Single-Sign on Insanity

by Carla Schroder

A couple of articles caught my attention, both concerning the Holy Grail of Internet commerce and enterprise computing, single sign-on:

So Many Passwords, So Little Memory

High-stakes venture

OneSign 2.6 costs $15,999 to $24,995 for a box to manage users' passwords. It is not a magic universal box that automagically supports all applications; support must be provided for each one. (And why do businesses continue to be suckers and pay per-user licenses on servers? It makes sense as a support contract, but not for licensing.) Ping Identity wants $13 million to develop a similar product for e-commerce. $13 million?? That's some kind of gold-plated code. Let's look at some of the existing password-management tools.

1. A notebook and pen. Write down your passwords and keep the list in a safe place. Even Bruce Schneier says this is a good idea.

2. Use your Web browser's password manager, and I sure don't mean the malware welcome mat that is Internet Explorer. Mozilla runs on many platforms and has a perfectly good password manager. It can easily be configured to remember your logins, or to selectively not remember some. The whole works is protected by a master password. Konqueror also has an excellent password manager, for you KDE users. Both of them are easy to use, and both encrypt the stored logins.

3. Homegrown solutions using F/OSS software. OneSign itself is based on SuSE Linux.

I have several shopping and bill-paying accounts set up online, individually. I use Konqueror to manage the logins. Each vendor is its own point of failure: if one gets cracked and customer data exposed, it's only one account. There is no trail leading to my other accounts.

The smell of large money is in the air over this; the vulture capitalists are circling. I know it's idealistic and naive, but wouldn't it be refreshing to see these kinds of resources put into something that puts control in the user's hands? I like the notion of a USB key: easy to lock up or carry with you, and your backup is a paper list safely squirreled away somewhere. Trust a third-party vendor's central repository with my stuff? I don't think so.

What kind of tools exist for users to securely and conveniently manage their own passwords? Why should anyone trust a commercial vendor to do this?


2004-11-30 15:30:19
May be a problem that's never solved
Even though it may be a problem that does not actually get solved (as in one standard that all follow), it is a massive problem for developers (myself included). Looks promising, open source and supports 2 of the major players, only M$ missing here. One thing I hope doesn't happen is that M$ win; then we are in real trouble.

In the meantime I use duct tape and cookies things together :)

2004-12-01 03:04:50
Give Internet
What if we can combine PGP-SmartCardChip-FOAF identity?
The end of this struggling identity and security bazaar