
Ask Slashdot: What's Holding Up Single Sign-On? 446

Posted by timothy
from the 2012-edition-but-ask-again-next-year dept.
An anonymous reader writes "Like most web users these days, I have enough accounts on enough websites – most of which have *inconsistent* password syntax restrictions — that when I need to log into a site I don't visit very often, I now basically just hit the "Forgot Password" button immediately. Microsoft's "Passport" gave us the promise of a single web sign-on. What happened to that idea? Why hasn't some bright spark (or ubiquitous web corporation) already made a fortune standardizing on one? I can now buy my coffee with my phone. Why do I have to still scratch my passwords on the underside of my desk?"

  • Single Sign-On (Score:5, Insightful)

    by Anonymous Coward on Tuesday July 24, 2012 @03:36PM (#40754415)

    Single breach of security.

    • Re:Single Sign-On (Score:5, Insightful)

      by Anne_Nonymous (313852) on Tuesday July 24, 2012 @03:40PM (#40754497) Homepage Journal

      Not to mention the tracking/privacy issues.

      • Re:Single Sign-On (Score:5, Informative)

        by cayenne8 (626475) on Tuesday July 24, 2012 @04:10PM (#40755093) Homepage Journal

        Not to mention the tracking/privacy issues.

        Yep...I'd prefer NOT to have every website and business out there to be able to more easily tie all their data on me together. I don't want it any easier than it already is.

        And please, don't anyone mention using FB as the universal ID. I don't have and don't want FB account(s).

        I don't want to pay for coffee or anything else with my phone either...I hope if the new iPhone 5 has NF on it...it can be easily and permanently shut off.

        I like to use cash whenever possible...anonymous, and it gives me a much better feeling for how much I'm spending a month, than using credit which to me, adds a layer of abstraction to money, much like how chips do in a casino. With chips or CC's ( and now a phone) it is more like 'play' money than real money..and it is easier to lose sense of how much you're blowing here and there.

        • Re:Single Sign-On (Score:5, Insightful)

          by mlts (1038732) * on Tuesday July 24, 2012 @04:24PM (#40755293)

          One phrase: Single point of failure.

          The only system I can think of that would not be bad for a single sign-on would be something client certificate based, where the program that used your cert would prompt for access. Even then, it better support different certificates for different sites, so not every site is linked to one key.

          I wouldn't mind seeing something that functioned like SecurID, except used public/private keys. That way, I could copy the key to a keyfob so I can use it for offline challenge/responses, as well as use my smartphone. If I were on a computer I trust, the client cert daemon would prompt if the site deserves a response and to hand them one from what key I used to authenticate.

          Not too difficult to code, but because it is a fairly open system, not many hardware vendors would want to do it.

          • Re:Single Sign-On (Score:5, Informative)

            by silas_moeckel (234313) <silas@dsminc-[ ]p.com ['cor' in gap]> on Tuesday July 24, 2012 @04:48PM (#40755693) Homepage

            How about openID it can be whatever you want based. There is no global single point of failure as people can stand up their own openid site and any site that accepts openid can use it. The only thing saved on the end site is your openid url these can be many to one and/or specific to a given site. Pretty much you can add as much complexity as you want on your server or find somebody to do so for you.

            • by mlts (1038732) *

              I'm a supporter of OpenID. It disperses the eggs into multiple baskets, forcing an attacker to attack multiple sites.

              Plus, it adds some ability to pack one's own parachute. I could keep all my OpenID stuff on a co-located box that is heavily secured, and know exactly what measures are in place, as opposed to taking someone's word that something is secure.

          • Re:Single Sign-On (Score:4, Informative)

            by icebraining (1313345) on Tuesday July 24, 2012 @06:30PM (#40757499) Homepage

            Mozilla Persona/BrowserID is certificate based and lets you have different profiles for different sites. It requires you to have an Identity Authority that can vouch for your email, but if you have your own domain you can be your own IA.

            http://lloyd.io/how-browserid-works [lloyd.io]

      • by manu0601 (2221348)

        Not to mention the tracking/privacy issues.

        You can run your own identity provider so that you are the only one able to spy on yourself

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      Most password reset protocols are just a kludgy 'authentication via email' already.

      I would've logged in, but I no longer have access to the email account that I used to create my /. account 10+ years ago.

