
E-commerce Single Sign-On Not Dead Yet 200

FullyIonized writes "A few years ago Microsoft's Passport technology made headlines as Microsoft predicted e-commerce nirvana and conspiracists predicted a new Big Brother. Not to be outdone, Sun spearheaded the Liberty Alliance. Years later, I still don't have a single sign-on, not that that's a bad thing. Enter Andre Durand who started his first business with BBS software, then headed up Jabber, and now has started Ping Identity. The big distinction: the federated identity software is open-source. The Denver Post has the story."
This discussion has been archived. No new comments can be posted.

  • by gl4ss ( 559668 ) on Tuesday November 30, 2004 @04:54AM (#10951061) Homepage Journal
    ..single login to phish.

    'nuff said (that's enough, not snuff).
    • The problem with all of this is that all the clients are human and quite simply we make mistakes. I can't think of a way to keep everything secure without humans screwing up somewhere causing it to all unravel

    • by IO ERROR ( 128968 ) <error@ioerrorCOW.us minus herbivore> on Tuesday November 30, 2004 @06:37AM (#10951315) Homepage Journal
      single login to phish.

      And how many people use the same username and password everywhere already? There are so many websites out there, each wanting you to sign up, that it's impossible for any human to memorize hundreds of usernames and passwords. They all wind up being the same, or very close to the same. Or worse, they get written down on a piece of paper under the keyboard.

      • And how many people use the same username and password everywhere already? There are so many websites out there, each wanting you to sign up,

        Solution: classes of passwords.

        • The stuff that you really care about (your bank account, your login at your computer at home, ...) all gets different passwords
        • The stuff that you care a little bit less about (bug reporting sites for various software, Slashdot, wikipedia, etc.) share a password. Note: when vandalizing wikipedia, you should use different passwords for
        • I only bother with two classes. Slashdot, K5, and my various work accounts are variations of a "standard" password. My financial accounts use entirely different and more secure passwords.
      • "...it's impossible for any human to memorize hundreds of usernames and passwords"

        That's why I use Password Safe [sourceforge.net].

        • ...That's why I use Password Safe [sourceforge.net]....

          Macs under OSX have a thing called keychain which is an encrypted repository for passwords. Normally it uses the account log-in password to unlock, but it can be secured with a separate password. For many sites, the user gets prompted whether he/she wants to save the password they just created on some site to the keychain. After that, if the keychain is unlocked, the password is supplied automatically if the site is visited again.
      • "it's impossible for any human to memorize hundreds of usernames and passwords"

        Well, there is this nice software named "Gator eWallet" from the folks at Gator who helps you keep your passwords... Try it out! http://www.gator.com/home2.html
      • it's impossible for any human to memorize hundreds of usernames and passwords

        A Secure Keychain
        To make it easy to manage the daunting number of passwords and permissions intrinsic to network computing, Mac OS X includes a Keychain. The Keychain stores all your information to log onto file servers, ftp servers and Web servers and to use encrypted disk images. Mac OS X automatically adds your .Mac account information to your Keychain. When you log in to Mac OS X, the system opens your Keychain. You don't h

    • There's a difference between single sign-on (a fundamentally flawed concept) and having a single set of credentials. In the latter case, the user may be required to enter, say, a PIN code multiple times for multiple applications.

      If you combine this with some sensible physical medium, like a biometric identifier or a hardware token (smart card, etc.) you're not going to be worried about loss of confidentiality as much as if you have a single stupid service that just lets you authenticate to everything in on
  • What's wrong with... (Score:5, Interesting)

    by lawpoop ( 604919 ) on Tuesday November 30, 2004 @04:54AM (#10951065) Homepage Journal
    PGP for online transactions? Heck, even stupid stuff like bulletin boards and slashdot. I'm sick of having to make up new user ids and secure passwords for every freakin' site on the web. Why not just let everyone post PGP signed messages?

    Seriously, I'm not asking in jest. Is there a problem with the technology as it stands?

    • by onion2k ( 203094 ) on Tuesday November 30, 2004 @05:17AM (#10951137) Homepage
      Seriously, I'm not asking in jest. Is there a problem with the technology as it stands?

      Yes. It'd be a pain in the arse for web developers.

