Time is ripe for distributed authentication

I, along with all members of Spread Firefox, received an email explaining that their server had been accessed by an attacker:

We don’t have any evidence that the attackers obtained personal information about site users, and we believe they accessed the machine to use it to send spam. However, it is possible that the attackers acquired information site users provided to the site.

… and a little later in the email …

We recommend that you change your Spread Firefox password and the password of any accounts where you use the same password as your Spread Firefox account.

This is a great reason that a distributed authentication standard needs to be accepted and used across the web… and soon. A distributed single sign-on solution would prevent things like this from happening… not by preventing servers from being compromised, but by preventing attackers from finding usernames and passwords that are potentially (and probably) identical to the credentials used to authenticate on other sites.

Of the potential solutions I’ve seen, I think I like OpenID the best. But I would like to see people critique and suggest improvements. The solution needs to work, of course, but it should also be simple and extensible.

It’s time that we stop trusting every site we use with sensitive information.

6 Comments

  1. Posted July 15, 2005 at 5:09 pm | Permalink

    OpenID does seem to have the momentum right now. What are some of the other solutions you’ve looked into? Here’s a list of the solutions I’ve compiled so far, and I’d love it if you could add to it anything that you’re aware of.

    Thanks
    Rob

  2. Administrator
    Posted July 15, 2005 at 6:04 pm | Permalink

    That’s a pretty good list. I don’t claim to be any sort of expert on the subject, but I’ve read up a little. Here are some thoughts on a few items from your list:

    Pubcookie: works fairly well for a small set of sites. We implemented it at my alma mater for all the many web services available, it’s still dependent (I think) on a centralized server, no good for “the whole web”
    LDAP: Would be a great backend for an identity server, but by itself I’m afraid it would not be simple enough… would you have to log in as ldap://server.com/cn=Name,dc=server,dc=com, or whatever.
    Identity Commons: it looks like they had the right idea, but 1) I can’t find specs and 2) It looks like their site hasn’t been updated in a year or so.
    OpenSSO: Looks like another one aimed at a smaller set of sites, and not the web at large
    Shibboleth: again, not for web at large
    SourceID: no comment… can’t figure anything out from their site.

    Several of these are based on SAML, which might be a good thing. XML is good, but may be more than is needed for simple identification… it may be good for sharing data between your identity server and some web service. Thoughts?

  3. Posted July 15, 2005 at 6:28 pm | Permalink

    Hashing passwords with a hash function like SHA1 or MD5 before storing will of course achieve exactly the same effect, and can easily be implemented… ‘Distributed authentication’ is not the only solution.

    Problem is, then you are depending on the site author to do The Right Thing. Which apparently wasn’t the case with SFx.

    ~Grauw

  4. Administrator
    Posted July 15, 2005 at 6:36 pm | Permalink

    Grauw, with distributed authentication (with openid, anyway), you don’t have to provide your password to the site author at all, just to your identity server. Then there is no way for all the sites you use to misuse the data (they don’t have it).

    Also, when it’s distributed, you really truly have a single password to worry about… Not just using the same one on every site. If you think your password has been compromised, change it. Once. Not “the password of any accounts where you use the same password.”

  5. David Roussel
    Posted July 16, 2005 at 5:26 pm | Permalink

    Note that Drupal already supports distributed authentication.

    For example look in this thread, http://www.spreadfirefox.com/?q=node/view/16836 search for vwx. See how the guy has logged in with his drupal.org id into the SpreadFirefox.com site.

    Granted it’s not as nice as OpenID, as the password goes through the server. See here for more details http://drupal.org/node/19113

  6. Administrator
    Posted July 16, 2005 at 5:58 pm | Permalink

    David… yes, drupal is a step in the right direction… If that guy used his drupal id on all the drupal sites he used (let’s assume he uses a lot), then a compromised password could be remedied by a single change. However, as you said, you still enter your password on every site, which almost defeats the purpose :)
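
The separation discussed in the post and in comments 4 to 6, as an added sketch (not code from the post, from any commenter, or from OpenID itself): the password reaches only the identity server, and each site receives a signed, single-use assertion. `IdentityServer`, `RelyingSite`, the per-site HMAC key, the PBKDF2 parameters and the example URLs are all assumptions made for illustration.

```python
import hashlib, hmac, json, os

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _sign(key, identity, site, nonce):
    # JSON-encode the fields so their boundaries are unambiguous before MACing.
    msg = json.dumps([identity, site, nonce]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class IdentityServer:
    """Hypothetical identity server: the only party that ever sees the password."""
    def __init__(self):
        self._users = {}  # identity URL -> (salt, derived key)
        self._keys = {}   # site name -> signing key shared with that site

    def register(self, identity, password):
        salt = os.urandom(16)
        self._users[identity] = (salt, _kdf(password, salt))

    def associate(self, site):
        # Assumption: stands in for a real key agreement between site and server.
        return self._keys.setdefault(site, os.urandom(32))

    def login(self, identity, password, site, nonce):
        salt, stored = self._users[identity]
        if not hmac.compare_digest(stored, _kdf(password, salt)):
            return None
        return _sign(self._keys[site], identity, site, nonce)  # one site, one nonce

class RelyingSite:
    """Hypothetical site that accepts the identity and never handles a password."""
    def __init__(self, name, server):
        self.name, self._key = name, server.associate(name)
        self.db = {}          # everything an intruder on this site could read
        self._nonces = set()

    def new_nonce(self):
        self._nonces.add(nonce := os.urandom(8).hex())
        return nonce

    def accept(self, identity, nonce, signature):
        if signature is None or nonce not in self._nonces:
            return False
        self._nonces.discard(nonce)  # single use, so a replayed assertion fails
        if not hmac.compare_digest(_sign(self._key, identity, self.name, nonce), signature):
            return False
        self.db[identity] = self.db.get(identity, 0) + 1  # login count only
        return True
```

A compromise of the site exposes `db` and that site's signing key, which allows forged logins at that one site until the key is rotated, but yields nothing that can be replayed against the identity server or any other site.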