    • Yeah I was going to say "the fact that it's a terrible idea" but that hasn't stopped so many other terrible ideas from becoming wildly popular.

      • Re:Single Sign-On (Score:5, Insightful)

        by dgatwood (11270) on Tuesday July 24, 2012 @04:13PM (#40755137) Journal

        ... that hasn't stopped so many other terrible ideas from becoming wildly popular.

        Like passwords. I mean, the entire notion of securing access to an account using something that can trivially be sniffed, forged, etc. is utterly insane.

        Or those fake software-based "second factor" authentication systems where your cell phone (or some other remotely crackable device) is the second factor.

        The fact is that nobody is willing to do security right, because doing security right is hard as hell, and damned inconvenient. So instead, everybody adds hack on top of hack to try to maintain the illusion that these fundamentally flawed authentication mechanisms are somehow useful or robust. Single sign-on just eliminates the illusion of security. :-)

        • by mlts (1038732) *

          Using a SMS message to a cellphone is better than nothing. Generally if a remote cracker gets access to passwords, they generally won't have the ability to intercept those.

          Of all the two factor authentication mechanisms, Google has theirs done pretty well with not just the ability to call a backup number, but handing you a few one use codes to stash aside in case of emergency.

    • Re:Single Sign-On (Score:4, Interesting)

      by xtracto (837672) on Tuesday July 24, 2012 @04:14PM (#40755143) Journal

      Just use Keepass. Allows you to remember just one password. I use LastPass, but of course it is not for the super-paranoid (it could be hacked with all my passwords on it).

      • LastPass encrypts on the client. The only way to crack your passwords would be to do it from your own machine, and then Keepass is broken too.

  • by Anonymous Coward on Tuesday July 24, 2012 @03:36PM (#40754427)

    Who is worthy of yours? I see Facebook SSO everywhere, but I don't want to be any part of Facebook.

  • Here (Score:5, Funny)

    by Anonymous Coward on Tuesday July 24, 2012 @03:38PM (#40754439)

    I'll give you a single sign-on! Send all your login information to me and I'll set something up...

  • by 0123456 (636235) on Tuesday July 24, 2012 @03:39PM (#40754465)

    Users don't want everything tied to a single identifier, particularly one controlled by Microsoft, Google, Facebook or some other company.

    • by residieu (577863)
      But it's nice when I want to comment on an article and I really don't want to sign up for yet another account. I can just give them my spare yahoo account and log in. Yay!
    • by erroneus (253617)

      Users don't want everything tied to a single identifier, particularly one controlled by Microsoft, Google, Facebook or some other company.

      Indeed. So I asked myself the next question: "Who would I trust?" The Dalai Lama? Yes, I would trust the Dalai Lama, but sure as shit China would hack whatever the Lama was using and that would be the end of that too.

      Obstacle #1 who to trust and obstacle #2 vulnerability of that trust.

      It's an old but apt term -- "all your eggs in one basket" -- convenient but still a bad idea.

  • by Foo2rama (755806) on Tuesday July 24, 2012 @03:39PM (#40754477) Homepage Journal
    FB is becoming more and more of a single sign on.



    The real reason holding it back is people that make the websites are either too lazy to include it, i.e. blogging sites, or want increased security, aka financial sites.
    • by i kan reed (749298) on Tuesday July 24, 2012 @03:43PM (#40754563) Homepage Journal

      Or users who rebel.

    • by cpu6502 (1960974) on Tuesday July 24, 2012 @03:51PM (#40754731)

      The real reason is that FB forces me to use my realname, and I don't want to use my realname on a public internet that stores my messages for the next 20, 30, 40 years. I don't want either my employer or some government agency using those posts to develop a profile about me. (Or using them as excuse to reject my resume, or stick me on a Do Not Travel list.)

      I get around the "single login" deficit by using the same name/pass across all websites where I don't care if they get hacked (like posting replies on newspapers). I use a 2nd password for personal websites like email. And a 3rd strong password just for the two banking/stock websites. Nothing gets written down so I don't have to worry about somebody finding my "scrawled passwords" laying in plain sight.

    • by JohnFen (1641097)

      The real reason is what's been said before: trust. I can't think of any entity that I trust with so much that I'm OK with them knowing when & where I'm logging into something, let alone hold my keys.