      All these single sign-in systems are made (or broken) by the web developers who implement them in the sites they build. If there's an easy way to integrate the technology into your code quickly and cheaply then people will put it in. If it takes a week of reading docs and another week of coding then it's never going to get used by the people who'll be rolling it out onto the net.
    • by otisaardvark ( 587437 ) on Tuesday November 30, 2004 @05:26AM (#10951157)
      These are just observations, and some of them are very overcomeable and possibly stupid.

      Security of private keys. This is not really different from security of any other 'passphrase' except it is local.

      Computation. Especially for bulletin boards - /. has a huge number of comments every day. To PGP-process each one would require much more expense on their side with no obvious benefits.

      Trusted key repositories. If something like this was to become huge then you would need central databases of everyone's public keys (far more scalable than current incarnations). This is tied in with:

      Identity management. There is nothing stopping you from having multiple public/private key combinations. (OK, there is nothing stopping you from having multiple /. accounts). But there are uses where you need uniqueness online. Yes, this is also a problem for any single sign-on scheme. Verification has privacy implications unless handled very carefully.

      Single point of failure. Regardless of how well tested the PGP encryption algorithms are, cryptanalysis will continue. Security should almost always have breadth to increase resilience. To be honest I would probably consider this to be an acceptable risk for non-critical uses.

      Training. In order to be useful a lot of people have to use PGP. The concept of a username/passphrase is far easier to digest than PGP-signing.

      There are probably many other obvious concerns. Note: it could easily become widespread, but I'm just saying that there are issues which need to be addressed.

      • Also remember most people are idiots and won't want to bother with all that. Most people just want things to work.

      • Identity management:
        I cannot ever see the need for uniqueness online, and in saying that I require is you are saying that I may have intent to commit a crime, which isn't worth the risk of your ability to control what I can do.

        Well, you don't need training really, it's all in the software, all my passwords are already encrypted with kwallet, and I expect that if I use kmail it will automatically sign my emails.

        All I need is for a signature tag to be added to the xforms or xhtml specification and my
        • Virtually anything 'government'ish will require uniqueness. Getting electronic prescriptions dispensed, online voting, motor vehicle ownership changes, etc.

          Yes, there are civil liberties concerns, and they are very valid. The fact remains that uniqueness is necessary if certain functions are to be carried out online. Therefore PGP signing is not sufficient.

      • IMO, the solution is to make private keys a real physical thing: similar in form factor to a USB key drive. It would store the private key, and have a small CPU that could encrypt/decrypt small messages using that private key. It would not be capable of transmitting the private key itself.

        The masses will never go for private keys that live on hard drives, and a good thing too because they would get compromised all the time! But ordinary people could understand the idea that they need to put a key in the
        • IMO, the solution is to make private keys a real physical thing: similar in form factor to a USB key drive. It would store the private key, and have a small CPU that could encrypt/decrypt small messages using that private key. It would not be capable of transmitting the private key itself.

          Yeah, this idea could work pretty well. You could even put a biometric authentication thing on there (thumbprint or whatever) if you wanted to.

          I remember a story from a few years back about how IBM had made chips like
      • by Anonymous Coward
        I think that I can answer some of your concerns:

        Security of private keys. This is not really different from security of any other 'passphrase' except it is local.

        The distinction is extremely important, because having a local mechanism means that the key owner is autonomously in control of its security, rather than being architecturally obliged to defer security to some third party. If you want to lock the key inside some other security mechanism, such as a biometric token for example, that decision i

  • Ping Identity made simple. [mnginteractive.com]

    Moderate this comment
    Negative: Offtopic [mithuro.com] Flamebait [mithuro.com] Troll [mithuro.com] Redundant [mithuro.com]
    Positive: Insightful [mithuro.com] Interesting [mithuro.com] Informative [mithuro.com] Funny [mithuro.com]

  • About time too (Score:5, Insightful)

    by samael ( 12612 ) <Andrew@Ducker.org.uk> on Tuesday November 30, 2004 @04:57AM (#10951073) Homepage
    There's no way I can keep track of the 200-odd different passwords I have - so they all end up being simple variants of the same one. Federated single sign on would be a boon - if it was handled correctly.
    • Why? (Score:3, Informative)

      by JNighthawk ( 769575 )
      Why do you have so many different passwords? Just come up with a few sufficiently complex ones. I've got 4 different passwords that I use, each having their own "security level". Slashdot is a level 1, since I don't care about someone stealing my account here, whereas my account for World of Warcraft is a level 4 :-P
      • Root in your computer? Level 3? Just kidding... :-D
      • Re:Why? (Score:3, Insightful)

        Well it's a basic rule of security: never use the same password for two different things. If your wow password is compromised for whatever reason, maybe a determined person could log onto your machine with it? or make bank transactions? Sure that would require knowing your identity, or ip, but just posting to a web board or chatting on irc with your wow nick could reveal your ip for instance.

