Ask Slashdot: What's Holding Up Single Sign-On?
An anonymous reader writes "Like most web users these days, I have enough accounts on enough websites – most of which have *inconsistent* password syntax restrictions — that when I need to log into a site I don't visit very often, I now basically just hit the "Forgot Password" button immediately. Microsoft's "Passport" gave us the promise of a single web sign-on. What happened to that idea? Why hasn't some bright spark (or ubiquitous web corporation) already made a fortune standardizing on one? I can now buy my coffee with my phone. Why do I have to still scratch my passwords on the underside of my desk?"
Single Sign on aka FB (Score:5, Informative)
The real reason holding it back is that the people who make the websites are either too lazy to include it (e.g. blogging sites) or want increased security (a.k.a. financial sites).
It's already here (Score:5, Informative)
Facebook, OpenID, Yahoo, AOL, Google, Microsoft - they all support SSO for websites that want to use it. It's just a matter of the individual websites implementing it.
If you notice, Slashdot has even implemented it.
Re:Single Sign on aka FB (Score:4, Informative)
Or users who rebel.
In the meantime - LastPass! (Score:3, Informative)
In the meantime, check out https://lastpass.com/ - you get to use a single password to protect all of your other passwords. You can generate random ones and store the passwords in the cloud, so they are accessible to you anywhere. I cannot do justice here to the security and features offered.
Essentially you visit a site, and LastPass fills in the username/password for you.
Re:Trust and Compromise (Score:4, Informative)
If you have something like OpenID, you could set up your own SSO providers.
Face it; average joe uses the same password everywhere, and won't care about the trustability of the service provider.
Re:Because it's a terrible idea. (Score:2, Informative)
There is. Password managers.
KWallet, for example, can do this automatically. I don't have to "remember" anything but the single password I encrypted it with. It remembers everything else. All the convenience of single sign-on, without the problems of a single compromised site leaking all your sign-on data to everything, and without the problems of tracking.
Re:Single Sign-On (Score:5, Informative)
Yep...I'd prefer NOT to have every website and business out there to be able to more easily tie all their data on me together. I don't want it any easier than it already is.
And please, don't anyone mention using FB as the universal ID. I don't have and don't want FB account(s).
I don't want to pay for coffee or anything else with my phone either...I hope if the new iPhone 5 has NFC on it...it can be easily and permanently shut off.
I like to use cash whenever possible...anonymous, and it gives me a much better feeling for how much I'm spending a month, than using credit, which to me adds a layer of abstraction to money, much like how chips do in a casino. With chips or CCs (and now a phone) it is more like 'play' money than real money...and it is easier to lose sense of how much you're blowing here and there.
Re:It's a bad idea (Score:5, Informative)
But if you do that, then why not just use a different password for each such group? Passwords aren't that hard.
I believe the submitter touched on part of the reason. Inconsistent password policies for length, characters and expiry date.
To this day there is one PITA site that won't allow "!" as a password character and it throws my whole system off.
Also, if I want to change my password, with SSO there is one change. With multiple sites....
Passwords may not be hard... but SSO is easier.
Re:In the meantime - LastPass! (Score:4, Informative)
Fortunately they don't have access to your unencrypted passwords. https://lastpass.com/support.php?cmd=showfaq&id=1096
"AES utilizing 256-bit keys. AES-256 is accepted by the US Government for protecting TOP SECRET data. AES is implemented in JavaScript for the LastPass.com website, and in C++ for speed in the Internet Explorer and Firefox plug-ins.
This is important because your sensitive data is always encrypted and decrypted locally on your computer before being synchronized. Your master password never leaves your computer and your key never leaves your computer. No one at LastPass (or anywhere else) can decrypt your data without you giving up your password (we will never ask you for it). Your key is created by taking a SHA-256 hash of your password. When you login, we make a hash of your username concatenated with your password, and that hash is what's sent to verify if you can download your encrypted data."
Re:Single Sign-On (Score:5, Informative)
How about OpenID? It can be based on whatever you want. There is no global single point of failure, as people can stand up their own OpenID site, and any site that accepts OpenID can use it. The only thing saved on the end site is your OpenID URL; these can be many-to-one and/or specific to a given site. Pretty much, you can add as much complexity as you want on your server, or find somebody to do so for you.
Re:Single Sign-On (Score:4, Informative)
If they know that a group of interest meets at 8pm on the 1st, 17th and 23rd of each month, and you buy a latte from the Starbucks next door to the meeting place only on those days at 7:45pm, then you become a person of interest.
Technically it's the first Friday of the month, 5 to 8 local time. But whatever.
http://www.2600.com/meetings/
Re:Single Sign-On (Score:4, Informative)
Mozilla Persona/BrowserID is certificate-based and lets you have different profiles for different sites. It requires you to have an Identity Authority that can vouch for your email, but if you have your own domain you can be your own IA.
http://lloyd.io/how-browserid-works