    • by jandrese (485)
      It's worse than that, when you sign on with Facebook, a lot of times that means whatever site you are using then has total access to your account, including making posts as you that you won't even see on the main page. You have to drill down into your account to see what those companies are posting in your name.
    • Do you really want all your FB friends to see "Foo2rama liked THE ANAL INTRUDER from www.xxxtoys.com!" when you accidentally click "Like this on Facebook" instead of "Add to Cart"?

  • Password Hasher [wijjo.com] could happily provide you with 26 character strong passwords without the hassle of remembering them.
    • What happens if I have various PCs? Or if one of my devices doesn't have firefox (ie: webOS)?

  • Facebook has made one of the largest pushes into this area. Has it worked? I'm not sure, just because I tend to prefer to not tie my various accounts to Facebook. I assume some people feel the same way, but I suspect the population at large likes this.

  • by harl (84412) on Tuesday July 24, 2012 @03:42PM (#40754529)
    It's impossible to find someone everyone trusts.

    Also what happens once the central repository is compromised?
    • by hobarrera (2008506) on Tuesday July 24, 2012 @03:59PM (#40754867) Homepage

      If you have something like OpenID, you could set up your own SSO providers.
      Face it; average joe uses the same password everywhere, and won't care about the trustability of the service provider.

    • by dkf (304284)

      It's impossible to find someone everyone trusts.

      You don't have to trust the same people I do. So long as we can find identity providers who talk compatible protocols so that consumers of identities don't need to care, it doesn't matter. (Note that the majority of providers only really guarantee to tell sites "this is the same person who logged in as that other time" and not any information more than that, such as actual names. For a lot of uses that's good enough, but not all.)

      Also what happens once the central repository is compromised?

      You'd rather have logins on hundreds of badly-maintained blogs instead of a we

  • It's already here (Score:5, Informative)

    by wiggles (30088) on Tuesday July 24, 2012 @03:42PM (#40754531)

    Facebook, OpenID, Yahoo, AOL, Google, Microsoft - they all support SSO for websites that want to use it. It's just a matter of the individual websites implementing it.

    If you notice, Slashdot has even implemented it.

    • Yes, they all support being SSO providers, but if EVERY service provider provides me with an SSO, but none of them let me log in with a third-party SSO, then I don't have a choice but to have a different account on each place; a facebook account, a google account, etc.

      • And if it's google, yahoo, aol or a pile of others they can be used as OpenID. Right now it's pretty much facebook as the holdout as they want all that juicy data. OpenID is the only one in the mix that lets you be in control you can host it on your own site add multipart authentication to it and generally be assured of its safety as it's completely under your control (as much as anything that relies on DNS is).

    • by iluvcapra (782887) on Tuesday July 24, 2012 @04:01PM (#40754907)

      That's the great thing about single sign-ons: there are so many to choose from!

  • My Single Sign On (Score:5, Informative)

    by SighKoPath (956085) on Tuesday July 24, 2012 @03:42PM (#40754555)
    I have Single Sign On. It's called keepass.
    • Re:My Single Sign On (Score:4, Interesting)

      by TheCarp (96830) <sjc@caRASPrpanet.net minus berry> on Tuesday July 24, 2012 @03:48PM (#40754663) Homepage

      Yes. Exactly. All the SSO I need.

      I have a FB account, but, since when do I trust them to know every single website I go to? You know how many non-FB websites I have EVER logged into with my FB account? 0. Exactly 0.

      As far as I can tell, the only reason they offer SSO is so they have yet more info to aggregate and sell. I don't use FB login for the same reason I don't allow my web browser (via requestpolicy) to connect to facebook at all when loading non-facebook sites.

      FB doesn't need to know where I go to stream music, it doesn't need to know where I read my news or post my comments, it doesn't need to know jack shit other than what I post on my wall, on facebook.

    • Not really SSO, if I find myself on a trip with a broken laptop, I can't quickly log in from a new one, or from a friend's one, I'll need to salvage the data on it first. And since it's the SSO, I can't get a remote backup without it.

      Keepass has its uses; SSO isn't one of them, nor is it a substitution for SSO.

    • Or LastPass.

  • by Anonymous Coward on Tuesday July 24, 2012 @03:43PM (#40754561)

    I simply use the same password for everything! Brilliant, I know!

