Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Facebook Security The Internet

Will Facebook Become the Net's SSO? 314

lordDallan writes "Simson Garfinkel at MIT Technology Review muses on the idea of your Facebook account becoming an 'Internet Driver's License', ruminating on the idea of an individual's Facebook login becoming their single sign on for the web. I say NO THANKS!!"
This discussion has been archived. No new comments can be posted.

Will Facebook Become the Net's SSO?

Comments Filter:
  • by Anonymous Coward on Wednesday January 05, 2011 @02:12PM (#34767964)

    My single-site login would be the sound of silence, as I have no Facebook account.

  • by Haven ( 34895 ) on Wednesday January 05, 2011 @02:12PM (#34767968) Homepage Journal

    ...but I kind of do now.

  • by mlts ( 1038732 ) * on Wednesday January 05, 2011 @02:13PM (#34767974)

    If FB becomes the Net's SSO, it better have the following features, or else people are betting their privacy and reputation on something quite unproven:

    1: Ability to have two factor authentication. OpenID isn't perfect, but one can use a VASCO token with it. The cream of the crop would be SecurID tokens. Of course, using SMS or apps on Android/iOS/BlackberryOS/etc. would be useful too.

    2: If a site asks for authentication via FB, a way to ensure that the login page is genuine. PayPal is good at this. I worry about people getting spoofed by a SSL page with a FB login that isn't really from FB proper.

    3: Better password recovery in case tokens get lost/stolen. At the minimum, better questions than "what is your dog's name?" Of course, the answers to these are stored as mentioned in #4 here.

    4: Solid password storage. Crypto 101 here: You never store a password. Ideally, you never store a result value. What you store is some known text encrypted with the password hash (hashed a number of times to slow down brute forcing). TrueCrypt's password mechanism is the best out there.

    5: A third party vetting this security mechanism. This doesn't need to be FIPS compliant (it should be though), but at least have some validation from an independent source that the authentication is done right, the data center is secure, etc.

    6: SSL with all contact throughout the authentication process. This is a basic thing, but for performance reasons, sites don't like using SSL unless forced to.

    7: Ideally, posting the SSL keys on some other source, so one can tell if a CA is spoofing the cert or not.

    8: It's corny, but consider a unique login picture per user that is used at some sites, Yahoo being the most widely used. This way, when you enter your username, if you don't get the picture, you likely got phished.

    9: Store passwords of unlimited length. I've seen too many sites which ignore any characters after the eighth one.

    10: Have the ability to turn off third party logins either temporarily or permanently. For example, if one is going on vacation with no Internet connections, the ability to disable SSO logins until they come back is a solid security measure.

    • Re: (Score:3, Insightful)

      If FB becomes the Net's SSO, it better have the following features, or else people are betting their privacy and reputation on something quite unproven

      So we can pretty much assume that people will sign up for this by the million...

    • by golden age villain ( 1607173 ) on Wednesday January 05, 2011 @02:24PM (#34768134)
      Why the hell would you give a privately owned company, based in a single country, the right to hold Internet users' single login "license"? Why? Even with the all those features you require.
    • by Xugumad ( 39311 )

      Way overcomplicating things...

      Add RSA key generation and X.509 issuing as standard on all browsers. Provide easy tools for copying these keys & certificates around. Present them when connecting to a web site. Bingo, website knows you're the same person that last presented that certificate, in a secure fashion, with no/minimal user interaction required.

      Oh, and the remote site can't fake your credentials from what you sent them.

      • by mlts ( 1038732 ) *

        Client cert security is great in that respect. A website can keep track of the cert ID by itself, and it doesn't really matter what the CA says, wrong cert == no access. Plus, no passwords are ever exchanged, so all a blackhat can do is just grab your public key, and hope for a quantum computing breakthrough.

        The downside of client cert security are two factors: First, one doesn't want to tie all their stuff to one cert, so one needs to have the ability to make multiple certificates. Second, is moving th

    • by BitZtream ( 692029 ) on Wednesday January 05, 2011 @02:30PM (#34768216)

      8: It's corny, but consider a unique login picture per user that is used at some sites, Yahoo being the most widely used. This way, when you enter your username, if you don't get the picture, you likely got phished.

      I wish people would stop thinking this is useful.

      Any phishing site worth its weight in salt will simply pull in your picture from the real site and display it to you.

      I've created example sites to demonstrate this very issue with Bank of America's system which does this.

      The picture is essentially public information since you don't have to actually authenticate in order to see it so anyone can see it and redisplay it too you.

      • In fact, if they spent half the time they did on that idea instead convincing people to use better browsers and pay attention to the address bar and SSL warnings...