        But I agree with you for things where security is not that important (I use the same password for my slashdot acco
      • You may be interested in my Pronounceable Password Generator. [movetoiceland.com]

        I use it to generate easy-to-remember but hard-to-guess passwords. Just run through it a couple times until you find one that suits you.

    • by oexeo ( 816786 ) on Tuesday November 30, 2004 @05:08AM (#10951109)
      > There's no way I can keep track of the 200-odd different passwords I have

      Don't worry, I keep track of all your passwords for you
    • Re:About time too (Score:3, Interesting)

      by Errtu76 ( 776778 )
      May I suggest you take a look at KeePass [sourceforge.net]. Store all your passwords in a single database that you can access with either one master-password, or combined with a key-disk that you have to insert first.
      • Re:About time too (Score:2, Interesting)

        by xstonedogx ( 814876 )
        There's also YaPS [msbsoftware.ch] for Palm OS.
    • Re:About time too (Score:3, Insightful)

      by gilesjuk ( 604902 )
      Some OSes/browsers come with a tool to keep hold on them. I'd sooner have that info on my computer than have a single login to all manner of sites.
    • There is software that can do it for you. I'd rather track my password locally than have corporations "sharing" my data.
    • I have a few basic passwords I use for most services - from 'basic' to 'advanced' - and I change them all around occasionally.

      The problem I have is websites with stupid restrictions - e.g. 'your password must be between 6-8 characters' (none of my passwords are), or 'your password must contain at least one capital letter and one number' (my 'secure-by-virtue-of-being-almost-never-used' password does not), and so on.

      Forcing people to change passwords every e.g. 60 days is also a terrible idea, because peopl
      • Forcing people to change passwords every e.g. 60 days is also a terrible idea, because people will soon run out of easy-to-remember-yet-secure passwords and will just start incrementing numbers, as some of my coworkers do, which makes things trivial.

        Or they'll write their password on a post-it note and stick it on their monitor.
    • I use a nice application in my Symbian smartphone (a Sony Ericsson P800, but there are versions for Nokia phones too). The app stores login identities and passwords in encrypted form both in the phone and in a desktop computer, and it is possible to synchronize both databases. It is really handy, believe me. The only important password becomes the one to access the application.

      I am sure there are several implementations of the same idea, also for Palm OS and possibly for Windows PDAs too.
    • Password Safe [sourceforge.net] is your friend.

  • by Anonymous Coward on Tuesday November 30, 2004 @04:59AM (#10951081)
    "Kids Passport helps participating sites and services obtain parental consent to collect, use, or disclose a child's personal information. You or your child can register his or her .NET Passport account."

    As opposed to "...will ensure children's personal information is kept confidential...".

  • by Anonymous Coward
    High-stakes venture
    Funding quest a gamble in new Internet economy
    By Ross Wehner
    Denver Post Staff Writer

    Sunday, November 28, 2004 -

    Andre Durand adjusts his black cowboy hat and eyes a roomful of tech-industry players milling around blackjack tables at Broomfield's Omni Interlocken Resort.

    It's casino night at Digital ID World, a high-level Internet conference that costs $1,795 per person. Durand, 36, is a founder of the conference and has a lot riding on it this year.