  • by JTD121 (950855) * on Tuesday July 24, 2012 @03:44PM (#40754591) Homepage
    There's Mozilla's Browser ID [browserid.org], which is used nowhere....Google, Yahoo, et al seem to have been 'bundled' into the Disqus 'platform' across various sites. I think it's more that no one wants to give up 'control' of their user data and associated metrics to a single open standard. By forcing users to continue to sign up for their 'services' they get to collect whatever they want through the use of EULAs, ToS', etc. For their own ends, of course.
  • by Kiaradune (222032) on Tuesday July 24, 2012 @03:45PM (#40754607)

    In the meantime, check out https://lastpass.com/ [lastpass.com] - you get to use a single password to protect all of your other passwords. You can generate random ones, store the passwords in the cloud, so are accessible by you, anywhere. I cannot do justice here to the security and features offered.

    Essentially you visit a site, and LastPass fills in the username/password for you.

    • LastPass discloses potentially personally-identifying and personally-identifying information only when required to do so by law, or when LastPass believes in good faith that disclosure is reasonably necessary to protect the property or rights of LastPass, third parties or the public at large

      The highlighted clause is totally out of order. There is only ever one reason they should release data; when instructed by a lawful legal order.

      • by Kiaradune (222032) on Tuesday July 24, 2012 @04:17PM (#40755183)

        Fortunately they don't have access to your unencrypted passwords.. https://lastpass.com/support.php?cmd=showfaq&id=1096 [lastpass.com]

        "AES utilizing 256-bit keys. AES-256 is accepted by the US Government for protecting TOP SECRET data. AES is implemented in JavaScript for the LastPass.com website, and in C++ for speed in the Internet Explorer and Firefox plug-ins.
        This is important because your sensitive data is always encrypted and decrypted locally on your computer before being synchronized. Your master password never leaves your computer and your key never leaves your computer. No one at LastPass (or anywhere else) can decrypt your data without you giving up your password (we will never ask you for it). Your key is created by taking a SHA-256 hash of your password. When you login, we make a hash of your username concatenated with your password, and that hash is what's sent to verify if you can download your encrypted data."

        • by mcelrath (8027)

          That's about as useful as saying magic unicorns protect your security.

          Unless it's open source, you're still depending on the good graces of a third party to not do something else with your password. A black box with AES stamped on the outside garners the same level of trust as a black box with ROT13 stamped on the outside. How do you know they're not AES encrypting the username, and keeping passwords in plaintext? (through incompetence, malice, or just simply a bug)

          Go with KeePass [keepass.info] instead, and keep e

  • I've tried Open ID through Google to sign in to Slashdot but can't get it to work.
  • The core problem (Score:5, Insightful)

    by subreality (157447) on Tuesday July 24, 2012 @03:46PM (#40754635)

    The technology is already available - OpenID and several other standards are ready to go.

    The trouble is that everyone wants to be the ID provider, but no one wants to accept other providers. Passport is a great example - Microsoft wants to be the central gatekeeper. Well thanks, but no, I'd rather run my own, but of course MS won't accept it.

    So we're now in a standoff.

  • This is a really bad idea across the board. First you would have to get a bunch of web sites to agree on a set of standards - really have you looked at what clusterf*ck most standards have turned into? Assuming you can somehow make the first one happen with the blessing of the FSM on the second harvest moon of the year you still have a problem.

    You have now just made /any/ website that did somehow join your standard much more profitable. Why? Users are lazy, not only do they share passwords they also typical

  • by jellomizer (103300) on Tuesday July 24, 2012 @03:50PM (#40754701)

    Ok the problem with Single Sign on, is the fact we are all going to choose a company for the SSO.
    Do enough of us really trust Microsoft, who has been in the headlines for massive security breaches?
    How about Facebook, you know those guys who take your data and send it to everyone on the face of the earth.
    Perhaps Google, You will get targeted ads based on every place you log in to.
    Open ID, how much do you really trust a bunch of hairy toe programmers, who go to these black hat hacking events?

    Some distributed architectural system where you can find many points of weaknesses from some amateur setup.

    That is the problem with Single Sign On. We just don't have any trust, in these sources. And to have one that you trust enough for the rest of the world?