      • The correct approach is to not show the user's photo until *after* they have successfully logged in - only then do they confirm that they wish to continue.
    • by rolfwind ( 528248 ) on Wednesday January 05, 2011 @02:32PM (#34768238)

      It won't become the internet's SSO, simply because it requires way too many companies to willingly put way too much power into the hands of a partner that probably does not have their interests at heart. Microsoft already tried a passport years back.

      At best, it will become a secondary feature on some websites, but not a required one.

      I don't even trust OpenID, much less Facebook. Plus, I'm not going to let a host of important accounts be compromised by a single sign in -- it would be fine for forums and the like, but not anything of even moderate importance.

      • Out of curiosity, why don't you trust OpenID? What is there to trust?

    • Erm... nearly all of that can be done with OpenID/OAuth. Why have a single point of failure when we don't have to?

    • by tukang ( 1209392 )

      (hashed a number of times to slow down brute forcing)

      Hashing a password multiple times does absolutely *nothing* to slow down brute forcing. Each brute force attempt still has a 1/2^n chance of succeeding.

    • OpenID allows you to use _any_ auth system, it only depends on the server implementing it.

      8. Won't work. The phisher will use your data to login to the real site, copy the image and show it to you on their page.

      10. if you control you OpenID auth URL (even if you then redirect to another provider using meta tags), that's very easy to accomplish - just take the page/server down.

  • by Anonymous Coward on Wednesday January 05, 2011 @02:13PM (#34767982)
    Getting tired of facebook and the attention whores who live there. Now they want it to be an SSO. Hey let's put all our eggs into a single basket, make everything depend on this single site that we don't actually control that can delete our accounts or pull its content anytime they want. Oooh ooh, and you surrender all control of anything you upload to it as a bonus which you'd know if you actually read its ToS/privacy policies! What could possibly go wrong if we used this as our SSO? Not a damn thing that's what. Proceed. Carry on. When it blows up in your face or an outage proves to you why over-reliance on a single site is a Bad Idea(tm) you'll understand why the rest of us didn't want to.

    There's nothing novel or technically interesting about Facebook. It is not the be-all and end-all of useful tools. It's a way to build a vanity page for people who are too lazy to learn HTML. The appeal to lazy stupid people who hate learning something new is the only reason it became known to the mainstream popular media. That's all it is and ever was. End of fascination. Can we stop trying to find uses for it that have nothing whatsoever to do with its intended purpose? I mean hammers make wonderful paperweights but they're a lot more useful for driving nails.
    • There's nothing novel or technically interesting about Facebook. It is not the be-all and end-all of useful tools. It's a way to build a vanity page for people who are too lazy to learn HTML.

      Hrm... I actually use Facebook as a news aggregating tool. All websites have a FB stream these days and it is an easy way to keep track of game development and patches as I'd rather not frantically hit F5 on some forums everyday to see a dev blog or patch notes that may only happen once a month. Its an easy way to stay

  • by BJ_Covert_Action ( 1499847 ) on Wednesday January 05, 2011 @02:15PM (#34768010) Homepage Journal
    Hehe, and we will look fondly back on the days when we thought having an embarrassing DMV picture on your driver's license was a problem.

    I don't know if we could honestly implement this in any serious way. I know that 90% of what I post to Facebook is little more than crap, lies, and flamebait to prank my friends on the internet. There's nothing like watching one of your good buddies get all worked up over a Youtube video that doesn't really mean anything. Most of my FB contacts are aware of the nature of my profile, and, therefore, take my senseless BS tongue in cheek so it works out okay. If that profile starts being used as some sort of license (to do what exactly, access internet content?) then that license is going to be issued to a person that is fundamentally different in all dealings, social or otherwise, than the person that I am face to face, or, hell for that matter, different than even my Slashdot user account.

    One of my coworkers likes to say that the thing people tend to forget is that the internet isn't real. I would say that goes doubly so for user made pages like Facebook, where you can post whatever you want after a healthy dose of Photoshop, trolled Wikipedia references, and sketchy video editing techniques.
  • by blair1q ( 305137 ) on Wednesday January 05, 2011 @02:18PM (#34768066) Journal

    Microsoft issued me a Passport [passport.net] in about 1995.

    It gets me into everything...that Microsoft controls that links up with it. Which is to say, a lot of stuff I haven't logged into since about 1995.