    He, like many other Internet ent
  • sourceid.org (Score:5, Informative)

    by Ized ( 764731 ) on Tuesday November 30, 2004 @05:03AM (#10951090)
    In case somebody is wondering where the open-source implementation of Ping ID is hiding, it's here:
    Sourceid.org [sourceid.org]
    • Copy: open-source+implementation of Ping ID
      Google paste: http://www.google.nl/search?hl=nl&q=open-source+implementation+of+Ping+ID&btnG=Google+zoeken&lr=
      First hit. No, wasn't wondering at all. But thanks for the link anyway.
  • by LeninZhiv ( 464864 ) * on Tuesday November 30, 2004 @05:03AM (#10951092)
    Durand heads to the cocktail bar, reaches behind it and grabs a brand-new $200 Nokia N-Gage. Any self-respecting geek knows it's the coolest combination cellphone, e-mail device and video game around.

    Greatest unintentional humour of the year!
    • If it is brand new then it is most likely the NGage-QD and that is the coolest combination of cellphone, e-mail device and video game around.

      I think you are referring to the original NGage which is a complete joke. They are both differently designed machines.

  • Many Linux users view Microsoft as the evil empire.
    Me thinks this Ross Wehner's /. has taken some of our fellow slashdotters too seriously

  • by bjpirt ( 251795 ) on Tuesday November 30, 2004 @05:04AM (#10951096)
    Why is there no link to the actual ping identity website [pingidentity.com] in the submission?
  • A crackers dream (Score:4, Interesting)

    by Underholdning ( 758194 ) on Tuesday November 30, 2004 @05:05AM (#10951099) Homepage Journal
    Hack once, use everywhere.
    Seriously - all the sites that I would trust a single-sign-on thingy already have that. I use the same password at all those less important places. (I'll probably get bashed to hell for this, but I'm sure most of you do the same)
  • Who had attempted to kill it? Or who had declared it dead?
  • by Anonymous Coward on Tuesday November 30, 2004 @05:20AM (#10951143)
    Durand heads to the cocktail bar, reaches behind it and grabs a brand-new $200 Nokia N-Gage. Any self-respecting geek knows it's the coolest combination cellphone, e-mail device and video game around.

    I take it the author has never spoken to any geek besides his 12 year old nephew who 'knows computers'
  • SSO in UK (Score:3, Informative)

    by deletedaccount ( 835797 ) on Tuesday November 30, 2004 @05:24AM (#10951149)
    There is a successful SSO mechanism used by the education and health sectors in the UK. It has around 3 million users and over 250 target resources. It's called Athens and has been around for years. Eduserv Athens website [athensams.net]
    • Re:SSO in UK (Score:2, Interesting)

      by Anonymous Coward
      There is another interesting project too :-) : Lasso http://lasso.entrouvert.org/ [entrouvert.org]. It is a C implementation of the Liberty Alliance specifications with a lot of bindings (python, java, PHP, C#). I'm one of the developers of Entrouvert http://www.entrouvert.com/ [entrouvert.com], a French free software company. We are trying to offer a free SSO solution. We have also a framework to test it called Souk http://lasso.entrouvert.org/souk [entrouvert.org]. Enjoy with it !
    • by Anonymous Coward
      Our chief SSO is Athens...
      Athens and MS Passport...MS Passport and Athens....
      Our two SSOs are MS Passport and Athens...and Paypal....
      Our *three* SSOs are MS Passport, Athens, and Paypal...
      and an almost fanatical devotion to Bill Gates....
      Our *four* ...no... *Amongst* our SSOs.... Amongst our Single Sign-On solutions...are such elements as...
  • Bad Name (Score:2, Insightful)

    by oexeo ( 816786 )
    Seriously, when you're dealing with security you need to give your service a good title, would you really trust a company called "Ping" to safe-guard your security? OK, you might, but I think a lot of the general public would not.
    • [W]ould you really trust a company called "Ping" to safe-guard your security? OK, you might, but I think a lot of the general public would not.

      Would you really trust a company called "PayPal" to safe-guard your money? OK, you might not, but I think a lot of the general public would.

      "Ping" is no better or worse than the myriad of other contrived names for Internet services.

  • Shrug... (Score:3, Funny)

    by Nijika ( 525558 ) on Tuesday November 30, 2004 @05:40AM (#10951187) Homepage Journal
    Are we that shopaholic in this society that we can't type in a username and password to an online store before we buy buy buy?

    Frankly I -want- to think before I click "purchase". I think the real benefactors of this technology aren't the consumers but stores that can rush you in and out the door as fast as possible.

