The Single sign-on universal login security debate

The more apps and websites we register with, the more usernames and passwords we need to remember. You might end up managing hundreds, which, as you know, means you have to find somewhere to store them while also avoiding reusing the same password on more than one website. Your digital identity is your offline identity too.

So how could you go about reducing this number while at the same time increasing the security? OneID is one company I’ve been researching recently. They provide a Single-Sign-On (SSO) service and form filler. The SSO component is loosely based on the OpenID Foundation’s open authentication standard.

OneID’s architecture is actually very simple. You verify your digital identity with a password via an active device and a control device, i.e. a browser, app or physical device. The active physical device in this example would be the PC. A verification is then sent to your mobile* for user verification. This works on the principle that if someone has stolen your mobile they will still need your PC to access your OneID network. Call it two-step verification, if you want. Users also don’t need to remember credit card numbers: this data is encrypted and isn’t stored on a central server; the encrypted data is stored in the cloud, but the key isn’t. More on the signature keys in the next paragraph.

*Think Over-the-Air (OTA) and One-Time-Password (OTP) here.

There is also the option of using a one-time pin (known as an ‘out-of-band’ service) to verify your digital identity. This acts like a signature verification system rather than a password, which means that if the system is hacked only the pin is exposed, not the passwords. The keys used for the signatures would need to agree with those stored when the user first authenticated to OneID; if someone other than the OneID user attempts to replace the stored keys, the authentication will fail. Equally important, the pins are not stored in the central database as they can only be used once – hence ‘One-Time-Pins’. 🙂
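A minimal illustration of the signature-based, one-time-challenge flow described in the two paragraphs above, added here as example code (not OneID’s own): the server stores only the device’s public key and the challenges it has already accepted, so a server breach yields no reusable secret, a replayed challenge is refused, and a signature made by the user’s device no longer verifies once the stored key has been swapped. The user name, key pair and challenge size are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server keeps only public keys and already-accepted challenges; no password or shared secret is stored.
type Server struct {
	keys map[string]ed25519.PublicKey
	used map[string]bool
}

func NewServer() *Server { return &Server{keys: map[string]ed25519.PublicKey{}, used: map[string]bool{}} }

// Enroll records the public half of the device key on first authentication.
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// Challenge issues a fresh random one-time value, the "pin" the device must sign.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 16)
	_, err := rand.Read(c)
	return c, err
}

// Verify accepts a challenge exactly once, and only if the signature checks out against the enrolled key.
func (s *Server) Verify(user string, challenge, sig []byte) error {
	id := hex.EncodeToString(challenge)
	if s.used[id] {
		return errors.New("challenge already used")
	}
	pub, ok := s.keys[user]
	if !ok || !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature does not match enrolled key")
	}
	s.used[id] = true // burn the pin so a captured signature cannot be replayed
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // device key pair (constructed)
	s := NewServer()
	s.Enroll("alice", pub)
	c, _ := s.Challenge()
	sig := ed25519.Sign(priv, c)
	fmt.Println("first use:", s.Verify("alice", c, sig)) // <nil>
	fmt.Println("replay:", s.Verify("alice", c, sig))    // challenge already used
}
```

Swapping the stored key for a different one, or presenting a signature for a user who was never enrolled, is rejected by the same `Verify` check.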

The idea is that users can manage all their devices and data through OneID, but the major drawback here is getting websites to adopt the system in the first place. I’ve already seen similar services fail to attract mass market adoption, which in my mind is a shame. There is also the small issue of privacy. Universal login (SSO) provides companies with access to user profile, demographic, surfing behaviour, usernames/IDs and other data, so I’m not entirely sure users will adopt this en masse.

Also, I believe these types of SSO need full support from Capitol Hill in the US and other governments, and perhaps from the likes of Facebook or Twitter. The current thinking is all about shared secret authentication, which isn’t the answer. Right now OneID and OpenID remain committed to providing universal login security, but something tells me it might be an uphill struggle given that OpenID to date hasn’t been that successful with market adoption. OK readers, let me know your thoughts!

Safe surfing folks!


2 Responses to The Single sign-on universal login security debate

  1. Julian,

    So OpenID has evolved to OpenID Connect built on top of OAuth2 and in this regard there is actually pretty wide adoption (and IETF DRAFTS moving forward). This blog from Eve Maler puts it together pretty well and throws in User Managed Access (UMA, and IETF DRAFT here too) as a third leg (though UMA is about 4 legged Authorization with Authorizing User, Requester, Host and Authorization Manager). This is not so much about SSO as it is about contextual authentication being a way to describe authorization a riff of @Steve_Lockstep. SSO is the context.

    Let me know what you think.

  2. Pingback: The Single sign-on universal login security debate | News | IT Security Magazine - Hakin9
