

Re:Single Sign-On (1)

Anonymous Coward | more than 2 years ago | (#40754881)

+ Single point of failure.

Re:Single Sign-On (1)

cormandy (513901) | more than 2 years ago | (#40754913)

but, but Single point of Sign On!

Re:Single Sign-On (1)

Impy the Impiuos Imp (442658) | more than 2 years ago | (#40754885)

Breach of security? I'll say!

"I saw his single security report today. Five Slashdot logons, three coffees at Tim Horton's, and twenty seven visits to cockgobblers.com."

Re:Single Sign-On (3, Interesting)

Anonymous Coward | more than 2 years ago | (#40754917)

Most password reset protocols are just a kludgy 'authentication via email' already.

I would've logged in, but I no longer have access to the email account that I used to create my /. account 10+ years ago.

Re:Single Sign-On (1)

GameboyRMH (1153867) | more than 2 years ago | (#40754993)

Yeah I was going to say "the fact that it's a terrible idea" but that hasn't stopped so many other terrible ideas from becoming wildly popular.

A little thing called trust (5, Insightful)

Anonymous Coward | more than 2 years ago | (#40754427)

Who is worthy of yours? I see Facebook SSO everywhere, but I don't want to be any part of Facebook.

Here (5, Funny)

Anonymous Coward | more than 2 years ago | (#40754439)

I'll give you a single sign-on! Send all your login information to me and I'll set something up...

Because it's a terrible idea. (0)

Anonymous Coward | more than 2 years ago | (#40754457)

And most people don't want it.

Re:Because it's a terrible idea. (1)

JcMorin (930466) | more than 2 years ago | (#40754493)

Agree, then this site is compromised or hacked because every site has "access" to it. Not having a shared login with Facebook and Gmail is already great.

Re:Because it's a terrible idea. (1)

Jeng (926980) | more than 2 years ago | (#40754813)

Yes, but people still want a solution to the issue.

Re:Because it's a terrible idea. (2, Informative)

Anonymous Coward | more than 2 years ago | (#40754935)

There is. Password managers.

Kwallet for example can do this automatically. I don't have to "remember" anything but the single password I encrypted it with. It remembers everything else. All the convenience of single-sign-on, without the problems of a single compromised site leaking all your sign on data to everything, and the problems of tracking.

Re:Because it's a terrible idea. (1)

Krojack (575051) | more than 2 years ago | (#40754831)

I find it to be one of those great ideas that just can't even happen. Mainly as others stated. "Single breach of security."

The same thing that killed 'Passport' (5, Insightful)

0123456 (636235) | more than 2 years ago | (#40754465)

Users don't want everything tied to a single identifier, particularly one controlled by Microsoft, Google, Facebook or some other company.

Re:The same thing that killed 'Passport' (1)

Anonymous Coward | more than 2 years ago | (#40754633)

Actually I recently learned that if you are running a commercial site you have to pay Microsoft a large yearly fee to use Passport. I can't find it right now but I know it was several thousand a year.

Re:The same thing that killed 'Passport' (1)

residieu (577863) | more than 2 years ago | (#40754861)

But it's nice when I want to comment on an article and I really don't want to sign up for yet another account. I can just give them my spare yahoo account and log in. Yay!

It's a bad idea (1)

Anonymous Coward | more than 2 years ago | (#40754467)

Single sign-on means that if you're compromised once you're compromised everywhere.

Re:It's a bad idea (2, Insightful)

NFN_NLN (633283) | more than 2 years ago | (#40754653)

Single sign-on means that if you're compromised once you're compromised everywhere.

I don't think there is a rule that you have to use a single account. I have multiple gmail accounts to separate hobby sites from work sites, etc.

If you use single sign on for slashdot, gizmodo, etc., I'm not really too concerned. It's not like someone is going to abuse my mod points more than I already do.

For important accounts I'll still use a separate identity/password.

I think there is confusion about SSO being forced for every account.

Re:It's a bad idea (1)

JohnFen (1641097) | more than 2 years ago | (#40754887)

But if you do that, then why not just use a different password for each such group? Passwords aren't that hard.

Re:It's a bad idea (0)

Anonymous Coward | more than 2 years ago | (#40754851)

Instead, I just use 'password99' for everything. Much easier.

Single Sign on aka FB (4, Informative)

Foo2rama (755806) | more than 2 years ago | (#40754477)

FB is becoming more and more of a single sign on.

The real reason holding it back is that people who make the websites are either too lazy to include it (i.e. blogging sites) or want increased security (i.e. financial sites).

Re:Single Sign on aka FB (3, Informative)

i kan reed (749298) | more than 2 years ago | (#40754563)

Or users who rebel.

Re:Single Sign on aka FB (0)

Anonymous Coward | more than 2 years ago | (#40754639)

I'm not sure it is laziness as much as a general contempt for facebook among the web development community.

Re:Single Sign on aka FB (4, Insightful)

cpu6502 (1960974) | more than 2 years ago | (#40754731)

The real reason is that FB forces me to use my real name, and I don't want to use my real name on a public internet that stores my messages for the next 20, 30, 40 years. I don't want either my employer or some government agency using those posts to develop a profile about me. (Or using them as an excuse to reject my resume, or stick me on a Do Not Travel list.)

I get around the "single login" deficit by using the same name/pass across all websites where I don't care if they get hacked (like posting replies on newspapers). I use a 2nd password for personal websites like email. And a 3rd strong password just for the two banking/stock websites. Nothing gets written down so I don't have to worry about somebody finding my "scrawled passwords" lying in plain sight.

Re:Single Sign on aka FB (1)

Anonymous Coward | more than 2 years ago | (#40754997)

Facebook makes you use your real name? My friend Simon McMonkeypants begs to differ!

Re:Single Sign on aka FB (1)

JohnFen (1641097) | more than 2 years ago | (#40754915)

The real reason is what's been said before: trust. I can't think of any entity that I trust with so much that I'm OK with them knowing when & where I'm logging into something, let alone hold my keys.

er because it's Microsoft! (0)

Anonymous Coward | more than 2 years ago | (#40754481)

Would you trust a convicted monopolist with your keys?

Re:er because it's Microsoft! (3, Funny)

Damastus the WizLiz (935648) | more than 2 years ago | (#40754509)

Why not, they probably hold your mortgage and your car loan.

Re:er because it's Microsoft! (4, Insightful)

TheCarp (96830) | more than 2 years ago | (#40754843)

Go buy my mortgage (sorry no lien on my car), then ask if you can have the keys to my house, see how far that gets you. It will get you told off, shown the bird, and possibly even mooned at that point...what it isn't going to get you, is any keys from me.

More than that.... what do they need the information for? My employer signs my paychecks, few things hold more sway over my life. Do you think that means I emailed my boss my facebook password so he could poke around and see what I am up to in my personal life? No!

The more of such a relationship I have with them, the MORE I feel I want my personal data protected. What if I am gay and they hate homosexuals? What if I am straight and they hate straight people? Maybe they don't like something my wife had to say? Point is, if I have to worry that they might make discriminatory decisions against me, then it's best that they don't have information that can be used to make such decisions. Better that they keep a racist on staff who doesn't know the race of the people whose accounts he deals with than find out the hard and long way that I am one of the people he hates.

Remember, anything can become illegal/considered immoral/irrationally disliked by any number of people at any time....and if you aren't ever saying or doing anything that couldn't be taken the wrong way, or expose you to discrimination, then you just are not very interesting...and that's the last thing we should be encouraging as a society.

Re:er because it's Microsoft! (1)

MobileTatsu-NJG (946591) | more than 2 years ago | (#40754805)

Would you trust a convicted monopolist with your keys?

As opposed to their competition? Uh.. yeah.

Password Hasher (1)

PReDiToR (687141) | more than 2 years ago | (#40754485)

Password Hasher [wijjo.com] could happily provide you with 26 character strong passwords without the hassle of remembering them.

Re:Password Hasher (1)

hobarrera (2008506) | more than 2 years ago | (#40754923)

What happens if I have various PCs? Or if one of my devices doesn't have Firefox (i.e. webOS)?

Some do (0)

Anonymous Coward | more than 2 years ago | (#40754487)

I noticed some of the sites allow you to link your Facebook and/or Windows Live as your login credentials.

Facebook (1)

verbatim_verbose (411803) | more than 2 years ago | (#40754499)

Facebook has made one of the largest pushes into this area. Has it worked? I'm not sure, just because I tend to prefer to not tie my various accounts to Facebook. I assume some people feel the same way, but I suspect the population at large likes this.

The fact that it's a bad idea? (0)

Anonymous Coward | more than 2 years ago | (#40754503)

Single sign-on is either:
1) Simple, but centralized, prone to tracking and to one-account-to-hack-them all problem.
2) Highly complicated, and thus insecure.

Bad implementations. (1)

karmaflux (148909) | more than 2 years ago | (#40754513)

You either get SIGN IN WITH FACEBOOK, which means you turn all your data over to some retarded megacorporation, or you get SIGN IN WITH SHIBBOLETH, which means you get to spend six years wading through XML and Tomcat stack traces.

Re:Bad implementations. (0)

Anonymous Coward | more than 2 years ago | (#40754601)

SIGN IN WITH SHIBBOLETH, which means you get to spend six years wading through XML and Tomcat stack traces.

I use JA-SIG CAS for my centralized logins. It's a pain to run the server (Tomcat), but the client is simple and very easy to use.

Because it is a horrible idea? (0)

Anonymous Coward | more than 2 years ago | (#40754519)

Why would you want to increase the damage a hacker can do when an account is compromised?

Do really trust all of the corporate parties involved to implement this in a secure manner?

Re:Because it is a horrible idea? (1)

hobarrera (2008506) | more than 2 years ago | (#40754893)

In this case, ignorance isn't bliss. Reading about these [wikipedia.org] sort of protocols might be a good idea.

Three simple words (1)

Anonymous Coward | more than 2 years ago | (#40754523)

What's holding up single sign-on?

Three simple words:

DO NOT WANT

Trust and Compromise (4, Insightful)

harl (84412) | more than 2 years ago | (#40754529)

It's impossible to find someone everyone trusts.

Also what happens once the central repository is compromised?

Re:Trust and Compromise (3, Informative)

hobarrera (2008506) | more than 2 years ago | (#40754867)

If you have something like OpenID, you could set up your own SSO providers.
Face it; average joe uses the same password everywhere, and won't care about the trustability of the service provider.

Re:Trust and Compromise (1)

dkf (304284) | more than 2 years ago | (#40754871)

It's impossible to find someone everyone trusts.

You don't have to trust the same people I do. So long as we can find identity providers who talk compatible protocols so that consumers of identities don't need to care, it doesn't matter. (Note that the majority of providers only really guarantee to tell sites "this is the same person who logged in as that other time" and not any information more than that, such as actual names. For a lot of uses that's good enough, but not all.)

Also what happens once the central repository is compromised?

You'd rather have logins on hundreds of badly-maintained blogs instead of a well-maintained central point with dedicated admins who actually know what they're doing? (You can even run your own "central" point if you want. I don't want to do that for my ID provision needs, but you've got the option with things like OpenID and OAuth.) Outsourcing to a specialist cuts the risk profile.

Re:Trust and Compromise (0)

Anonymous Coward | more than 2 years ago | (#40754955)

>Also what happens once the central repository is compromised?

One Time Passwords, a la Google?

It's already here (4, Informative)

wiggles (30088) | more than 2 years ago | (#40754531)

Facebook, OpenID, Yahoo, AOL, Google, Microsoft - they all support SSO for websites that want to use it. It's just a matter of the individual websites implementing it.

If you notice, Slashdot has even implemented it.

Re:It's already here (1, Funny)

Anonymous Coward | more than 2 years ago | (#40754811)

And yet it has still failed to properly support Unicode.

Re:It's already here (1)

hobarrera (2008506) | more than 2 years ago | (#40754849)

Yes, they all support being SSO providers, but if EVERY service provider provides me with an SSO, but none of them let me log in with a third-party SSO, then I don't have a choice but to have a different account on each place; a Facebook account, a Google account, etc.

Re:It's already here (1)

silas_moeckel (234313) | more than 2 years ago | (#40754985)

And if it's Google, Yahoo, AOL or a pile of others, they can be used as OpenID. Right now it's pretty much Facebook as the holdout, as they want all that juicy data. OpenID is the only one in the mix that lets you be in control: you can host it on your own site, add multipart authentication to it and generally be assured of its safety as it's completely under your control (as much as anything that relies on DNS is).

Re:It's already here (5, Insightful)

iluvcapra (782887) | more than 2 years ago | (#40754907)

That's the great thing about single sign-ons: there are so many to choose from!

short answer and probably redundant at this point. (1)

stillpixel (1575443) | more than 2 years ago | (#40754553)

Because no one has a truly secure solution that won't be hacked by a 12 year old exposing all of your 'secure' accounts in one step. Right now, as long as you don't use the same login and password for every online account, you only suffer minor losses if one account gets hacked. With a single sign on you just reduced their work load to one effort.

My Single Sign On (5, Informative)

SighKoPath (956085) | more than 2 years ago | (#40754555)

I have Single Sign On. It's called keepass.

Re:My Single Sign On (3, Interesting)

TheCarp (96830) | more than 2 years ago | (#40754663)

Yes. Exactly. All the SSO I need.

I have a FB account, but, since when do I trust them to know every single website I go to? You know how many non-FB websites I have EVER logged into with my FB account? 0. Exactly 0.

As far as I can tell, the only reason they offer SSO is so they have yet more info to aggregate and sell. I don't use FB login for the same reason I don't allow my web browser (via requestpolicy) to connect to facebook at all when loading non-facebook sites.

FB doesn't need to know where I go to stream music, it doesn't need to know where I read my news or post my comments, it doesn't need to know jack shit other than what I post on my wall, on facebook.

Re:My Single Sign On (1)

hobarrera (2008506) | more than 2 years ago | (#40754821)

Not really SSO: if I find myself on a trip with a broken laptop, I can't quickly log in from a new one, or from a friend's one; I'll need to salvage the data on it first. And since it's the SSO, I can't get a remote backup without it.

Keepass has its uses; SSO isn't one of them, nor is it a substitute for SSO.

Re:My Single Sign On (2)

infogulch (1838658) | more than 2 years ago | (#40754909)

Or LastPass.

I've had single sign-on for years! (5, Funny)

Anonymous Coward | more than 2 years ago | (#40754561)

I simply use the same password for everything! Brilliant, I know!

Go get (0)

Anonymous Coward | more than 2 years ago | (#40754571)

Last Pass

There are a few out there (4, Informative)

JTD121 (950855) | more than 2 years ago | (#40754591)

There's Mozilla's Browser ID [browserid.org], which is used nowhere....Google, Yahoo, et al seem to have been 'bundled' into the Disqus 'platform' across various sites. I think it's more that no one wants to give up 'control' of their user data and associated metrics to a single open standard. By forcing users to continue to sign up for their 'services' they get to collect whatever they want through the use of EULAs, ToS', etc. For their own ends, of course.

In the meantime - LastPass! (3, Informative)

Kiaradune (222032) | more than 2 years ago | (#40754607)

In the meantime, check out https://lastpass.com/ [lastpass.com] - you get to use a single password to protect all of your other passwords. You can generate random ones and store the passwords in the cloud, so they are accessible by you, anywhere. I cannot do justice here to the security and features offered.

Essentially you visit a site, and LastPass fills in the username/password for you.

Re:In the meantime - LastPass! (2)

Lincolnshire Poacher (1205798) | more than 2 years ago | (#40754735)

LastPass discloses potentially personally-identifying and personally-identifying information only when required to do so by law, or when LastPass believes in good faith that disclosure is reasonably necessary to protect the property or rights of LastPass, third parties or the public at large

The highlighted clause is totally out of order. There is only ever one reason they should release data; when instructed by a lawful legal order.

It Doesn't Work (1)

Russ1642 (1087959) | more than 2 years ago | (#40754623)

I've tried Open ID through Google to sign in to Slashdot but can't get it to work.

Re:It Doesn't Work (0)

Anonymous Coward | more than 2 years ago | (#40754931)

I've been told by people who know more about it than I do that Google's openID implementation has problems. I use launchpad.net as my openID provider and I've never had a problem. I don't log in to slashdot though, so ymmv.

The core problem (4, Insightful)

subreality (157447) | more than 2 years ago | (#40754635)

The technology is already available - OpenID and several other standards are ready to go.

The trouble is that everyone wants to be the ID provider, but no one wants to accept other providers. Passport is a great example - Microsoft wants to be the central gatekeeper. Well thanks, but no, I'd rather run my own, but of course MS won't accept it.

So we're now in a standoff.

Last pass (1)

agoodm (856768) | more than 2 years ago | (#40754647)

I manage my passwords with lastpass. The service that Steve Gibson from GRC has vetted to be safe and secure

Re:Last pass (1)

grqb (410789) | more than 2 years ago | (#40754785)

I love lastpass. No need to remember login info at all (except for your master password). The _only_ problem is when using my phone/ipad, it's a bit difficult to dig up passwords.

Re:Last pass (1)

agoodm (856768) | more than 2 years ago | (#40754841)

$1/month gets you the mobile version... Bookmarklets... Lots of options. LastPass works on every device I've tried it on.

Re:Last pass (1)

kaizendojo (956951) | more than 2 years ago | (#40755005)

Agreed. Love it and well worth the reasonable price. Suck it, Roboform!

Re:Last pass (3, Insightful)

X.25 (255792) | more than 2 years ago | (#40754901)

I manage my passwords with lastpass. The service that Steve Gibson from GRC has vetted to be safe and secure

Hahahaha.

Wait - the same Steve Gibson that insisted raw sockets are security threat, some 10 years ago?

That Steve Gibson?

Hahahahaha.

Standards (0)

Anonymous Coward | more than 2 years ago | (#40754651)

I shouldn't have to link the obligatory XKCD comic (927), but it's all down to standards. Google, Salesforce and a few other important SaaS apps support SAML. If you need form stuffing "HTTP-Fed" and / or SAML then you could use something like Symplified. Otherwise if you're SAML only, use Ping.

Bad idea! (1)

onyxruby (118189) | more than 2 years ago | (#40754677)

This is a really bad idea across the board. First you would have to get a bunch of web sites to agree on a set of standards - really have you looked at what clusterf*ck most standards have turned into? Assuming you can somehow make the first one happen with the blessing of the FSM on the second harvest moon of the year you still have a problem.

You have now just made /any/ website that did somehow join your standard much more profitable. Why? Users are lazy, not only do they share passwords they also typically share user names if they can get away with it.

What's the big deal? Because you find the least secure website that follows your password schema and you crack it. You now have the passwords and user names and email addresses for a low rent web site. However, since you have conveniently set your password tool to share passwords (and assumedly user names that attach to those passwords) you have a bigger problem. Now your black hat is going to take a select few user names and passwords and log into much more valuable websites.

Think of it as cracking the combination to the bank vault by figuring out the combination to the bank manager's personal bike lock. Bad idea, I hope it dies in a fire.

Lastpass (0)

Anonymous Coward | more than 2 years ago | (#40754681)

There are solutions for SSO such as OpenID, etc., but site owners have to make their own choice. There is also the issue of how much I trust Google/Yahoo/Facebook/OpenID/etc. with allowing access into my system, and what assurances I have that they won't pull the plug.

Free services could change or disappear and probably won't offer any level of service since it is free unless you pay.

Paying makes it more expensive than just rolling your own.

I use a solution like LastPass to manage it all with easy sync. Again I had to put a lot of trust into them, and they could disappear; but it is free so that is part of the trade off. Users aren't willing to pay much in reality.

SSO simply isn't cheap enough in monetary sense and service availability sense.

Who do you want to hold your data? (3, Interesting)

jellomizer (103300) | more than 2 years ago | (#40754701)

Ok, the problem with Single Sign On is the fact that we are all going to choose a company for the SSO.
Do enough of us really trust Microsoft, who has been in the headlines for massive security breaches?
How about Facebook, you know, those guys who take your data and send it to everyone on the face of the earth?
Perhaps Google? You will get targeted ads based on every place you log in to.
OpenID: how much do you really trust a bunch of hairy-toed programmers who go to these black hat hacking events?

Some distributed architectural system where you can find many points of weakness from some amateur setup.

That is the problem with Single Sign On. We just don't have any trust in these sources. And to have one that you trust enough for the rest of the world?

Two solutions already exist (1)

alphax45 (675119) | more than 2 years ago | (#40754707)

1. Facebook connect. Remember that Facebook only knows what you tell it. You could always make an account with only required fields filled out, NEVER use it as intended (set all the security/privacy to the highest and don't ever friend anyone, join any groups, or "like" anything), and just use that as your SSO solution. Or if you simply refuse to use Facebook at all: 2. Lastpass. Can't say enough about these guys. It is FREE and just works.

Password Policies (1)

bradgoodman (964302) | more than 2 years ago | (#40754727)

Password policies seem to make the whole point shared in the OP about defaulting to the "Forgot Password" button.

Many people have very secure passwords, and good schemes to secure them, generate unique ones for each site, etc. So if my password for a site is "Lkjsdf834kklLKjlkj90uKLjh89yhLK98" - that could be very secure. But if some arbitrary site has a rule that states "Your password must have at least one punctuation character in it" - it rejects my password. Now, the system I have in place to generate unique, memorable, hard-to-crack passwords can't be used with this site.

Now, I need to generate and remember something special for this site, many of which are silly sites that I don't care about which make me login/register, to which I would never even care if my password was revealed. (Like someone would be able to post a comment on a news article under a username that vaguely mimics my real name, etc.)

So my point was....(I forgot what it was....)

Re:Password Policies (1)

fahrbot-bot (874524) | more than 2 years ago | (#40754977)

I remember a security class where the instructor talked about how a good pass phrase is more secure than passwords conforming to the usual character-class rules and change frequencies - the latter often providing passwords difficult to remember, etc... His example, the phrase "My daughter has big brown eyes.", is rather secure from guessing and hacking attempts and easy for him to remember. Assuming he is careful about sharing and/or surveillance by others, there's no need to change it every N days, or ever. I don't have the stats or math to analyze the merits of this argument, but it seems observationally solid.

SSO is viable... just not well architected (0)

Anonymous Coward | more than 2 years ago | (#40754751)

I use SSO on a daily basis... whether using Google's implementation of OpenID, or Microsoft's LiveID...

unfortunately, what I've seen is that the software architecture for SSO clients tends to blow. Most sites tend to use the highly coupled approach, in which your SSO is mapped one-to-one with your local account/profile.

I keep waiting for a site which supports many-to-many mappings... I should be able to log on with ANY SSO provider (GoogleID, LiveID, FB, my own OpenID, etc)... and I should be able to choose which account/profile I want to use (perhaps I have multiple FB profiles, or multiple email accounts)

it's not hard... I don't know why there hasn't been a single site to support this... but it is what it is.

The answer, and solution, are both simple. (5, Insightful)

Above (100351) | more than 2 years ago | (#40754755)

The answer is easy: Too many eggs in one basket.

That could be one place that if it gets broken into everything is lost, or it could be one entity that knows all the dirty little secrets since they know all the sites that authenticate your identity. It could also just be one entity that must be up and available, which is a tall order.

The solution is simple: Public key cryptography.

Most of the people on /. are probably familiar with ssh. A key is generated on the client end. The public material is put on the server end. If the server is compromised nothing bad happens as the attacker now has a public key they can't use to log into any other service.

There is no technological reason the web can't work the same way. There is a lack of agreement on how to do it that is holding us back, and also a User Interface problem in browsers. However it's not hard to imagine a world where a browser generates a key pair, and during the sign up procedure for a web site it transmits the public material. It looks like single sign on to the user, but they didn't have to trust any third parties, and if the web site is broken into the attacker gets no useful data. It could be implemented with X.509 certificates which browsers already have support for, or it could be done as specific form types and key formatting à la how ssh does it today. Users could create multiple keys if they wanted, and by syncing the private key material between their devices have passwordless access across all their devices.

A small amount of standards work and UI here could make passwords nearly obsolete. Sysadmins don't use telnet and passwords anymore; we need to upgrade users, and the user tools to achieve the same benefits. Single Sign On, and all of its drawbacks, disappear in the process, a win-win!
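The ssh-style web login the post sketches, worked through as an added example (this is not the poster's code and not any existing standard): the site stores only an Ed25519 public key per user, and logging in means the browser signs a one-time server nonce that is bound to the site's origin. The origins, the `webauth-v1|...` message format and all function names are assumptions made up for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Site is the relying party. Per user it stores public material only, so a
// database breach yields nothing that lets an attacker log in anywhere.
type Site struct {
	Origin string
	users  map[string]ed25519.PublicKey // username -> registered public key
	nonces map[string][]byte            // username -> outstanding challenge
}

func NewSite(origin string) *Site {
	return &Site{Origin: origin, users: map[string]ed25519.PublicKey{}, nonces: map[string][]byte{}}
}

// Register is the sign-up step: the client transmits its public key, nothing else.
func (s *Site) Register(user string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("bad public key length")
	}
	s.users[user] = pub
	return nil
}

// Challenge issues a fresh random nonce for one login attempt.
func (s *Site) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.nonces[user] = nonce
	return nonce, nil
}

// challengeMessage binds the nonce to the site's origin (a constructed format),
// so a signature produced for one site cannot be replayed at another.
func challengeMessage(origin string, nonce []byte) []byte {
	return []byte("webauth-v1|" + origin + "|" + hex.EncodeToString(nonce))
}

// Verify consumes the outstanding nonce (whether or not the check passes) and
// validates the signature against the stored public key.
func (s *Site) Verify(user string, sig []byte) bool {
	pub, haveUser := s.users[user]
	nonce, haveNonce := s.nonces[user]
	delete(s.nonces, user)
	if !haveUser || !haveNonce {
		return false
	}
	return ed25519.Verify(pub, challengeMessage(s.Origin, nonce), sig)
}

// Client is the browser side. The private key never leaves it.
type Client struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewClient() (*Client, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{Pub: pub, priv: priv}, nil
}

// Sign answers a challenge for the origin the browser is actually connected to.
func (c *Client) Sign(origin string, nonce []byte) []byte {
	return ed25519.Sign(c.priv, challengeMessage(origin, nonce))
}

func Login(c *Client, s *Site, user string) (bool, error) {
	nonce, err := s.Challenge(user)
	if err != nil {
		return false, err
	}
	return s.Verify(user, c.Sign(s.Origin, nonce)), nil
}

func main() {
	c, _ := NewClient()
	shop := NewSite("https://shop.example") // hypothetical origin
	shop.Register("alice", c.Pub)
	ok, _ := Login(c, shop, "alice")
	fmt.Println("alice at shop:", ok) // true
	thief, _ := NewClient() // holds only the leaked public key, not alice's private key
	ok, _ = Login(thief, shop, "alice")
	fmt.Println("thief as alice:", ok) // false
}
```

Registering the same public key at a second site gives the SSO-like experience without a third party, while the origin in the signed message keeps a signature obtained for one site from being accepted by another.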

Facebook (1)

EmagGeek (574360) | more than 2 years ago | (#40754759)

What's holding it up for me is that most of them want you to use your facebook credentials, so they can post garbage to your wall and harvest your friend lists and emails.

Of course, it's even harder to use it when you are one of the few remaining humans in civilization that doesn't have a facebook account.

Yahoo Has Single Sign On... (1)

Xin Jing (1587107) | more than 2 years ago | (#40754765)

I moved to Google after the collapse of my Yahoo single sign on multiverse. All things became one, which was the security reason why I shut down my Yahoo accounts and left for Google. Yahoo as a web portal has a number of quality services that are linked. If only their privacy options were more robust I might still be there to enjoy them.

-Xin

Facebook SSO / Windows 8 (1)

DeionXxX (261398) | more than 2 years ago | (#40754781)

Facebook is doing SSO really well for stuff that's just not that important. Sign in to random websites/games/apps/forums with a single click.

I wouldn't want SSO for my bank/finances/medical though because of the single point of failure issue.

However, for PCs Windows 8 now allows you to log in with your Windows Live credentials (not sure if you could do this before)... I personally liked that feature since you can log onto different PCs/tablets around the house without reconfiguring things.

Just for intra-organizational sign-ons. (1)

harperska (1376103) | more than 2 years ago | (#40754787)

Single Sign-On technology only makes sense within a single organization. For example, if you get a loan from the same institution you do personal banking with, you may want the convenience of a single sign on to their loan system and their banking system. But in this case, you don't have to worry about privacy issues as it is already the same organization with access to both sets of data, even if they are two different systems in the back-end, possibly due to a corporate merger or something.

However, with cross-organizational single sign-on, it opens up a privacy can-of-worms. On one hand, I don't want to risk the possibility of someone hacking my google/microsoft/facebook/apple/etc. account and gaining access to my financial accounts. On the other hand, I don't want google/microsoft/facebook/apple/etc. to have access to my financial accounts in the first place.

Because everyone wants to be the provider (1)

hobarrera (2008506) | more than 2 years ago | (#40754793)

Because everyone wants to be the SSO provider.

Basically, we had OpenID. Along came plenty of services which gave you an OpenID account (or something VERY similar), but none of them allow you to log in using a single sign on hosted elsewhere.
Example: Facebook is an SSO. So is Google. So are plenty of others. But since Google wants to be the provider, they won't allow you to log in with Facebook's OpenID. The inverse also applies.
In the end, everyone is an OpenID provider, but the only place I can log in with a third-party OID provider, is stackoverflow. And sourceforge, IIRC. Until these huge service providers (google, facebook, twitter, etc) start accepting third-party OpenIDs, this won't change.

For all those non-important signups (2)

dmatos (232892) | more than 2 years ago | (#40754799)

Why don't people just tell their browser to remember their login/pwd information? That's what I do for Slashdot, BoingBoing, fb, lj, gmail, etc.

Bank websites and credit card websites, I still store the passwords in my noggin, but social media? I don't care if someone who's stolen my laptop suddenly can make twitter posts in my name.

Re:For all those non-important signups (2)

Anonymous Psychopath (18031) | more than 2 years ago | (#40754987)

Why don't people just tell their browser to remember their login/pwd information? That's what I do for Slashdot, BoingBoing, fb, lj, gmail, etc.

Bank websites and credit card websites, I still store the passwords in my noggin, but social media? I don't care if someone who's stolen my laptop suddenly can make twitter posts in my name.

Because many people are using multiple devices, in which case they have to store your passwords in "the cloud" with some sort of browser sync. Also, folks are accessing resources with a browser sometimes and apps at other times.

LastPass does a pretty good job of filling in the gaps.

Re:For all those non-important signups (1)

Russ1642 (1087959) | more than 2 years ago | (#40755019)

Google Chrome is a good example of why this is a bad idea. Go into the settings page of your Chrome browser and it'll show you in plaintext all of your stored website passwords. Anyone using your browser can quickly have a peek.

Trust (1)

JDG1980 (2438906) | more than 2 years ago | (#40754817)

There is no company large enough to make a plausible attempt at "single sign-on" that would also be trustworthy enough for most people to give them that level of access. And there probably never will be, since our current system of corporate capitalism not merely permits but actively requires corporations to act in a sociopathic manner.

Single point of failure (1)

misnohmer (1636461) | more than 2 years ago | (#40754819)

If your single sign-on is compromised, the attacker gains access to all your accounts (and potentially locks you out until you can prove it is actually you who owns this single sign-on account and reset it, which is not always possible since there is not much verification at the time of signing up for a single sign-on account).

If you trust your cell phone to do your banking, one solution for you would be to get a password storage application that would encrypt and store (different) passwords to all the websites you visit.

Moving along (0)

Anonymous Coward | more than 2 years ago | (#40754823)

Now you often see sites that will let you sign on with Yahoo, or Facebook, or Passport or something else. So I'd say it's still moving along.

single sign-in = single point of failure (1)

Cyko_01 (1092499) | more than 2 years ago | (#40754825)

"oh shit! firefox(with single sign-in) won't start! I guess I'll have to use internet explorer to check my email. wait, I can't remember my email password anymore because I have been using single sign-on!!!!!"

yea, that sounds like a great idea! (sarcasm)

How Will They Get Paid? (1)

assertation (1255714) | more than 2 years ago | (#40754827)

Someone mentioned the very good point that Facebook is TRYING to become the single signon king. However, nobody trusts Facebook.

It brings up the question of how a single signon organization would make its money.

Nobody would trust it, use it, if it makes its money like FB or Google......basically by selling its users out.

It would have to be some sort of not-for-profit trust that could pay its employees well without having ties to other businesses.

That sounds like the government. I wouldn't want to give my single sign on info to the government or an organization that might be petitioned by the government.

Back to square zero.

Look into Persona (1)

Anonymous Coward | more than 2 years ago | (#40754839)

You don't really want to trust any of the parties offering SSO. A slightly different take on the same space which bears watching is Mozilla Persona [persona.org] (recently renamed from BrowserID). I don't really expect it to catch on, but it might, and it's the only endeavour in this field which has a chance of really tackling the trust issue and offering a useful way forward.

Passpack (1)

andsens (1658865) | more than 2 years ago | (#40754845)

I use passpack. I see a lot of people using lastpass. I honestly think passpack is better.
I began using passpack, switched to lastpass and then switched back to passpack.
How is it going with the implementation of tags over at lastpass? Still using single groups instead?
The cool thing about passpack is the javascript bookmarklet for one click signon, no need for any extension...

Distributed/trusted system (0)

Anonymous Coward | more than 2 years ago | (#40754891)

The real problem with these systems is that they're not distributed; there should be a single sign-on that has several separated trusted agents. My suggestion, arrogantly submitted, is that chip&pin cards should be used as trusted IDs. As little as I trust banks, they're the only cryptographically secure method of identification that anyone carries. The banks in almost every country are required to positively ID cardholders, and SSO systems can validate the bank's digital signature of the logon credential carried by the credit card. I'm sure it's not perfect, but it would be very robust, and allow you, as a website operator, to be able to trust a login credential, and you as a user to have a login credential that requires no more trust in an institution than you already give to that institution. Oh, by the way, it also easily ties that SSO token to your credit card account.

never write down your passwords (1)

Cyko_01 (1092499) | more than 2 years ago | (#40754919)

everybody says you should never write down your password, but all of a sudden it is a good idea to store ALL of your passwords in one place?! encrypted or not, this is just a bad idea

DO NOT WANT (2)

davidwr (791652) | more than 2 years ago | (#40754963)

* I want to keep my identities separate.
* I don't want _SINGLE_SIGNON_PROVIDER_ to have keys to my entire online life.
* I'd rather "spread the risk" of having my login information compromised.

I don't have a common key for my house, office, and car either. Nor do I want one.

No Multiple Single Signons. (1)

Kaenneth (82978) | more than 2 years ago | (#40754991)

I have my personal Windows Live account, my day job Office 365 user account, and an Office 365 admin account for a friend's small business I administrate for him on the side.

Whenever I needed to switch I had to clear my cookies and close all browser windows, then log in again. It was a massive PITA.

What I do now is use IE for day job, Firefox for personal, and Chrome for admin; so they each have separate cookie sets.

I probably should switch to separate VMs.

Obligatory xkcd (1)

dontbemad (2683011) | more than 2 years ago | (#40755009)

http://xkcd.com/792/ [xkcd.com] Pretty much sums up my argument against it.

Context sensitive formula for password (1)

Anonymous Coward | more than 2 years ago | (#40755015)

I have one password, but it's unique for every website. That's because my password is a small formula that uses the website's URL.

I only need to memorize the formula then look at the url to know what to enter.
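A worked version of this idea, added here as an example and not the commenter's own formula: a per-site password derived with a keyed hash (HMAC-SHA256) of the domain, shown beside the naive "secret plus site name" formula it replaces. The point is that one leaked password from a breached site must not reveal the memorized master. MASTER, ALPHABET and the domain names are constructed sample values.

```python
import hashlib
import hmac
import string

# Constructed example, not the commenter's actual formula. A formula that
# simply pastes a memorized secret next to the site name hands that secret to
# anyone who sees one password (a breach, a shoulder-surfer); a keyed one-way
# function does not, because the master cannot be recovered from its output.

# 64 symbols so a 6-bit index (byte & 63) selects uniformly, with no modulo bias.
ALPHABET = string.ascii_letters + string.digits + "!@"
MASTER = "correct horse battery staple"   # constructed sample secret


def naive_formula(master: str, domain: str) -> str:
    """The weak version: one leaked password reveals the master for every site."""
    return f"{master}{domain.split('.')[0]}"


def has_all_classes(pw: str) -> bool:
    """True if the password has a letter, a digit and a symbol (typical site rules)."""
    return (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)
            and any(c in "!@" for c in pw))


def derive_site_password(master: str, domain: str, length: int = 16, counter: int = 1) -> str:
    """Derive a site password as HMAC-SHA256(master, domain|counter|attempt)
    mapped onto ALPHABET. The domain is lower-cased so 'Example.com' and
    'example.com' agree; bump `counter` to rotate the password after a breach.
    `attempt` is incremented until the output satisfies has_all_classes, so the
    result is deterministic but always passes the usual syntax checks."""
    attempt = 0
    while True:
        msg = f"{domain.lower()}|{counter}|{attempt}".encode()
        # Produce enough keyed bytes by hashing successive block indices.
        stream = b"".join(
            hmac.new(master.encode(), msg + bytes([i]), hashlib.sha256).digest()
            for i in range((length + 31) // 32))
        pw = "".join(ALPHABET[b & 63] for b in stream[:length])
        if has_all_classes(pw):
            return pw
        attempt += 1


if __name__ == "__main__":
    for site in ("example.com", "bank.example", "forum.example.org"):
        print(site, naive_formula(MASTER, site), derive_site_password(MASTER, site))
```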
