Skip to page content or Skip to Accesskey List.

Work

Main Page Content

We Need A Different Single Sign On Solution

Posted on 12 Apr 2002

in Commentary & Society

by Matt Liotta (DevilM)

Rated 3.88 (Ratings: 8)

Want more?

 
Picture of DevilM

Matt Liotta

Member info

User since: 11 Mar 2002

Articles written: 6

I have been talking about what is wrong with single sign-on (SSO) solutions for a while apparently to no avail as more and more vendors role out new solutions based on the same flawed model. This seems to indicate that maybe Microsoft is correct; maybe people do want SSO. That is the ability to login to a single place, but be authenticated at multiple.

Convenient, but is it secure?

Certainly SSO is more convenient, but at what cost? Do you want Microsoft to know every web site you login into? Before answering that, realize that Passport isn’t the only game in town. The liberty alliance started by Sun plans to offer an alternative to Passport. However, the same question comes to mind, do you want Sun or whoever is part of the liberty alliance to know every web site you login into?

And it's not just your privacy at risk, it's your identity as well. Just think, if Passport allows you to log into a single place to identify yourself for all its participating services, then your Passport account is your identity. If someone else breaks into your Passport account, he or she can now access any of the participating services as YOU.

I guess I accepted a long time ago the need to remember multiple usernames and passwords. For me it was never a question of my privacy or my identity, it was simply the way the world worked. Unfortunately, it would appear that too many others want the convenience of a SSO solution. If the technology exists to offer a SSO solution, so that remembering multiple usernames and passwords is outdated, why can’t I have a solution that protects my privacy and my identity?

A Single Sign On Solution?

In the spirit of the geek ethic, let me propose a solution to the problem I have pointed out. It seems to me that I would be less concerned about my privacy and better equipped to protect my identity if the central service I logged onto was on my local machine.

In fact, the OS on my machine, Mac OS X, already has something close called the keychain. It allows me to store multiple usernames and passwords in a local database securely. I am already able to use this keychain to automatically login me into certain web sites that use HTTP authentication.

Unfortunately, most web sites do not use HTTP authentication. Most web sites simply serve an HTML form to their users that contain fields for their username and password. After submitting the form, the user is then given some piece of data to uniquely identify their authenticated session often in the form of a cookie.

Solution Dependencies

Now if someone would publish some sort of specialized API for my keychain and a web site to exchange authentication information than I could have my solution. I would login into my machine and my keychain would take care of logging me into whatever remote services I wanted to use that supported this specialized API I am proposing. These remote services don’t even have to be web sites. I already use my keychain to automatically log me into my various POP3 accounts.

This local keychain solution would seem to solve both of my issues with Passport and the like. It protects my privacy because it is my local machine logging into these remote services not some company’s server acting on my behalf. Further, it protects my identity in that someone would have to log into my local machine in order to access my keychain. And, I feel pretty confident that I can protect my local machine from people who shouldn’t be logging into my machine under my account.

There is one problem with this proposed solution however. If I don’t have access to my local machine than I can’t use the keychain. If I wanted to use my keychain for example on some web terminal at the airport for instance I would be out of luck. A possible answer may be found in Sony’s Memory Stick® technology. What if I stored my keychain on a Memory Stick? I could then take my keychain with me wherever I go maybe even attached to my actual keychain.

Likely there are smarter people than me who can come up with a better solution. However, I have yet to see a published solution that offers the convenience of SSO, while still protecting my privacy and my identity.

Bottom-line: Passport does more harm than good and we need a different SSO solution.

Matt Liotta started his development career at the age of twelve by building C applications for faculty at Emory University. He built his first web page soon after the release of Mosaic 1.0. Excited by early web applications, Matt saw the potential to replace legacy client server applications. At Emory University he built an enterprise calendaring system, the faculty poster project, a Y2K compliance tracking application, and a prototype for an electronic research administration system.

Since then he worked with an early ASP, Cignify, to build their transaction processing system for payroll time data. For this project, Matt created a message queuing system to connect significant bodies of code in C++ and VB with the main application server. He also built a code distribution system for Consumer Financial Networks, as well as the first online account management system for Grizzard Communications. Matt did consulting around San Francisco for companies such as Williams Sonoma and Yipes Communications.

Soon after, he built gMoney's Group Transaction System using an innovative XML messaging architecture for ColdFusion that matches conceptually with the now popular web services paradigm. He also wrote a C++ knapsack algorithm to realize nearly a 20-fold improvement over a similar approach written entirely in CFML. Later at TeamToolz, he designed a highly secure and scalable network architecture for ColdFusion to support N-tier transport agnostic distributed applications. He then went on to implement a cutting-edge content management system for DevX. He is now President & CEO of Montara Software, which he recently founded.

Matt is also a frequent speaker on web architecture:

  • Moving Legacy Applications to the Web (Emory Web Developers Users Group, Atlanta --Feb, 98)
  • The Benefits of Web-based Enterprise Calendaring (Emory Web Developers Users Group, Atlanta -- Aug, 98)
  • Monitoring and Managing Services Remotely Using TAPI (Atlanta Visual Basic Users Group, Atlanta -- Nov, 99)
  • Scalable, Extensible Cold Fusion Architecture (Bay Area ColdFusion Users’ Group, San Francisco; Aug, 00)
  • Scalable, Extensible Cold Fusion Architecture II (CF_Scale Conference, Washington, D.C. -- Nov, 00)
  • Cold Fusion Scalability Panel (CF_Scale Conference, Washington D.C. -- Nov, 00)
  • Introducing CF Espresso (including white paper) (CF_South Conference, Orlando -- Feb, 01)
  • Utilizing Reverse Proxies (Web Services World, San Jose -- Apr, 01)
  • Cold Fusion on Linux (A CF Odyssey Conference, Washington, D.C. -- Jun 01)
  • Architecting Web Services (Web Show 2001, San Francisco -- Sep, 01)
  • Code Techniques in MX Panel (Bay Area ColdFusion Users' Group, San Francisco -- Jul, 02)
  • ColdFusion Cruise, May, 03

The access keys for this page are: ALT (Control on a Mac) plus:

evolt.org Evolt.org is an all-volunteer resource for web developers made up of a discussion list, a browser archive, and member-submitted articles. This article is the property of its author, please do not redistribute or use elsewhere without checking with the author.