  • Ho hum.... (Score:4, Insightful)

    by TractorBarry ( 788340 ) on Tuesday November 30, 2004 @05:50AM (#10951209) Homepage
    Single sign on schemes.

    Single operating system monoculture.

    Single biometric identity card/device.

    etc. etc. et-bloody-c.

    All are worthless. Why ? because a single breach and the entire wall falls down.

    And there never has been, nor will there ever be, an uncrackable code/security system. Human(s) devised it. Other human(s) will crack it. Simple as that.

    I also suspect the amount of criminal reward at stake determines the amount of effort the "bad guys" will expend in cracking something and a single sign on for your bank, auction sites, pay pal, email etc. would prove very tempting indeed.

    Personally I'll stick with my current myriad user name, password combinations thanks.
    • Re:Ho hum.... (Score:3, Interesting)

      While I agree with you, some of the principles of the Liberty Alliance are that it is a distributed system. I don't know much about it, honestly, but the list of companies on board are competitors and rivals who certainly wouldn't want to share databases, if they could help it. They wouldn't want Microsoft to hold their data, that's for sure.

  • by Dr Schizzo ( 16907 ) on Tuesday November 30, 2004 @05:53AM (#10951217) Homepage
    Lasso [entrouvert.org] is another free (GPL) implementation of the liberty specs. It is still in heavy development but compatibility against SourceID (PingID solution) has been achieved.

    The great thing in Lasso is the language bindings; PHP, Python, Java, C# (anything .NET actually), integration in existing website is easy (well, it will be much easier when the documentation is completed).
  • by Uukrul ( 835197 ) on Tuesday November 30, 2004 @05:59AM (#10951228)
    E-commerce Single Sign-On exists and its name is PayPal [paypal.com].
    You can shop in thousands of stores at eBay [ebay.com].
    Even if you are a Slashdot Geek you can use your PayPal account at Source Forge [sourceforge.net].
    Google search Paypal Donate [google.com] returns a lot of blogs, open source projects and other webs that believe that Paypal is the Single Sign-On E-commerce solution.

    85 % [yahoo.com] growth and 437.60M revenue says something about it.
    • I don't know what to think about paypal. I once gave them control over one of my bank accounts but after reading all the bad things about them I took it away from them and now have nothing registered to them. Luckily paypal lets unregistered users use their service, however do expect spam whenever you use it from them.
    • Paypal and eBay are nothing but shit. Full of scammers and scammers. Quite honestly, anybody that trusts eBay is a moron. And yes, I am referring to its millions of users. And yes, I am suggesting that millions of people are wrong.

      A real, trustable single login is used by Yahoo. Yahoo has thousands of stores, their own services, and a very impressive, responsive infrastructure that isn't full of thieves (or run by thieves posing a bank).
  • I've done SSO, using both Liberty and not, many times over the past couple of years.

    Generally, between financial applications.
  • by Invalid Character ( 788952 ) on Tuesday November 30, 2004 @06:14AM (#10951262) Journal
    Omelet Du Fromage.
    "Access Denied."
    Omelet Du Fromage!
    "Access Denied."
    Omelet Du Fromage!!!
    "Access Denied: Self destruct mechanism activated...5"

    //Dunno if any of you ever remember/watched dexter's lab?

  • by Tim C ( 15259 ) on Tuesday November 30, 2004 @06:37AM (#10951316)
    Security of the database is. Availability of the source helps to make sure that that has no flaws, but that's useless if an insider rips off a portion of the db to sell to the highest bidder.

    Even ignoring that, they at least have access to statistical and marketing data on who visits what sites when, potentially even how much they spend; that could be quite valuable to the right people.
  • by AndyChrist ( 161262 ) <andy_christ@nOSpam.yahoo.com> on Tuesday November 30, 2004 @06:41AM (#10951325) Homepage
    And tried it, and tried it. Everyone and their cousin set up some "adult verification" affiliate network, to the point where there's so damned many of them, with such scant content you may as well not have any consolidation of logins.