    • I would have preferred passport a bit more if it weren't so painful to "validate" an address that wasn't hotmail/livemail. Also, you can't change your address or account credentials, which ties me to an account I had for my own company that is no longer in business, for a few things that I still need access to. It's a bit of a pain really. Facebook at least allows you to have different options, and you don't have to put anything on your facebook page other than your email address you used to create the a
  • by TaoPhoenix ( 980487 ) <TaoPhoenix@yahoo.com> on Wednesday January 05, 2011 @02:19PM (#34768078) Journal

    "...whether the Internet needs an "identity layer"—a uniform protocol for authenticating users' identities..."

    Supplied by a top-5 candidate for privacy destruction? So we've had big computing companies battling it out to be the Web Gatekeeper, and they want to go "C-Other-Give it to Facebook" ?!

    • by siddesu ( 698447 )

      Supplied by a top-5 candidate for privacy destruction?

      Naturally. Which respectable, honest and sane company that delivers a product to YOU would build their business model on the concept of letting you build Stasi-like files online for you and your friends with them?

  • by Anonymous Coward on Wednesday January 05, 2011 @02:19PM (#34768080)

    I am posting anonymously because he knows me and I know him

    Simson is brilliant and understands technology well, but he is one of those people for whom you "have to hold the bus" as another article puts it.

    He tends to get too excited about technology and he misses many of the human factor issues.

    For example here he gets all excited about using Facebook as a form of identification, but then he points out that Facebook is very quick to revoke your account. What good is identification if it can be revoked? If it really is "identification" then everyone needs to have it. Hey Simpson, did you forget about that?

    • by PCM2 ( 4486 ) on Wednesday January 05, 2011 @05:49PM (#34770890) Homepage

      Actually, it seems to me that Garfinkel is conflating identification with authentication, when the two are not the same thing.

      As other people have mentioned in this very same thread, it can be very difficult to tell anything about someone based on their Facebook profile. The classic example (with any kind of online forum) is a man masquerading as a woman, to mess with people or for whatever reason. If you can do that -- if it's really easy to do that -- then what you have is not a form of identification. It is a form of authentication -- it gets you logged onto the forum, but it doesn't really say anything about who you really are.

      A driver's license is a form of identification. The government makes you show up, in person, get your photo taken, maybe give them your thumbprint (that's two forms of biometrics, right there), maybe link the database with your Social Security number -- whatever the state has decided is necessary. It's a whole lot different than signing up for a Facebook profile.

      Where Garfinkel is getting confused is that while you do use a driver's license as a form of authentication, that's a separate thing from how you use it as a form of identification. When you show your driver's license to the guy at the door of a bar, the guy doesn't care who you are so long as the license looks valid and it says you're over 21. He's counting on the fact that the government issued you the ID -- the trust component -- to establish that you're of legal drinking age; nothing more. When you're stopped by the police, on the other hand, you absolutely are using that license as a form of identification, because the police will radio it in to make sure you really are who you say you are, and to find out some other things about you, as well.

      Facebook, as it exists today, has an opportunity to provide the authentication feature, but not the identification feature. As such, if your Facebook "ID" is revoked, it doesn't really matter. It's not like getting your passport taken away; you just lose the ability to do that form of authentication. Because nobody wants your use of their site to be governed by Facebook, every site will offer an alternative way to authenticate (username and password, or whatever). If SSO via Facebook seems to be convenient for people, they will offer that, too.

  • Yeah, right. (Score:5, Insightful)

    by Jawnn ( 445279 ) on Wednesday January 05, 2011 @02:21PM (#34768096)
    The entire user-base of the Internet actually includes a significant number of people with clue. They are not going to go for this. So, a SSO for the clueless? Maybe, but nothing approaching the "driver's license" bar for credibility.
  • by Xugumad ( 39311 ) on Wednesday January 05, 2011 @02:24PM (#34768130)

    HELL NO

    NO.

    No, no, no, no, no, NOOOOOOO NO.

    NO!!!!

    I'd argue against this, but it's just such a giant pile of fail I don't know where to start.

    How about this; like hell am I handing Facebook access to every other account I own.

    Did I mention... NO?

    • by TheL0ser ( 1955440 ) on Wednesday January 05, 2011 @02:36PM (#34768300)
      I sense apprehension. But that's ok. You'll grow to love Facebook. Everyone loves Big Br.... I mean, Facebook.
    • I have a very minimal presence on facebook. But I'm about to drop even that, as it seems half the sites I go to regularly have facebook hooks. I need to take another look at NoScript and see how "allow domain" and then removing Facebook from my whitelist works. I don't want facebook tracking me everywhere I go, and if I'm allowing their scripts by default, that's pretty likely.
  • by StillNeedMoreCoffee ( 123989 ) on Wednesday January 05, 2011 @02:26PM (#34768162)

    Did't Microsoft already try this idea, but the other social networking sites have just left them in the dust. This is almost like Microsoft's VM's . When I heard of that I said, yeh we call that time sharing and we had it in the early 70's with Mini Computers. Now that micro processors grew into that power footprint, they re-discovered an old technology. History does repeat itself in a never ending spiral. One hopes not a death one.

