I have been talking about what is wrong with single sign-on (SSO) solutions for a while apparently to no avail as more and more vendors role out new solutions based on the same flawed model. This seems to indicate that maybe Microsoft is correct; maybe people do want SSO. That is the ability to login to a single place, but be authenticated at multiple.

Convenient, but is it secure?

Certainly SSO is more convenient, but at what cost? Do you want Microsoft to know every web site you login into? Before answering that, realize that Passport isn’t the only game in town. The liberty alliance started by Sun plans to offer an alternative to Passport. However, the same question comes to mind, do you want Sun or whoever is part of the liberty alliance to know every web site you login into?

And it's not just your privacy at risk, it's your identity as well. Just think, if Passport allows you to log into a single place to identify yourself for all its participating services, then your Passport account is your identity. If someone else breaks into your Passport account, he or she can now access any of the participating services as YOU.

I guess I accepted a long time ago the need to remember multiple usernames and passwords. For me it was never a question of my privacy or my identity, it was simply the way the world worked. Unfortunately, it would appear that too many others want the convenience of a SSO solution. If the technology exists to offer a SSO solution, so that remembering multiple usernames and passwords is outdated, why can’t I have a solution that protects my privacy and my identity?

A Single Sign On Solution?

In the spirit of the geek ethic, let me propose a solution to the problem I have pointed out. It seems to me that I would be less concerned about my privacy and better equipped to protect my identity if the central service I logged onto was on my local machine.

In fact, the OS on my machine, Mac OS X, already has something close called the keychain. It allows me to store multiple usernames and passwords in a local database securely. I am already able to use this keychain to automatically login me into certain web sites that use HTTP authentication.

Unfortunately, most web sites do not use HTTP authentication. Most web sites simply serve an HTML form to their users that contain fields for their username and password. After submitting the form, the user is then given some piece of data to uniquely identify their authenticated session often in the form of a cookie.

Solution Dependencies

Now if someone would publish some sort of specialized API for my keychain and a web site to exchange authentication information than I could have my solution. I would login into my machine and my keychain would take care of logging me into whatever remote services I wanted to use that supported this specialized API I am proposing. These remote services don’t even have to be web sites. I already use my keychain to automatically log me into my various POP3 accounts.

This local keychain solution would seem to solve both of my issues with Passport and the like. It protects my privacy because it is my local machine logging into these remote services not some company’s server acting on my behalf. Further, it protects my identity in that someone would have to log into my local machine in order to access my keychain. And, I feel pretty confident that I can protect my local machine from people who shouldn’t be logging into my machine under my account.

There is one problem with this proposed solution however. If I don’t have access to my local machine than I can’t use the keychain. If I wanted to use my keychain for example on some web terminal at the airport for instance I would be out of luck. A possible answer may be found in Sony’s Memory Stick® technology. What if I stored my keychain on a Memory Stick? I could then take my keychain with me wherever I go maybe even attached to my actual keychain.

Likely there are smarter people than me who can come up with a better solution. However, I have yet to see a published solution that offers the convenience of SSO, while still protecting my privacy and my identity.

Bottom-line: Passport does more harm than good and we need a different SSO solution.