Finally, a workable approach to web Single Sign On


In the last 20 years, practically all the large software vendors came out with Single Sign On (previously “PKI”) products that were supposed to give you a single login for all the resources on the network. As good as this idea sounds, in practice it almost never works. Why Single Sign On constantly fails in corporate environments is a mystery wrapped in an enigma, but fail it does.

On the web, it seems even more logical that a single login will give you access to all the resources, and yet the situation is even worse. Microsoft, Google, Yahoo, AOL, and now Facebook have all tried their own Single Sign On initiatives, which ended up with users signing up to 4-5 different ‘single sign on’ services and typically just opting for the only single sign on method that works: using the same username and password everywhere.

Before you ask, OpenID is not a single sign on solution – it’s an identification service. So with that out of the way, are we doomed never to have a workable option for web single sign on?

Well, it seems the solution was always there: in fact, most of us have been using it for a while. Your browser.

Done well, the browser can keep your username/password combinations in a secure place, protected by a single master password and encrypted on your hard drive. The only risk is a Trojan using your browser to log into web sites without your knowledge – but that is a risk you already face today with keylogging rootkits, so you are no worse off letting your browser save the password for you.
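To make the “protected by a single password and encrypted on your hard drive” idea concrete, here is a minimal credential vault written for this post as an added example; it is not Firefox’s or Mozilla’s code and does not reflect how any browser actually stores passwords. It stretches the master password with PBKDF2 into separate encryption and MAC keys, encrypts the serialized credential map, and authenticates the result so that a wrong master password or a tampered file is rejected instead of yielding garbage. Because the Python standard library has no AEAD cipher, the keystream is HMAC-SHA256 run in counter mode as a stand-in for AES-CTR or ChaCha20; in a real vault you would use a vetted AEAD. The site names and credentials in `demo()` are constructed sample values.

```python
"""Minimal master-password-protected credential vault (stdlib only).

Layout of the sealed blob: salt || nonce || ciphertext || tag
"""
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple

KDF_ITERATIONS = 100_000  # PBKDF2 work factor; slows offline guessing of the master password
SALT_LEN = 16
NONCE_LEN = 16
MAC_LEN = 32


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into a 32-byte encryption key and a 32-byte MAC key."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream.

    This stands in for AES-CTR because the stdlib has no block cipher; the
    nonce must never repeat under the same key, which os.urandom() gives us.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(master_password: str, entries: dict) -> bytes:
    """Encrypt-then-MAC the credential map; returns the bytes you would write to disk."""
    salt = os.urandom(SALT_LEN)      # fresh salt per file: same password -> different keys
    nonce = os.urandom(NONCE_LEN)    # fresh nonce per encryption
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    body = salt + nonce + ciphertext
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()  # covers salt and nonce too
    return body + tag


def open_vault(master_password: str, blob: bytes) -> Optional[dict]:
    """Verify the tag before decrypting; None means wrong password or a tampered file."""
    if len(blob) < SALT_LEN + NONCE_LEN + MAC_LEN:
        return None
    body, tag = blob[:-MAC_LEN], blob[-MAC_LEN:]
    salt = body[:SALT_LEN]
    nonce = body[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = body[SALT_LEN + NONCE_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def demo() -> dict:
    """Seal a constructed credential map and exercise the three outcomes a vault must get right."""
    # Constructed sample entries; not real accounts.
    entries = {
        "https://mail.example.test": {"user": "alice", "password": "correct horse battery staple"},
        "https://shop.example.test": {"user": "alice@example.test", "password": "Tr0ub4dor&3"},
    }
    blob = seal("my master passphrase", entries)
    # Flip one bit of the stored tag to simulate on-disk corruption or tampering.
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])
    return {
        "roundtrip": open_vault("my master passphrase", blob),
        "wrong_password": open_vault("wrong passphrase", blob),
        "tampered": open_vault("my master passphrase", tampered),
        "plaintext_visible_on_disk": b"alice" in blob or b"Tr0ub4dor" in blob,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points this makes that the paragraph alone does not: the file on disk reveals nothing without the master password, so its strength (and the KDF work factor) is the whole security margin; and encryption at rest does nothing against the post’s stated residual risk, malware driving the browser after the vault has been unlocked, which is why that risk is the one that remains.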

Only two challenges stood between the browsers and a true SSO experience. The first was web sites like PayPal that refused to let the browser save username/password information (though you could bypass that restriction with bookmarklets such as “Password Saver” on Firefox). The second was simply the inconvenience of having to log in yourself instead of having the browser log in for you, as you’d expect in a “real” SSO.

It seems that Firefox has picked up the gauntlet. In a recent blog post (http://hacks.mozilla.org/2010/04/account-manager-coming-to-firefox/) Firefox announced an add-on that will handle account management; likely not much different from what is done today, perhaps a bit more extended and automated. Facebook, Google and some others won’t be happy about this move, but who cares. The best thing about this method of SSO is that you don’t need the site’s cooperation for it to work. In fact, as long as they don’t actively resist (e.g. by adding CAPTCHAs), Firefox can become the de facto standard for account management in the not-too-distant future.

  • http://www.BuschnicK.net BuschnicK

    The problem with this is that you are screwed when using a different browser or different machine. That happens to me on a regular basis: not remembering my own über secure passwords because my browser usually takes care of it.

  • http://www.ericgoldman.name Eric Goldman

    I think there is a distinction between SSO and password management. Using Firefox is a watered-down version of a password vault like KeePass. There are also corporate-level products that will manage all your passwords for software and systems, update them regularly for you, manage the related policies, etc.

    With SSO you can have a complex policy, require regular changes, and only have to do it in one place. So even if your browser remembers your password, you would still need to go to multiple sites to update your password regularly or in accordance with the site policy. In a true SSO scenario, you could have one service update all necessary authenticators or have one source of authority (e.g., Kerberos).

    Using Facebook Connect enabled websites allows you to only manage one identity, and is in some ways SSO. The complexity of password management obviously drops as you have less to remember. So even if you just had Google, OpenID, and Facebook – you can log onto a large section of the Internet with only three passwords. You only need to be concerned with the password storage of these services, and can opt for a more complex password.

    While I understand the point above, multiple identities are as big a risk because you are more likely to forget you signed up on that one-off site, and who knows what will happen to the account over time – if it expires, and if someone claims it later and gets your stored password!