Single-Sign on Insanity
by Carla Schroder
OneSign 2.6 costs $15,999 to $24,995 for a box to manage users' passwords. It is not a magic universal box that automagically supports all applications; support must be provided for each one. (And why do businesses continue to be suckers and pay per-user licenses on servers? It makes sense as a support contract, but not for licensing.) Ping Identity wants $13 million to develop a similar product for e-commerce. $13 million?? That's some kind of gold-plated code. Let's look at some of the existing password-management tools.
1. A notebook and pen. Write down your passwords and keep the list in a safe place. Even Bruce Schneier says this is a good idea.
2. Use your Web browser's password manager, and I sure don't mean the malware welcome mat that is Internet Explorer. Mozilla runs on many platforms and has a perfectly good password manager. It can easily be configured to remember your logins, or to selectively not remember some. The whole works is protected by a master password. Konqueror also has an excellent password manager, for you KDE users. Both of them are easy to use, and encrypt the stored logins.
3. Homegrown solutions using F/OSS software. The OneSign is based on SuSE Linux.
I have several shopping and bill-paying accounts set up online, individually. I use Konqueror to manage the logins. Each vendor is its own point of failure: if foo.com gets cracked and customer data exposed, it's only one account. There is no trail leading to my other accounts.
The smell of large money is in the air over this; the vulture capitalists are circling. I know it's idealistic and naive, but wouldn't it be refreshing to see these kinds of resources put into something that puts control in the user's hands? I like the notion of a USB key: easy to lock up or carry with you, and your backup is a paper list safely squirreled away somewhere. Trust a third-party vendor's central repository with my stuff? I don't think so.
What kind of tools exist for users to securely and conveniently manage their own passwords? Why should anyone trust a commercial vendor to do this?
May be a problem that's never solved
Even though it may be a problem that does not actually get solved (as in one standard that all follow), it is a massive problem for developers (myself included). Looks promising, open source and supports 2 of the major players, only M$ missing here. One thing I hope doesn't happen is that M$ win; then we are in real trouble.
what if we can combine PGP-SmartCardChip-FOAF identity ?
The end of this struggling identity and security bazaar