


Not ready to give up on single sign-on

Mar 28, 2012
Access Control, Application Security, Identity Management Solutions

You could say single sign-on has become a key to my daily survival. I need so many passwords to get through the day that I’ve pinned a lot of my hopes on it.

Naturally, I was none too pleased to see that researchers have found big cracks in such single sign-on vehicles as OpenID and the system Facebook uses.

The details are in this article by my colleague Cameron Scott from the IDG News Service. Scott writes:

The researchers, from Indiana University Bloomington and Microsoft Research, say they have found a number of serious flaws in OpenID and the single sign-on system used by Facebook, as well as implementations of those systems at several popular websites. Google and PayPal are among the users of OpenID. “The problem here is that the authentication system makes life easier but it makes security management more challenging,” said XiaoFeng Wang, one of the authors of the study.


In one of the flaws the researchers exposed, for example, not all websites confirmed that a verification coming from OpenID included all of the items the website asked to be confirmed, such as the first name, last name and email address. The researchers were able to access the request, delete one piece of requested information (the email address, for example) as it went to OpenID and simply re-insert it in the signed okay from OpenID. In this way, even a hacker who didn’t control the email address linked to the user’s account on the website in question could log in, and potentially make purchases, using that person’s account. Using Facebook’s authentication system, researchers were able to persuade third-party websites that they were somebody else and hijack that person’s legitimate Facebook account.
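The check the quoted paragraph says was missing, as an added example that is not code from the article or from the researchers: a toy OpenID 2.0-style relying party in which `openid.signed` names the fields the provider's HMAC actually covers. The weak login reads the e-mail field whether or not it is signed, so an e-mail appended after signing is accepted; the hardened login refuses any response in which an attribute it relies on is absent from `openid.signed`. The field names, association secret and provider values are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed association secret shared by relying party and OpenID provider.
SECRET = b"constructed-association-secret"

def _kv_body(resp, signed_keys):
    # OpenID 2.0 signs the key:value\n form of the fields listed in openid.signed.
    return "".join(f"{k}:{resp['openid.' + k]}\n" for k in signed_keys).encode()

def provider_sign(fields):
    """Provider side (constructed): sign every field it was asked to assert."""
    signed_keys = sorted(fields)
    resp = {"openid." + k: v for k, v in fields.items()}
    resp["openid.signed"] = ",".join(signed_keys)
    mac = hmac.new(SECRET, _kv_body(resp, signed_keys), hashlib.sha256).digest()
    resp["openid.sig"] = base64.b64encode(mac).decode()
    return resp

def signature_valid(resp):
    """Recompute the HMAC over exactly the fields openid.signed lists."""
    signed_keys = resp["openid.signed"].split(",")
    mac = hmac.new(SECRET, _kv_body(resp, signed_keys), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64encode(mac).decode(), resp["openid.sig"])

def weak_login(resp):
    """The flawed relying party: trusts any field once the signature checks out."""
    if not signature_valid(resp):
        return None
    return resp.get("openid.ax.value.email")

def hardened_login(resp, required=("claimed_id", "ax.value.email")):
    """Every attribute the RP relies on must itself be covered by openid.signed."""
    if not signature_valid(resp):
        return None
    signed_keys = set(resp["openid.signed"].split(","))
    if not set(required) <= signed_keys:
        return None  # e-mail present but unsigned: reject, don't log in
    return resp["openid.ax.value.email"]

# Honest flow: the provider asserts identity and e-mail together.
HONEST = provider_sign({"claimed_id": "https://idp.example/alice",
                        "ax.value.email": "alice@example.com"})

# The reported flaw: e-mail stripped from the request, so the provider signs
# without it; an unsigned e-mail is then appended to the signed response.
TAMPERED = dict(provider_sign({"claimed_id": "https://idp.example/other"}))
TAMPERED["openid.ax.value.email"] = "victim@example.com"
```

The signature on `TAMPERED` is genuine, which is why checking only `signature_valid` is not enough; the relying party must also check that each field it acts on is in the signed set.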

Double phooey.

The researchers cast a small net for the study, gunning for the protocols used by Sears, Yahoo, Web-based project management application Smartsheet, FarmVille’s Facebook portal and The New York Times website, Scott writes.

The research shines a light on serious problems. Fortunately, the cracks discovered were documented and fixed.

The findings have not shaken my faith in single sign-on. Every protocol has its flaws, and it was only a matter of time before these were discovered. In my world, single sign-on still beats having to remember dozens of passwords that hang off the brain like a thick chain of keys hanging from a belt loop. There’s the password for the work blog, the personal blog, Twitter, Facebook, my bank, Amazon, all the sites for the electric and gas for the house, the phones, the cable, etc.

I’m drowning, and will take all the single sign-on help I can get, even if there are cracks in the armor.