    • Did't Microsoft already try this idea, but the other social networking sites have just left them in the dust.

      Yes, but they did it the worst way possible.

      Require a hotmail or MSN account. Require IE and for most of the usable features. Require the site hosting openID to use IIS and .NET stuff.

      Also... It never worked.

  • There is no way it could become a necessity. Way too much moronic invasions of privacy and poorly programmed stuff.

    The idea that it might become in any way necessary is ridiculous.

    That would kind of be like some one deciding that all tolls should now be paid by text messaging. Yeah, a lot of people text while driving, but not those that know what they are doing. You don't empower an idiotic action.

  • Seriously? On what planet do you live in which anyone with even a quarter of a clue would entrust their entire authentication service to Facebook?

    You want single sign on? Its already there. Its called Kerberos, when coupled with a proper DNS setup it provides global SSO, in a secure manner, without handing it all off to one company that everyone has to depend on and everyone gets fucked when they break or get hacked.

    Browsers support Kerberos.

    Many apps (at least the ones where security actually matters) s

  • by Caerdwyn ( 829058 ) on Wednesday January 05, 2011 @02:28PM (#34768184) Journal

    This would be a very bad thing, for so many reasons.

    • One-stop shopping for identity thieves
    • Ubiquitous Facebook tracking bugs associated with login objects which would more-or-less require that browsers accept third-party cookies. You thought Doubleclick was bad? Try putting them INSIDE your login sessions.
    • Zuckerberg holds privacy in contempt. He's said so, many times.
    • Facebook has repeated violated its own privacy policy, and will do so again. Your privacy is guaranteed to be broken with Facebook.
    • Facebook has a poor security record. See previous reference to identity theft.
    • Facebook has made it as difficult as possible to get out. Leaving Scientology is easier.
    • Facebook, as a for-profit company,is incentivized to pimp out your profile to anyone, for any reason, as long as there's a dollar to be made. If their balance sheet starts to look bad, all principles (such few as they already have) will go out the window.

    I created a FaceBook account just to prevent others from doing so with my name, with no intention of using it. I never posted a thing, never "friended" anyone, never engaged in any activity whatsoever. Yet all of a sudden when I visit unrelated sites, I'm being greeted by the Facebook account name in various banners, etc. through Facebook's tracking. Deleting the account was a nightmare. I've had to use AdBlock and other anti-spyware software to block *.facebook.com, and I'm sure that even that is insufficient. Facebook has a profile on me, and you just and simply cannot opt out.

    In absolute seriousness. I'd sooner trust Ballmer or Ellison than Zuckerberg, and I'd rather not have to trust any of them.

    • I saw a video of a talk Ballmer had given about a year ago, that was linked on Slashdot. One of the things he said in there was that he and people of his generation are a lot more reluctant to give their personal information out on line, but that his son has no issue putting whatever out on facebook or twitter. The problem is, Zuckerberg is of Ballmer's son's generation (so am I, although I don't fit the mould) and has no problem asking for people's personal information.

      I think one of the reasons that MS

  • by chemicaldave ( 1776600 ) on Wednesday January 05, 2011 @02:32PM (#34768236)
    I don't know what's worse, having a web SSO service offered by a for-profit, or having one operated by the government.
    • The government's been pretty good with my Driver's License - on the other hand Facebook gave out my email from day one without permission.

    • by Kjella ( 173770 )

      If it was really to be universal SSO that you practically couldn't use the Internet without you can bet the government will have their claws in it so deep, they might as well be running it. So I'd say government run would be better, you'd still have to bend over but at least you're not getting face fucked at the same time.

  • when a site I never visited before gives me a personal welcome.

    NOT.

  • It seems obvious that this is the way Facebook has begun to position itself. It has increasingly encouraged the integration of its features with external websites while simultaneously removing features that allow external sites and applications to integrate with them (boxes and tabs). They already provide an API for sites to use Facebook logins for authentication.

    It's either rather short sighted or an extremely wise move. I'm not as concerned about Facebook as some but personally, I hope it fails.