  • 1. Facebook connect. Remember that Facebook only knows what you tell it. You could always make an account with only required fields filled out, NEVER use it as intended (set all the security/privacy to the highest and don't ever friend anyone, join any groups, or "like" anything), and just use that as your SSO solution. Or if you simply refuse to use Facebook at all: 2. Lastpass. Can't say enough about these guys. It is FREE and just works.
  • Password policies seem to make the whole point shared in the OP about defaulting to the "Forgot Password" button.

    Many people have very secure passwords, and good schemes to secure them, generate unique ones for each site, etc. So if my password for a site is "Lkjsdf834kklLKjlkj90uKLjh89yhLK98" - that could be very secure. But if some arbitrary site has a rule that states "Your password must have at least one punctuation character in it" - it rejects my password. Now, the system I have in place to generate

    • I remember a security class where the instructor talked about how a good pass phrase is more secure than passwords conforming to the usual character-class rules and change frequencies - the latter often providing passwords difficult to remember, etc... His example, the phrase, "My daughter has big brown eyes." is rather secure from guessing and hacking attempts and easy for him to remember. Assuming he is careful about sharing and/or surveillance by others, there's no need to change it every N days, or ever.
  • by Above (100351) on Tuesday July 24, 2012 @03:53PM (#40754755)

    The answer is easy: Too many eggs in one basket.

    That could be one place that if it gets broken into everything is lost, or it could be one entity that knows all the dirty little secrets since they know all the sites that authenticate your identity. It could also just be one entity that must be up and available, which is a tall order.

    The solution is simple: Public key cryptography.

    Most of the people on /. are probably familiar with ssh. A key is generated on the client end. The public material is put on the server end. If the server is compromised nothing bad happens as the attacker now has a public key they can't use to log into any other service.

    There is no technological reason the web can't work the same way. There is a lack of agreement on how to do it that is holding us back, and also a User Interface problem in browsers. However it's not hard to imagine a world where a browser generates a key pair, and during the sign up procedure for a web site it transmits the public material. It looks like single sign on to the user, but they didn't have to trust any third parties, and if the web site is broken into the attacker gets no useful data. It could be implemented with x.509 certificates which browsers already have support for, or it could be done as specific form types and key formatting a-la how ssh does it today. Users could create multiple keys if they wanted, and by syncing the private key material between their devices have passwordless access across all their devices.

    A small amount of standards work and UI here could make passwords nearly obsolete. Sysadmins don't use telnet and passwords anymore; we need to upgrade users, and the user tools to achieve the same benefits. Single Sign On, and all of its drawbacks, disappear in the process, a win-win!

    • Your solution moves single-sign-on from a solution-provider to the individual, but it completely ignores the fact that some of us DO NOT WANT identities tied together.

      True, I could have multiple, independent public keys just like I can have multiple independent sign-ons.

      However, you and the world still need to realize that one of the things holding back single-sign-on in any form is that many people simply do not want it.

  • I moved to Google after the collapse of my Yahoo single sign on multiverse. All things became one, which was the security reason why I shut down my Yahoo accounts and left for Google. Yahoo as a web portal has a number of quality services that are linked. If only their privacy options were more robust I might still be there to enjoy them.

    -Xin

  • Facebook is doing SSO really well for stuff that's just not that important. Sign in to random websites/games/apps/forums with a single click.

    I wouldn't want SSO for my bank/finances/medical though because of the single point of failure issue.

    However, for PC's Windows 8 now allows you to log in with your Windows Live credentials (not sure if you could do this before)... I personally liked that feature since you can log onto different PC's/tablets around the house without reconfiguring things.

  • Single Sign-On technology only makes sense within a single organization. For example, if you get a loan from the same institution you do personal banking with, you may want the convenience of a single sign on to their loan system and their banking system. But in this case, you don't have to worry about privacy issues as it is already the same organization with access to both sets of data, even if they are two different systems in the back-end, possibly due to a corporate merger or something.

    However, with cr

  • Because everyone wants to be the SSO provider.

    Basically, we had OpenID. Along came plenty of services which gave you an OpenID account (or something VERY similar), but none of them allow you to log in using a single sign on hosted elsewhere.
    Example: Facebook is a SSO. So is google. So are plenty others. But since google wants to be the provider, they won't allow you to log in with facebook's OpenID. The inverse also applies.
    In the end, everyone is an OpenID provider, but the only place I can log in with

  • by dmatos (232892) on Tuesday July 24, 2012 @03:55PM (#40754799)

    Why don't people just tell their browser to remember their login/pwd information? That's what I do for Slashdot, BoingBoing, fb, lj, gmail, etc.

