We Need a Different Single Sign-On Solution


Matt Liotta


I have been talking about what is wrong with single sign-on (SSO) solutions for a while, apparently to no avail, as more and more vendors roll out new solutions based on the same flawed model. This seems to indicate that maybe Microsoft is correct; maybe people do want SSO, that is, the ability to log in at a single place but be authenticated at many.

Convenient, but is it secure?

Certainly SSO is more convenient, but at what cost? Do you want Microsoft to know every web site you log into? Before answering that, realize that Passport isn't the only game in town. The Liberty Alliance, started by Sun, plans to offer an alternative to Passport. However, the same question comes to mind: do you want Sun, or whoever is part of the Liberty Alliance, to know every web site you log into?

And it's not just your privacy at risk; it's your identity as well. Just think: if Passport allows you to log into a single place to identify yourself to all its participating services, then your Passport account is your identity. If someone else breaks into your Passport account, he or she can now access any of the participating services as YOU.

I guess I accepted a long time ago the need to remember multiple usernames and passwords. For me it was never a question of my privacy or my identity; it was simply the way the world worked. Unfortunately, it would appear that too many others want the convenience of an SSO solution. If the technology exists to offer an SSO solution, so that remembering multiple usernames and passwords is outdated, why can't I have a solution that protects my privacy and my identity?

A Single Sign On Solution?

In the spirit of the geek ethic, let me propose a solution to the problem I have pointed out. It seems to me that I would be less concerned about my privacy and better equipped to protect my identity if the central service I logged onto was on my local machine.

In fact, the OS on my machine, Mac OS X, already has something close, called the keychain. It allows me to store multiple usernames and passwords securely in a local database. I am already able to use this keychain to automatically log me into certain web sites that use HTTP authentication.

Unfortunately, most web sites do not use HTTP authentication. Most web sites simply serve an HTML form to their users that contains fields for their username and password. After submitting the form, the user is then given some piece of data to uniquely identify their authenticated session, often in the form of a cookie.

Solution Dependencies

Now if someone would publish some sort of specialized API for my keychain and a web site to exchange authentication information, then I could have my solution. I would log into my machine and my keychain would take care of logging me into whatever remote services I wanted to use that supported this specialized API I am proposing. These remote services don't even have to be web sites. I already use my keychain to automatically log me into my various POP3 accounts.
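As an added example (not code from the article or from Mac OS X's keychain), here is a small Python sketch of why a local keychain can automate HTTP authentication by itself but needs the site to publish something extra, like the API proposed above, before it can fill an HTML login form. The hostnames, credentials and the LoginFormSpec descriptor are constructed assumptions for illustration.

```python
import base64
from dataclasses import dataclass
from urllib.parse import urlencode

# Constructed sample keychain: per-site credentials that never leave this machine.
KEYCHAIN = {
    "mail.example.net": ("matt", "p0p3-secret"),
    "shop.example.com": ("matt", "unique-per-site"),
    "news.example.org": ("matt", "another-one"),
}

@dataclass(frozen=True)
class LoginFormSpec:
    """Hypothetical descriptor a site would publish so a keychain can fill its
    HTML login form: the action URL and the names of the credential fields."""
    action: str
    user_field: str
    password_field: str

# Constructed: how each sample site authenticates. None = HTML form, no descriptor.
SITE_AUTH = {
    "mail.example.net": "basic",
    "shop.example.com": LoginFormSpec("https://shop.example.com/login", "login_name", "passwd"),
    "news.example.org": None,
}

def http_auth_header(host):
    """HTTP Basic credentials: the scheme is standard, so the keychain can answer
    a 401 challenge without knowing anything else about the site."""
    user, password = KEYCHAIN[host]
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic_header(header):
    """What the server sees: decode the header back to (user, password)."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def build_login(host):
    """Return what the keychain can produce for host: an Authorization header,
    a form POST (only if the site published a descriptor), or None."""
    if host not in KEYCHAIN:
        return None
    mechanism = SITE_AUTH.get(host)
    if mechanism == "basic":
        return "header", {"Authorization": http_auth_header(host)}
    if isinstance(mechanism, LoginFormSpec):
        user, password = KEYCHAIN[host]
        body = urlencode({mechanism.user_field: user, mechanism.password_field: password})
        return "post", {"url": mechanism.action, "body": body}
    return None  # form login with no published field names: the keychain cannot help
```

The third site is the common case the article complains about: credentials are in the keychain, but without agreed field names nothing can be filled in automatically.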

This local keychain solution would seem to solve both of my issues with Passport and the like. It protects my privacy because it is my local machine logging into these remote services, not some company's server acting on my behalf. Further, it protects my identity in that someone would have to log into my local machine in order to access my keychain. And I feel pretty confident that I can protect my local machine from people who shouldn't be logging into my machine under my account.

There is one problem with this proposed solution, however. If I don't have access to my local machine, then I can't use the keychain. If I wanted to use my keychain on some web terminal at the airport, for instance, I would be out of luck. A possible answer may be found in Sony's Memory Stick® technology. What if I stored my keychain on a Memory Stick? I could then take my keychain with me wherever I go, maybe even attached to my actual keychain.

Likely there are smarter people than me who can come up with a better solution. However, I have yet to see a published solution that offers the convenience of SSO, while still protecting my privacy and my identity.

Bottom-line: Passport does more harm than good and we need a different SSO solution.

Matt Liotta started his development career at the age of twelve by building C applications for faculty at Emory University. He built his first web page soon after the release of Mosaic 1.0. Excited by early web applications, Matt saw the potential to replace legacy client server applications. At Emory University he built an enterprise calendaring system, the faculty poster project, a Y2K compliance tracking application, and a prototype for an electronic research administration system.

Since then he worked with an early ASP, Cignify, to build their transaction processing system for payroll time data. For this project, Matt created a message queuing system to connect significant bodies of code in C++ and VB with the main application server. He also built a code distribution system for Consumer Financial Networks, as well as the first online account management system for Grizzard Communications. Matt did consulting around San Francisco for companies such as Williams Sonoma and Yipes Communications.

Soon after, he built gMoney's Group Transaction System using an innovative XML messaging architecture for ColdFusion that matches conceptually with the now popular web services paradigm. He also wrote a C++ knapsack algorithm to realize nearly a 20-fold improvement over a similar approach written entirely in CFML. Later at TeamToolz, he designed a highly secure and scalable network architecture for ColdFusion to support N-tier transport agnostic distributed applications. He then went on to implement a cutting-edge content management system for DevX. He is now President & CEO of Montara Software, which he recently founded.

Matt is also a frequent speaker on web architecture:

  • Moving Legacy Applications to the Web (Emory Web Developers Users Group, Atlanta -- Feb, 98)
  • The Benefits of Web-based Enterprise Calendaring (Emory Web Developers Users Group, Atlanta -- Aug, 98)
  • Monitoring and Managing Services Remotely Using TAPI (Atlanta Visual Basic Users Group, Atlanta -- Nov, 99)
  • Scalable, Extensible Cold Fusion Architecture (Bay Area ColdFusion Users' Group, San Francisco -- Aug, 00)
  • Scalable, Extensible Cold Fusion Architecture II (CF_Scale Conference, Washington, D.C. -- Nov, 00)
  • Cold Fusion Scalability Panel (CF_Scale Conference, Washington, D.C. -- Nov, 00)
  • Introducing CF Espresso (including white paper) (CF_South Conference, Orlando -- Feb, 01)
  • Utilizing Reverse Proxies (Web Services World, San Jose -- Apr, 01)
  • Cold Fusion on Linux (A CF Odyssey Conference, Washington, D.C. -- Jun, 01)
  • Architecting Web Services (Web Show 2001, San Francisco -- Sep, 01)
  • Code Techniques in MX Panel (Bay Area ColdFusion Users' Group, San Francisco -- Jul, 02)
  • ColdFusion Cruise (May, 03)

I totally agree

Submitted by Anenga on April 13, 2002 - 15:41.

The current SSO solutions are horrible. Yes, I would suspect that people would not want Microsoft knowing where they are logging into. And there are dangers using an SSO: if someone gets your username and password you're pretty much screwed. (Though, I bet a lot of people use the same user/pass on every site they become members to)

An alternative, I believe, would be something like Mozilla has. A good system where it tracks your logins for you. Except, though, you can't use one username/password.

I think Browsers need to work with Web Developers a lot more. They should have something built in where you login with your username and password, then when you go to sites it can use a server side programming language to log you in with that username and password. Though, security would be a big issue because they could just store your username and password easily.

I propose that somebody (Microsoft or Sun or someone else) create a new language that allows you to use a SSO solution. However, keep it free and open sourced (well, not the user/pass databases anyways :P). Then, you could use global variables like "$Passport[UserName]" "$Passport[UserPass]" etc on websites maybe in PHP or something. Allow them to print the variables, but not store them on the server.

Oh, BTW, the Sun Solution they were talking about is Liberty. Which Web Developers also have to pay to use :/

Gator? + solution (sort of) to fake form problem

Submitted by skunk on April 14, 2002 - 03:27.

Amusingly enough isn't that what Gator (the infamous spyware) started off as? I seem to remember it called itself a "password manager" and offered to remember all of your different passwords for you. That said, just because it happened to form the root of the most infamous spyware on the net doesn't invalidate your idea.

The big downside to a locally supported password management system, as you pointed out, is the problem of access from another machine. I don't know that memory sticks would provide a good solution - I want my passwords with me without having to remember my memory stick AND be sure the computer I am logging on for has the hardware to support it. I would prefer a software solution of some kind where your passwords are hosted on a server somewhere, but (crucially) there is no "single" central server. Instead how about an open source server package which anyone can install on a server which implements a specific API (and some hefty security) and can be logged in to using a very simple client package (in the form of a browser plugin or something). That way you control where your passwords are stored (if you're paranoid you can host them on your own secure box somewhere) and you can access the whole lot from anywhere in the world.

Incidentally, in response to your other article explaining that simple but effective way of stealing passwords via faked forms I put together a Mozilla add-on which pops up an alert if the URL you are visiting contains a username of more than 10 characters (I know there are plenty of other problems with SSO but it's good to have a bit of extra peace of mind). There are also several bugs about this in Bugzilla, and it looks likely to be added into the main browser for Mozilla 1.01. I'd distribute my solution as a temporary fix but it's a pretty kludgy hack (installation basically consists of installing Mozilla browser gestures and copy+pasting some extra code into one of the JavaScript files for that). If I ever work out how to use Mozilla's XPI plugin installer I'll package it up like that.

USB memory keys are better than 'memory sticks'

Submitted by androse on April 14, 2002 - 09:38.

Memory Stick readers aren't very common yet. But there are many USB devices that do just the same thing. Some need to have a driver installed, some (more expensive) don't. So you could use them on any computer with a USB port: a pretty universal solution. There are other nifty devices available, like the Java Ring: it includes a processor and a JVM on a (fat) ring!

more passport...

Submitted by Junglee on April 15, 2002 - 08:33.

Anenga:

"I propose that somebody (Microsoft or Sun or someone else) create a new language that allows you to use a SSO solution."

Microsoft actually has a Passport SDK API set which allows anyone to implement Passport SSI on their server; the minimum requirement is IIS4. http://www.passport.com/directory has a list of websites which incorporate this SDK...

I don't like the idea of giving any of my info to Microsoft, and neither do a lot of other people. What I read somewhere was that Microsoft in the next version of Passport (Hailstorm) is coming up with some kind of distributed authentication mechanism (based on Active Directory) which corporates can use, for the simple reason that if I was in company abcd then I would like to manage my authentication myself with my abcd.com email address and the passwords etc. residing with me. Don't know if any corporates would be really queuing at their door though...

There is a site called xns.org which proposes a similar SSO; I don't know if they have any subscribers at all....

hailstorm? what hailstorm?

Submitted by jeduthun on April 15, 2002 - 12:53.

For those who don't already know, Microsoft is reportedly giving up on Hailstorm.


Real SSO needs S (as in servers)

Submitted by teradome on April 15, 2002 - 13:36.

There are certainly ways to do it yourself—you can use a secondary keychain but store it on your iDisk for access on any other Mac. Or you could even use Web Confidential, which supports the keychain, does Blowfish encryption, can auto-fill forms in the browser, and can do the iDisk file access automatically.

It's a single platform solution though, so it's not for the mainstream. It doesn't supply the real meat of an SSO, which is to get multiple sites working together, like an eBay purchase with one-click passthru to PayPal to complete a transaction. It's not available now, AFAIK, but these are the kinds of solutions the services will be looking to do with such a technology. Makes the shopping simpler, which in turn spurs on more shopping.

The simplest and most secure solution I've seen so far has been using password stores on a Palm handheld, like Keyring (free, via SourceForge). This way you can carry your info wherever you go and it's only open to hacking if someone steals your handheld—where it would still be protected by triple-DES 112-bit key encryption. It's not perfect, and Palm OS 5 should be adding some necessary support on the system side for data security, but this is the best direction so far.

Palm password storage

Submitted by jeduthun on April 15, 2002 - 14:09.

I second the motion on Keyring. I use it on a near-daily basis for everything from passwords to PINs; I think I've got data on over 75 accounts in there now. The extra security risk imposed by 'writing down' the passwords (mitigated by the 3DES 112-bit effective encryption) is greatly eclipsed by the fact that it reduces the temptation to use the same password everywhere. Later versions even come with a password generator.

I think it is worth mentioning that your handheld is not the only potential break-in point. IIRC, Keyring and the like synch the encrypted data to your PC. The chances of getting your PC compromised vary, of course, but it's something to keep in mind. Breaking 3DES with an effective 112 bit key in under a thousand years would take much more hardware than your average hacker has on hand.

For those who don't mind software that's only free-as-in-beer, there is another good bit of software for managing accounts and passwords called STRIP, which uses a 256-bit key and the new AES algorithm. You can read more about it on Zetetic's web site.


oops..

Submitted by jeduthun on April 15, 2002 - 16:42.

My bad. STRIP is free-as-in-speech, too. It is GPL'ed.


Much bigger ball game

Submitted by stormfront on May 29, 2002 - 07:30.

Just a quick comment to say that SSO is only a small part in the Digital Identity idea. If the only requirement for SSO was to easily log back into multiple websites then we would stick with our password managers. However even on the surface other issues such as cutting out the hassle of providing ten pages of personal information each time I want just a newsletter or to use an ecommerce site come up. SSO is important, but just part of a bigger picture. Solving SSO with simple password managers, APIs or keychains will not make the bigger picture easier to solve or provide for. It may even hinder the bigger picture.


where can I find SDK for

Submitted by anbalagn on January 27, 2012 - 05:57.

where can I find SDK for single sign on?


Evolt.org is an all-volunteer resource for web developers made up of a discussion list, a browser archive, and member-submitted articles. This article is the property of its author; please do not redistribute or use elsewhere without checking with the author.