    • by Dunbal ( 464142 ) *

      Facebook and Zuckerberg have been on a non-stop PR campaign for close to a year now. Co-incidentally this started right after the mass hacking of Facebook, and their unpopular changes to their privacy policy. While being perhaps the second most overrated company today (after Apple), I have to admit that this Zuckerberg guy can muster a pretty decent PR/marketing machine. It's been a year of non-stop Facebook, in the news, in the movies, in magazines and even here on Slashdot. Too bad that buzz like this can

  • I'm sure they dream of it (or will now), along with every other scheme/scam they've dreamed up, but it Ain't Gonna Happen.

    They're riding high right now, on top of a giant bubble. All that means is when it bursts, they have that much farther to fall, taking all their users along with them.

    One would think people would learn to stop putting all their eggs along with everyone else's into one giant basket, but I guess it speaks volumes as to the population of stupid people out there.

    • by Dunbal ( 464142 ) *

      I closed my Facebook account 3 years ago when I found out just how easy it was to hack into people's accounts - because my account got hacked. Honestly any company that has grown to that size and completely ignores security is more trouble than it's worth. I'll leave Facebook to middle aged spinsters and divorcees.

  • Academics (Score:5, Interesting)

    by Dunbal ( 464142 ) * on Wednesday January 05, 2011 @02:42PM (#34768388)

    So some academic at MIT has "re"discovered the Microsoft Passport, huh? Microsoft wanted a piece of that action over 10 years ago. It didn't work. Everything old is new again... to some people anyway.

    • by vux984 ( 928602 )

      Difference is that nobody could get everyone to sign up for a passport. As much as I despise the site, Facebook ALREADY has the critical mass Microsoft couldn't get.

      The trouble with SSO adoption is that most users would arrive at your site, and then need to visit the SSO site to create a login. Granted they'd only need to do this once, for the first SSO site they visit, but its enough of a hassle "right now" for people that it doesn't get rolled out in the first place.

      If you start with a site that has the c

  • by dkleinsc ( 563838 ) on Wednesday January 05, 2011 @02:48PM (#34768490) Homepage

    Seriously.

    It's in the final stages of a social networking site: where the investors, including some big outside investment firms, try to "monetize" the user base by pulling out all the stops with ads, apps, and selling people's personal information. All that needs to happen is some plucky college kid making his own social networking site, just for his friends on campus, as a way to stay away from all the sillyness of Facebook, and Facebook will collapse within a couple of years. Just like MySpace did.

    • No way, Facebook is on top forever because they've changed the way people...uh...hell, I don't know why it is that people think facebook is different from every other come-and-gone website of the moment.

      The dotcom market has seen this same behavior again and again, and everyone seems to get surprised by it every time. People time and again seem to think whatever is popular at the moment is going to be popular forever, even though history and common sense both tell us otherwise.

      In the sage words of Di
  • It's called OpenID, http://www.openid.net./ [www.openid.net] move along, nothing to see here.
    • Hasn't OpenID already flopped from a lack of market demand? Can I login to Amazon with it? How about Google? How about Facebook?
    • by DragonWriter ( 970822 ) on Wednesday January 05, 2011 @03:19PM (#34768996)

      It's called OpenID, http://www.openid.net./ [www.openid.net] [www.openid.net] move along, nothing to see here.

      The problem with OpenID is that, while lots of big sites will let you use your account with that site as an OpenID (acting as OpenID providers), fewer actually accept foreign OpenID for logon.

      Everyone wants their accounts to be the web's single-sign-on, but almost no one big wants to accept sign-ons from elsewhere.

  • by Chas ( 5144 ) on Wednesday January 05, 2011 @03:02PM (#34768724) Homepage Journal

    How about "My Ass!"

    Or "What's dumbshit for "HELL FUCKING NO" you asshole?"

    Or "What kinda goddamn drugs are YOU on?"

    Seriously. What sort of intellectual cripple actually thinks (and I use the term forgivingly) using a known privacy offender and security whipping boy like Facebook as a single-sign-on?

    Fuck Single Sign-On. It's single point of failure.

  • Next question?
    For the record, I do not have a Facebook account.
  • by Haedrian ( 1676506 ) on Wednesday January 05, 2011 @03:22PM (#34769036)

    Using Facebook as a SSO. I can nick someone's session cookie if he's on my same network - and yet we can trust the same company which is there to sell your profile information - with out important logins?

    Right..

  • Really. They can offer this as a service and all the "Internet" that matters to FB-users will use it anyway, safe or not safe.

  • I swear its getting to the point where I think I should roll an alt identity and only access my facebook from my phone.
  • Unless we hit Peak Facebook

Every nonzero finite dimensional inner product space has an orthonormal basis. It makes sense, when you don't think about it.

Working...