    Bank websites and credit card websites, I still store the passwords in my noggin, but social media? I don't care if someone who's stolen my laptop suddenly can make twitter posts in my name.

    • Why don't people just tell their browser to remember their login/pwd information? That's what I do for Slashdot, BoingBoing, fb, lj, gmail, etc.

      Bank websites and credit card websites, I still store the passwords in my noggin, but social media? I don't care if someone who's stolen my laptop suddenly can make twitter posts in my name.

      Because many people are using multiple devices, in which case they have to store your passwords in "the cloud" with some sort of browser sync. Also, folks are accessing resources with a browser sometimes and apps at other times.

      LastPass does a pretty good job of filling in the gaps.

  • There is no company large enough to make a plausible attempt at "single sign-on" that would also be trustworthy enough for most people to give them that level of access. And there probably never will be, since our current system of corporate capitalism not merely permits but actively requires corporations to act in a sociopathic manner.

  • "oh shit! firefox(with single sign-in) won't start! I guess I'll have to use internet explorer to check my email. wait, I can't remember my email password anymore because I have been using single sign-on!!!!!"

    yea, that sounds like a great idea!(sarcasm)
  • Someone mentioned the very good point that Facebook is TRYING to become the single signon king. However, nobody trusts Facebook.

    It brings up the question of how a single signon organization would make its money.

    Nobody would trust it, use it, if it makes its money like FB or Google......basically by selling its users out.

    It would have to be some sort of not-for-profit trust that could pay its employees well without having ties to other businesses.

    That sounds like the government. I wouldn't want to give

  • everybody says you should never write down your password, but all of the sudden it is a good idea to store ALL of your passwords in one place?! encrypted or not, this is just a bad idea
  • * I want to keep my identities separate.
    * I don't want _SINGLE_SIGNON_PROVIDER_ to have keys to my entire online life.
    * I'd rather "spread the risk" of having my login information compromised.

    I don't have a common key for my house, office, and car either. Nor do I want one.

  • I have my personal windows live account, my day job Office 365 user account, and an Office 365 admin account for a friend's small business I administrate for him on the side.

    Whenever I needed to switch I need to clear my cookies and close all browser windows, then login again. It was a massive PITA.

    What I do now is use IE for day job, Firefox for personal, and Chrome for admin; so they each have separate cookie sets.

    I probably should switch to separate VMs.

  • by Nom du Keyboard (633989) on Tuesday July 24, 2012 @04:20PM (#40755227)

    The problem with Microsoft Passport was Microsoft.

  • by sker (467551) on Tuesday July 24, 2012 @04:46PM (#40755671) Homepage Journal
    Seems like most of the replies here suggest that users don't really want it. Maybe Slashdot users don't want it, but seems to me another reason is that sites don't want it. If the purpose of a login was to confirm my identity, more sites would make this easier. The purpose of a login is to shackle you to a site. This is why even if you see a "Login with Twitter" "Login with Facebook" button and try to use it, you're immediately required to "link" your Twitter or FB account to the "app" of that site. They don't give a damn what your identity is, they need more than just a confirmation of that, they need your permission to make you part of their social media reach. Now, there are ways to make this all happen with a good SSO, of course, but that's technically harder to implement, and there will often be some "business requirement" for some crucial piece of valuable personal info that happens to not be provided in whatever SSO, and so the managers will push for a custom sign-on. Facebook is getting close though. For better or for worse.
  • by PPH (736903) on Tuesday July 24, 2012 @07:13PM (#40758141)

    Invoking Betteridge.

  • by metrometro (1092237) on Tuesday July 24, 2012 @10:15PM (#40759871)

    This question has many parallels to "Why do all the browsers suck?" circa 2002. Similar answer: end users' interests are not aligned with commercial ventures, thus commercial entities fail to address the need. Governments, for similar reasons, are not welcome as solution providers.

    Mozilla has a potentially gamechanging solution in alpha. It is inherently user controlled and FLOSS. It's also intended to be very easy to use by building user-controlled personas into the browser, allowing single sign in without revealing sign-in habits to a third party. Developers and testers welcome.

    https://login.persona.org/ [persona.org]

    http://identity.mozilla.com/ [mozilla.com]
