

Why single sign-on technologies still aren't a good idea

By debate
What's your take on single sign-on technologies? Do you agree with Jonathan Yarden that they present security risks? Are you a Microsoft Passport user? Share your comments about the risks vs. the rewards of single sign-on technologies, as discussed in the Feb. 21 Internet Security Focus newsletter.


depends
by Jaqui In reply to Why single sign-on techno ...

on the software controlling the single sign-on data.

With Microsoft's lousy security track record, and thousands of known exploits into Hotmail, I would never recommend using Microsoft Passport / Hotmail,

since Hotmail is the .NET Passport software in its full ignominy.


I've always felt safe with Novell's

by Oz_Media In reply to depends

That's one issue I have never worried about with a Novell environment.

So yes, I feel the technology itself is just fine. MS single sign-in MAY be a different issue; I would doubt its security just due to the nature of MS, but I do not know MS security well enough to say for sure.


for
by Jaqui In reply to I've always felt safe wit ...

local networks, definitely single sign-in is fine.

From what I saw in the article, it was about single sign-in over the Internet, such as Microsoft's .NET Passport.

I would be willing to try Novell's security, even over the Internet, or Sun's ypserver.


I read it the same way... (Inet logons)

by dafe2 In reply to for

Unfortunately, a passport is required for many MS services.

I don't like the idea of single logons (Internally) simply because it promotes laziness.


Double edged sword

by Jellimonsta In reply to I read it the same way... ...

SSO is kind of a double-edged sword. If you do deploy it, once a malicious user has the one password they have access to all of the allowed systems. If you do not deploy it and have multiple passwords, you run the risk of users writing their passwords down on sticky notes and fixing them to the keyboard/monitor. Wherein lies the biggest security threat? I guess it comes down to the environment and office culture. IMHO.


Drop all the way out

by jdgeek In reply to Why single sign-on techno ...

Have you heard of a company called ChoicePoint? People are collecting this information about you whether you use your credit card on eBay or at your local Sizzler.

If you want to truly protect your information rather than forwarding platitudes, you should move to a potato farm in Idaho and turn off all of your services. Phone, power, and cable are for wimps anyway.



Why single sign-on technologies still aren't a good idea

by d.oltmann In reply to Why single sign-on techno ...

Makes sense to me.


be careful of what you ask for.

by myronjc In reply to Why single sign-on techno ...

While there are significant privacy issues to deal with in a public single sign on system, there is another consideration, liability. Corporations which ask for more information than what is needed to provide a specific service are just asking to be sued when their system fails (not if, but when) and private data is released to unauthorized entities.


SSO and Passport aren't the same

by cbaudoin In reply to Why single sign-on techno ...

I agree with Mr. Yarden that there are significant issues in entrusting personal information to external parties for the purpose of having them vouch for my identity when I connect to third parties. However, this is not, per se, the nature of single sign-on (SSO) and there are other ways to achieve this.

Basically, in the absence of SSO, we have to log in to various web sites or services (e-mail servers, etc.) all the time, often repeatedly because some have built-in timeouts, and because of the number of passwords we handle, we take a variety of risky measures:
- write the passwords down somewhere
- use the same passwords for many sites
- use some "keychains" of unproven robustness (personally, I don't know how I could do without PasswordSafe in my task bar, but is it really safe? I don't know).

I think that what we really need is SSO technology that does not require depositing confidential information elsewhere, outside of our control. This is possible -- but then it requires a physical key (could be a small device you plug into a USB port) that, when interrogated by a piece of software, prompts the user for a single private password, then delivers to the requesting web site or application the proper username/password pair for that application. Think of the way Netscape asks you if you want to remember the username/password pair for a site you visited, and stores it in its own files. Instead, it would encrypt this information using my public key, store it in the device, and ask me to unlock it later using my private key (so I'm assuming some sort of PKI here).

There are pros and cons, like with any solution: I could use my SSO "passport" on any machine that has a USB port... provided that the plug-in exists (so this scheme would have to become a sort of standard for browser plug-ins) and that I didn't forget the device at home. If I wanted the information to be "recoverable" without having the physical device, then we get back to square one: I'd have to accept to deposit the content of the device (all my passwords, encrypted with my public key) on someone's server, and trust that the scheme can't be broken.


Good Points

by 1DaveN In reply to SSO and Passport aren't t ...

I agree with this idea - I like the security provided by a USB key and PIN or password. I'm less worried about the personal information in my Passport account (essentially none), than I am the widespread access that would be granted to someone who stole my Passport password. A two-factor solution solves this problem nicely, while adding an additional layer of security to whatever information I've provided.
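The vault cbaudoin sketches above, with the two-factor unlock 1DaveN endorses, as an added example. This is not code from the thread or from any poster, and it makes a few substitutions that should be stated plainly: the public-key wrapping in the original description is replaced by a key derived (scrypt) from the master password combined with a random secret that only the plug-in device holds, so that neither the password nor the device alone can open the vault; and, to stay on the Python standard library, an HMAC-SHA256 counter-mode stream with encrypt-then-MAC stands in for a proper AEAD such as AES-GCM. All function names are hypothetical and the site names and credentials are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical design for illustration; none of these names are a standard API.
KDF_N, KDF_R, KDF_P = 2 ** 14, 8, 1   # scrypt cost: 16 MiB of memory per unlock


def derive_keys(password: bytes, device_secret: bytes, salt: bytes) -> tuple:
    """Derive an encryption key and a MAC key from BOTH factors.

    The password (something you know) and the device secret (something you
    have, e.g. a random 32-byte value stored only on the USB token) are mixed
    into one scrypt input, so a stolen vault blob plus one factor is useless.
    """
    km = hashlib.scrypt(password + b"\x00" + device_secret, salt=salt,
                        n=KDF_N, r=KDF_R, p=KDF_P, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a stream cipher (stdlib only;
    a production vault would use an AEAD such as AES-GCM or ChaCha20-Poly1305)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(entries: dict, password: str, device_secret: bytes) -> bytes:
    """Encrypt {site: {"user": ..., "pass": ...}} into the blob kept on the token."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(password.encode(), device_secret, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # Encrypt-then-MAC over everything the decryptor will rely on.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def open_vault(blob: bytes, password: str, device_secret: bytes) -> dict:
    """Decrypt the blob; raises ValueError if either factor is wrong or the blob was altered."""
    if len(blob) < 64:
        raise ValueError("vault blob too short")
    salt, nonce, tag, ciphertext = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = derive_keys(password.encode(), device_secret, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time check before any decryption
        raise ValueError("vault authentication failed")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode())


def credential_for(blob: bytes, password: str, device_secret: bytes, site: str):
    """What the browser plug-in would call: unlock once, hand back the pair for one site."""
    vault = open_vault(blob, password, device_secret)
    entry = vault.get(site)
    if entry is None:
        return None
    return entry["user"], entry["pass"]


def demo() -> bool:
    """Round trip on constructed sample data (not real accounts); True if all checks pass."""
    device_secret = secrets.token_bytes(32)     # would live only on the token
    entries = {
        "mail.example.net": {"user": "cb", "pass": "Correct-Horse-1"},
        "shop.example.com": {"user": "cbaudoin", "pass": "Battery-Staple-2"},
    }
    blob = seal_vault(entries, "one-master-passphrase", device_secret)
    ok = credential_for(blob, "one-master-passphrase", device_secret,
                        "mail.example.net") == ("cb", "Correct-Horse-1")
    # Wrong password, or right password with a different device: both must fail.
    for pw, dev in (("wrong", device_secret),
                    ("one-master-passphrase", secrets.token_bytes(32))):
        try:
            open_vault(blob, pw, dev)
            return False
        except ValueError:
            pass
    return ok


if __name__ == "__main__":
    print("vault demo ok:", demo())
```

The last point in cbaudoin's post shows up directly in this design: if the blob is copied to someone else's server for recovery, it is still protected by both factors, but the moment the device secret is also escrowed so that a lost token can be replaced, the server holds everything needed to open the vault, and the trust question returns.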