    How is this any different? Why can any of these parties succeed where pornographers have failed? IS MICROSOFT BETTER THAN SMUT PEDDLERS?
  • Shibboleth [internet2.edu], from Internet2, provides much the same, and is being rapidly adopted by Higher Ed and vendors supporting Higher Ed. As SAML 2.0 is adopted, word is that Shib and Liberty Alliance may begin to converge.
  • Identity Commons (Score:4, Interesting)

    by The Pim ( 140414 ) on Tuesday November 30, 2004 @08:19AM (#10951633)
    Not to bang on these guys, but for an open, non-commercial, distributed identity system, with working code, see Identity Commons [idcommons.net].
    • SourceID is open source, but not free. Identity Commons software is FOSS (BSD/GPL) and even more distributed - literally anyone can become an identity broker. It's also based on open, OASIS standards XRI, XDI and SAML. Cool stuff. It's not complete yet, but you can get an i-name now [2idi.com].
  • In "the real world" I have several different ID numbers:
    Bank account number (more than one)
    Credit card number (more than one)
    Employee ID
    Student ID
    Drivers license number
    Supermarket loyalty discount card number
    Blockbuster/Movie Gallery number
    Library Card number
    Auto/Home/Medical insurance ID
    Voter Registration ID
    I think I'm better off having those as separate numbers, and just keeping the cards around so I don't have to remember them. Why should online be any different? Can you imagine a world where all those numbers are the same, and are maybe our telephone number for instance (making everything easy to remember). Scary.
  • Isn't that becoming somewhat obsolete, now that browsers (like Mozilla) have password managers? I just have one master password for the password manager, and Mozilla remembers all the login info I need. Personally I much prefer that de-centralized approach to having something like Passport. I admit though, that this is not as convenient when you use multiple browsers (e.g. one for work, one for home or one in an internet cafe on vacation).
  • Yeah, this may seem like flame-bait but bear with me.

    The idea of a federated single-sign-on system suffers the problem of trust. I'm supposed to set up my system to trust your sign-on system that vouches for your identity and provides me with user information. Well, how do I know how to trust you? What kind of security, identity checks, and validation routines did you implement? Do you have a system for revoking id's? Do you have a system for checking for bogus id's? Etc, etc, etc.

    There are two prob
  • I've got single sign-on for all my websites through my MacOS X Keychain. I imagine there's a similar facility bundled with or made available for Windows. It works great and I only have to trust myself to keep it secure for me.

    With tools like that, why is there even a market for this thing?

    • I think the market for this is that your OSX Keychain is only on one computer, so if you need to sign on using a friend's computer or a public terminal, you still have to remember all of your passwords.

      Using single sign-on, you could go anywhere, sign into the main site with one password, and all of the other sites would know it was you. It's more of a global keyring, for better or worse.

      Of course, the OSX keychain may have capabilities I'm not aware of... can you put it on a USB key to take around to ot
  • The Denver Post seemed to help Ping hype up its open source roots, but I was at the Digital ID World conference and the solution that impressed me as both a consumer and site developer was SXIP [sxip.com] (pronounced skip). This is a PKI-like solution where any web site you log on to can be a Home site and any web site you want to access without logging on to can be a Member site. Once I've logged on to the homesite of my choice, member sites can easily get any info about me that I've allowed from my home site with hom
  • "I'm not quite dead yet"
    "oh you'll be stone dead in a moment"
    "I'm getting better..."
  • I have a single memorized passphrase and generate a new password for each site by hashing it with the hostname. This bookmarklet [angel.net] asks for the passphrase, grabs the hostname from the current URL, MD5s them, and inserts the first 8 characters of the result into each password field on the current page. It's all done locally in Javascript so nothing secret is passed across the 'net which makes it secure except for shoulder-surfers and keyloggers - good enough for most stuff. And it has the great advantage that
  • The point of this is not actually to have a single sign-on everywhere, like Passport tried to do. The point of this is to have a transitive sign-on, where you can sign-on to a starting web site, and have that web site provide the information you gave it to other sites of your choice. If you're a slashdot user, you could post to groklaw as a slashdot user when you follow a link from slashdot, whether or not you have a groklaw account, and groklaw could verify that you are the slashdot user you claim to be.

  • In the States we've had single sign on for years. We call it our "Social Security Number". Yes, there is legislation that says nobody can ask for it, but it's used for student id's, tax returns, credit information, etc. It's not crackable because there is no password... unless you count the number of companies that ask you for the last four digits of your social security number before they will talk to you.

    We also use "Mother's Maiden Name" as a security mechanism for super-high security things like ban
