E-commerce Single Sign-On Not Dead Yet
FullyIonized writes "A few years ago Microsoft's Passport technology made headlines as Microsoft predicted e-commerce nirvana and conspiracists predicted a new Big Brother. Not to be outdone, Sun spearheaded the Liberty Alliance. Years later, I still don't have a single sign-on, not that that's a bad thing. Enter Andre Durand who started his first business with BBS software, then headed up Jabber, and now has started Ping Identity. The big distinction: the federated identity software is open-source. The Denver Post has the story."
single logon means.. (Score:4, Insightful)
'nuff said(that's enough, not snuff).
Re:single logon means.. (Score:2)
Rus
Re:single logon means.. (Score:5, Insightful)
And how many people use the same username and password everywhere already? There are so many websites out there, each wanting you to sign up, that it's impossible for any human to memorize hundreds of usernames and passwords. They all wind up being the same, or very close to the same. Or worse, they get written down on a piece of paper under the keyboard.
Re:single logon means.. (Score:3, Interesting)
Solution: classes of passwords.
Re:single logon means.. (Score:2)
MSIE-only banks (Score:2)
Sure, here is one example: Banque Générale du Luxembourg [www.bgl.lu]. Click on the Web Banking link, choose a language, and weep :-(
If you read French (or German), click FR or DE, and look at their slogan (top left of page), and snicker ;-) (The English version is less funny).
Actually, most banks in Luxembourg are MSIE only (or do need some trickery and/or alternative login pages to get access).
Re:single logon means.. (Score:2)
That's why I use Password Safe [sourceforge.net].
Re:single logon means.. (Score:2)
Macs under OSX have a thing called keychain which is an encrypted repository for passwords. Normally it uses the account log-in password to unlock, but it can be secured with a separate password. For many sites, the user gets prompted whether he/she wants to save the password they just created on some site to the keychain. After that, if the keychain is unlocked, the password is supplied automatically if the site is visited again.
Re:single logon means.. (Score:2, Funny)
Well, there is this nice software named "Gator eWallet" from the folks at Gator who helps you keep your passwords... Try it out! http://www.gator.com/home2.html
Re:single logon means.. (Score:2)
A Secure Keychain
To make it easy to manage the daunting number of passwords and permissions intrinsic to network computing, Mac OS X includes a Keychain. The Keychain stores all your information to log onto file servers, ftp servers and Web servers and to use encrypted disk images. Mac OS X automatically adds your .Mac account information to your Keychain. When you log in to Mac OS X, the system opens your Keychain. You don't h
Re:single logon means.. (Score:2)
I really hope you're not a network admin, because if you are, then your users are screwed.
Re:single logon means.. (Score:2)
If I found a colo company writing a password down, I'd never touch them with a 100 foot cat5 lead.
Re:single logon means.. (Score:2)
Re:single logon means.. (Score:3, Insightful)
Re:single logon means.. (Score:3, Insightful)
The risks from the latter are known, can be evaluated and can be stopped. They pretty much boil down to stopping anyone else seeing the paper before you destroy it and trusting your staff. The risks from the former are unknown, how many holes are there in your network & software.
I'm not sure what you mean by "protected database". They can't use one-way encr
Re:single logon means.. (Score:2)
If you combine this with some sensible physical medium, like a biometric identifier or a hardware token (smart card, etc.) you're not going to be worried about loss of confidentiality as much as if you have a single stupid service that just lets you authenticate to everything in on
Re:single logon means.. (Score:3, Interesting)
Re:single logon means.. (Score:5, Insightful)
Why not?
Seriously, why not. It would be easy enough to add the ability to specify an extra password for certain accounts. If that's not in the various solutions that are currently available, that's a weakness in the *solutions*, not the concept. I couldn't find any information explaining if SAML or Ping's implementation included this capability or not. If they do not, then it should be added.
Frankly, for most sites with passwords, I don't really need a password at all. For example, with
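As an added illustration of the "extra password for certain accounts" idea in the comment above (example code written for this page, not Ping Identity's or any SAML implementation): a relying party that verifies a signed assertion from an identity provider, checks the audience and expiry, and then requires a site-local password before granting full access to accounts the operator has marked sensitive. The HMAC token format, the shared key, the audience URL and the account lists are all constructed stand-ins for a real SAML assertion and deployment.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo values: a real deployment would use XML signatures and
# X.509 keys rather than a shared HMAC key, and real URLs for the audience.
IDP_KEY = b"demo-shared-key-not-for-production"
OUR_AUDIENCE = "https://shop.example"   # hypothetical relying party
# Accounts the site operator marks as sensitive: the SSO assertion alone is
# not enough, the user must also present a password only this site knows.
STEP_UP_ACCOUNTS = {"alice"}
PW_SALT = b"constructed-per-user-salt"
LOCAL_SECOND_FACTOR = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"extra-pw", PW_SALT, 100_000),
}

def idp_issue(key, subject, audience, ttl=300, now=None):
    """Identity-provider side: sign {sub, aud, exp} (constructed format)."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": subject, "aud": audience, "exp": now + ttl},
                      sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return base64.b64encode(body).decode() + "." + sig

def rp_verify(token, key, extra_password=None, now=None):
    """Relying-party side: return {'user', 'level'} or raise ValueError."""
    now = time.time() if now is None else now
    try:
        b64, sig = token.split(".", 1)
        body = base64.b64decode(b64)
    except (ValueError, binascii.Error) as exc:
        raise ValueError("malformed assertion") from exc
    # The signature is the entire basis for trusting the IdP's claim, so it is
    # checked first and in constant time.
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    claims = json.loads(body)
    if claims.get("aud") != OUR_AUDIENCE:
        raise ValueError("assertion issued for another site")
    if claims.get("exp", 0) < now:
        raise ValueError("assertion expired")
    user = claims["sub"]
    if user not in STEP_UP_ACCOUNTS:
        return {"user": user, "level": "sso"}
    # Step-up: sensitive accounts need the site-specific second password.
    if extra_password is None:
        return {"user": user, "level": "step-up-required"}
    given = hashlib.pbkdf2_hmac("sha256", extra_password.encode(), PW_SALT, 100_000)
    if not hmac.compare_digest(given, LOCAL_SECOND_FACTOR[user]):
        raise ValueError("step-up password rejected")
    return {"user": user, "level": "full"}
```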
Re:single logon means.. (Score:2)
That's generally not how these things work. I have had single sign on capability with networks previously. While they let me log in to my desktop from multiple computers, they didn't include admin access to that box, just access to personal information.
Any model that does allow this (e.g. this often occurs in Microsoft Active Directory networks) would be fundamentally broken. However, that is a problem w
Re:single logon means.. (Score:2)
Re:single logon means.. (Score:3)
I think most people would read it as I did, considering that you quoted "How is this less security" in your post rather than "most users will have the same user/pass combination for most if not all their logins." Something like 'I think SSO is actually more secure, because...' might have clarified your post (or I may still be missing your point). Further, the same objection applies.
If someone uses the same password for admin on their box as they do on throwaway sites (NY Time
Re:single logon means.. (Score:2)
Granted.
What's wrong with... (Score:5, Interesting)
Seriously, I'm not asking in jest. Is there a problem with the technology as it stands?
Re:What's wrong with... (Score:4, Insightful)
Yes. It'd be a pain in the arse for web developers.
All these single sign-in systems are made (or broken) by the web developers who implement them in the sites they build. If there's an easy way to integrate the technology into your code quickly and cheaply then people will put it in. If it takes a week of reading docs and another week of coding then it's never going to get used by the people who'll be rolling it out onto the net.
Re:What's wrong with... (Score:5, Insightful)
Security of private keys. This is not really different from security of any other 'passphrase' except it is local.
Computation. Especially for bulletin boards - /. has a huge number of comments every day. To PGP-process each one would require much more expense on their side with no obvious benefits.
Trusted key repositories. If something like this was to become huge then you would need central databases of everyone's public keys (far more scalable than current incarnations). This is tied in with:
Identity management. There is nothing stopping you from having multiple public/private key combinations. (OK, there is nothing stopping you from having multiple /. accounts). But there are uses where you need uniqueness online. Yes, this is also a problem for any single sign-on scheme. Verification has privacy implications unless handled very carefully.
Single point of failure. Regardless of how well tested the PGP encryption algorithms are, cryptanalysis will continue. Security should almost always have breadth to increase resilience. To be honest I would probably consider this to be an acceptable risk for non-critical uses.
Training. In order to be useful a lot of people have to use PGP. The concept of a username/passphrase is far easier to digest than PGP-signing.
There are probably many other obvious concerns. Note: it could easily become widespread, but I'm just saying that there are issues which need to be addressed.
Re:What's wrong with... (Score:2)
rus
:What's wrong with... (Score:2, Interesting)
I cannot ever see the need for uniqueness online, and in saying that I require is you are saying that I may have intent to commit a crime, which isn't worth the risk of your ability to control what I can do.
Training:
Well, you don't need training really, it's all in the software, all my passwords are already encrypted with kwallet, and I expect that if I use kmail it will automatically sign my emails.
All I need is for a signature tag to be added to the xforms or xhtml specification and my
Re::What's wrong with... (Score:2)
Yes, there are civil liberties concerns, and they are very valid. The fact remains that uniqueness is necessary if certain functions are to be carried out online. Therefore PGP signing is not sufficient.
Private "keys" as real keys (Score:3, Insightful)
The masses will never go for private keys that live on hard drives, and a good thing too because they would get compromised all the time! But ordinary people could understand the idea that they need to put a key in the
Re:Private "keys" as real keys (Score:2)
Yeah, this idea could work pretty well. You could even put a biometric authentication thing on there (thumbprint or whatever) if you wanted to.
I remember a story from a few years back about how IBM had made chips like
Re:What's wrong with... (Score:2, Insightful)
Security of private keys. This is not really different from security of any other 'passphrase' except it is local.
The distinction is extremely important, because having a local mechanism means that the key owner is autonomously in control of its security, rather than being architecturally obliged to defer security to some third party. If you want to lock the key inside some other security mechanism, such as a biometric token for example, that decision i
Ping Identity Made Simple (Score:2, Informative)
Re:Ping Identity Made Simple (Score:2)
Check out the i-Name [idcommons.net] initiative at Identity Commons [idcommons.net]. It's standards-backed by XDI [xdi.org].
About time too (Score:5, Insightful)
Why? (Score:3, Informative)
Re:Why? (Score:2)
Re:Why? (Score:3, Insightful)
But i agree with you for things where security is not that important (I use the same password for my slashdot acco
Re:Why? (Score:2)
Re:Why? (Score:2)
I use it to generate easy-to-remember but hard-to-guess passwords. Just run through it a couple times until you find one that suits you.
Re:About time too (Score:5, Funny)
Don't worry, I keep track of all your passwords for you
Re:About time too (Score:3, Interesting)
Re:About time too (Score:2, Interesting)
Password managers (Score:2)
One for Windows (I'm sure there are more)
One for Palm (I'm sure there are more)
One for Linux/Gnome
One for Linux/KDE
Plus I use a thing called pwsafe, which I believe may be a back-level KeePass, which runs on command line under Linux.
NONE of these buggers are multi-platform. I've seen a package called Strip for Palm, and there's a read-only perl library to read the database under Linux. But it's not full-function dual, let alone multi-platform.
I want som
Re:Password managers (Score:2)
GnuPG runs on many platforms [gnupg.org].
Re:About time too (Score:3, Insightful)
Re:About time too (Score:2)
Re:About time too (Score:2)
Re:About time too (Score:2)
Re:About time too (Score:2)
The problem I have is websites with stupid restrictions - e.g. 'your password must be between 6-8 characters' (none of my passwords are), or 'your password must contain at least one capital letter and one number' (my 'secure-by-virtue-of-being-almost-never-used' password does not), and so on.
Forcing people to change passwords every e.g. 60 days is also a terrible idea, because peopl
Re:About time too (Score:2)
Or they'll write their password on a post-it note and stick it on their monitor.
Re:About time too (Score:2)
I am sure there are several implementations of the same idea, also for Palm OS and possibly for Windows PDAs too.
Re:About time too (Score:2)
Password Safe [sourceforge.net] is your friend.
.NET Passport helps you sell out your children (Score:5, Interesting)
As opposed to "...will ensure children's personal information is kept confidential...".
Whore-free article text (Score:2, Informative)
Funding quest a gamble in new Internet economy
By Ross Wehner
Denver Post Staff Writer
Sunday, November 28, 2004 -
Andre Durand adjusts his black cowboy hat and eyes a roomful of tech-industry players milling around blackjack tables at Broomfield's Omni Interlocken Resort.
It's casino night at Digital ID World, a high-level Internet conference that costs $1,795 per person. Durand, 36, is a founder of the conference and has a lot riding on it this year.
He, like many other Internet ent
sourceid.org (Score:5, Informative)
Sourceid.org [sourceid.org]
Re:sourceid.org (Score:2)
Google paste: http://www.google.nl/search?hl=nl&q=open-source+i
First hit. No, wasn't wondering at all. But thanks for the link anyway.
Funniest part of the article (Score:5, Funny)
Greatest unintentional humour of the year!
Re:Funniest part of the article (Score:2)
I think you are referring to the original NGage which is a complete joke. They are both differently designed machines.
Re:Funniest part of the article (Score:2)
Who has heard of this? Why is it that they bought the farm with ridiculous marketing for the first NGage, and then they forget to tell anyone about the second? Amazing.
M$ is evil (Score:1)
Me thinks this Ross Wehner's
Here's how it actually works (Score:5, Informative)
A crackers dream (Score:4, Interesting)
Seriously - all the sites that I would trust a single-sign-on thingy already have that. I use the same password at all those less important places. (I'll probably get bashed to hell for this, but I'm sure most of you do the same)
Question: (Score:2)
The article just lost any credibility it had (Score:3, Funny)
I take it the author has never spoken to any geek besides his 12 year old nephew who 'knows computers'
SSO in UK (Score:3, Informative)
Re:SSO in UK (Score:2, Interesting)
NOBODY expects the Spanish Inquisition! (Score:2, Funny)
Athens and MS Passport...MS Passport and Athens....
Our two SSOs are MS Passport and Athens...and Paypal....
Our *three* SSOs are MS Passport, Athens, and Paypal...
and an almost fanatical devotion to Bill Gates....
Our *four*
Bad Name (Score:2, Insightful)
Re:Bad Name (Score:2)
Would you really trust a company called "PayPal" to safe-guard your money? OK, you might not, but I think a lot of the general public would.
"Ping" is no better or worse than the myriad of other contrived names for Internet services.
Re:Bad Name (Score:2)
Shrug... (Score:3, Funny)
Frankly I -want- to think before I click "purchase". I think the real benefactors of this technology aren't the consumers but stores that can rush you in and out the door as fast as possible.
Re:Shrug... (Score:2)
Ho hum.... (Score:4, Insightful)
Single operating system monoculture.
Single biometric identity card/device.
etc. etc. et-bloody-c.
All are worthless. Why? Because a single breach and the entire wall falls down.
And there never has been, nor will there ever be, an uncrackable code/security system. Human(s) devised it. Other human(s) will crack it. Simple as that.
I also suspect the amount of criminal reward at stake determines the amount of effort the "bad guys" will expend in cracking something and a single sign on for your bank, auction sites, pay pal, email etc. would prove very tempting indeed.
Personally I'll stick with my current myriad user name, password combinations thanks.
Re:Ho hum.... (Score:3, Interesting)
While I agree with you, some of the principles of the Liberty Alliance are that it is a distributed system. I don't know much about it, honestly, but the list of companies on board are competitors and rivals who certainly wouldn't want to share databases, if they could help it. They wouldn't want Microsoft to hold their data, that's for sure.
Another free Liberty implementation (Score:3, Interesting)
The great thing in Lasso is the language bindings; PHP, Python, Java, C# (anything
E-commerce Single Sign-On: Paypal (Score:3, Insightful)
You can shop in thousands of stores at eBay [ebay.com].
Even if you are a Slashdot Geek you can use your PayPal account at Source Forge [sourceforge.net].
Google search Paypal Donate [google.com] returns a lot of blogs, open source projects and other webs that believe that Paypal is the Single Sign-On E-commerce solution.
85 % [yahoo.com] growth and 437.60M revenue says something about it.
Re:E-commerce Single Sign-On: Paypal (Score:2)
Re:E-commerce Single Sign-On: Paypal (Score:2)
A real, trustable single login is used by Yahoo. Yahoo has thousands of stores, their own services, and a very impressive, responsive infrastructure that isn't full of thieves (or run by thieves posing as a bank).
I've done SSO (Score:2)
Generally, between financial applications.
Omelet Du Fromage (Score:3, Funny)
"Access Denied."
Omelet Du Fromage!
"Access Denied."
Omelet Du Fromage!!!
"Access Denied: Self destruct mechanism activated...5"
GRRRRRRR!!!! OMELET DU FROMAGE!!
"...4"
OMELET DU FROMAGE!!
"...3"
OMELET DU FROMAGE!! OMELETE DU FROMANGE !!
"...2"
OMELET DU FROMAGE!! OMELETE DU FROMANGE !! OMELETE DU FROMANGE !!
"...1"
KABOOOOOM!!!
Availability of the source isn't the issue (Score:3, Insightful)
Even ignoring that, they at least have access to statistical and marketing data on who visits what sites when, potentially even how much they spend; that could be quite valuable to the right people.
Porn tried this... (Score:4, Funny)
How is this any different? Why can any of these parties succeed where pornographers have failed? IS MICROSOFT BETTER THAN SMUT PEDDLERS?
Shibboleth (Score:2)
Re:kerberos already supports cross domain auth. (Score:2)
Shib's Identity Provider runs under Tomcat (and probably other J2EE containers), and Service
Identity Commons (Score:4, Interesting)
Re:Identity Commons (Score:2)
Why do we need a single sign on anyway? (Score:4, Interesting)
SSN
Bank account number (more than one)
Credit card number (more than one)
Employee ID
Student ID
Drivers license number
Supermarket loyalty discount card number
Blockbuster/Movie Gallery number
Library Card number
Auto/Home/Medical insurance ID
Voter Registration ID
I think I'm better off having those as separate numbers, and just keeping the cards around so I don't have to remember them. Why should online be any different? Can you imagine a world where all those numbers are the same, and are maybe our telephone number for instance (making everything easy to remember). Scary.
Mozilla (Score:2)
OSS vs trust (Score:2)
The idea of a federated single-sign-on system suffers the problem of trust. I'm supposed to set up my system to trust your sign-on system that vouches for your identity and provides me with user information. Well, how do I know how to trust you? What kind of security, identity checks, and validation routines did you implement? Do you have a system for revoking id's? Do you have a system for checking for bogus id's? Etc, etc, etc.
There are two prob
Authentication is the issue (Score:2)
You have to either trust the other party's authentication process or you have to do it yourself. In a distributed system you have to trust the other party. This means that the technology used to send the authentication information is really a minor issue in the process.
I remember back when we looked at VeriSign to be a certificate authority for our company and they talked about all of their physical security, the sign
keychain? (Score:2)
With tools like that, why is there even a market for this thing?
Re:keychain? (Score:2)
Using single sign-on, you could go anywhere, sign into the main site with one password, and all of the other sites would know it was you. It's more of a global keyring, for better or worse.
Of course, the OSX keychain may have capabilities I'm not aware of... can you put it on a USB key to take around to ot
SXIP - A better open source solution (Score:2, Informative)
OBG MONTY PYTHON (Score:2)
"oh you'll be stone dead in a moment"
"I'm getting better..."
Simple unique password generation (Score:2, Interesting)
Not "single" sign-on, transitive sign-on (Score:2)
T
Single Sign On has been around for years (Score:2)
We also use "Mother's Maiden Name" as a security mechanism for super-high security things like ban
Re:Generating Passwords Using MD5 (Score:2, Funny)
It was fairly uncrackable password generation method, until you told *everybody!*
Re:Sorry, some of you /.'s have not got a clue (Score:2, Funny)
My root password is the name of my pet.
Of course my macaws name is Q!7h}i2/@1u4 and changes every 30 days.
Re:Korean joke (Score:2)