A quick note, related to my last post, regarding user authentication and identification. The Verge has a piece today about Google joining an industry work group to find a replacement to the password. I looked into FIDO, the group Google joined, and I think my system may be the more robust, secure, and convenient for user authentication and identification than what has currently been proposed, but I'm just one guy. If you are interested you can check out The Verge article, or just check out the link below that links directly to the source.
FIDO (Fast IDentity Online) Alliance
24 April, 2013
17 April, 2013
A Theoretical Single Sign On System
Recently on Google+ I got into a conversation with +Andy Kinsey about Single Sign On (SSO). That got me thinking... If I were to create a "prefect" SSO system what would it entail? Since I'm not a developer --in any way-- all I can do is theorize; but hey that might get the ball rolling.
Note: I started writing what I intended to be this blog post, but two days later I ended up with a five page white paper on a SSO System. Though some may really enjoy reading long form articles, for this post I'll just summarize. Once I've finished the white paper, I'll include a link to it in an update.
Quick glossary entry: Single Sign On (SSO) is an authentication information system that allows multiple separate services share a single credential token. Simply said, one password to rule them all. ;-) Or rather, one username/password combo that can login to multiple sites from different services. SSO can be used in a couple of different ways; one way as I've just mentioned, one login for multiple sites. It can also be used as one session to multiple connected services; such as you login to your computer and now can access your email, corporate intranet, and file server without having to login again. For this article I'll be focusing on the first use, one username/password for multiple sites from different providers.
At the very core, most SSO systems follow the flow chart above. One of the most common SSO system is +OpenID Foundation's OpenID. You can sign up with any Provider, enter various bits of information about yourself, and when you go to a site that supports OpenID, you enter your OpenID username and go. You'll be directed to your Providers verification page where you sign in, and then back to the site you started from but now you are logged in. Though you can prove with this system that you are the owner of the OpenID, by logging in with the Provider, there is no way to prove your real identity. Plus OpenID wont secure your information and communications, they just help you login.
Recently the US Government has put together a government and private sector consortium on creating a SSO system that will provide quick and easy login, like OpenID, but also provide a way to verify identity. With those key points they are getting closer, but still don't provide the complete package.
To have a "perfect" SSO, the system would need: an access mechanism, a way to verify the user's identity, and provide enhanced security. The answer is quite simple: OpenID + multi-factor authentication + PGP.
In my white paper I go in greater detail about how it would all work and what is needed but simply put, if you were to have an OpenID account and one of the things you stored in that account was a PGP encryption public key, and require the user to provide more than a username and password you have the makings of something quite secure.
Just with multi-factor authentication the security level steps up when you require 2 or 3 different authentication factors. Add in an encryption key that can, 1. secure your data, but more importantly 2. allow for a mechanism to prove your identity, and now the system is complete. I'm honestly surprised that no one has done this yet.
OpenID has the access request mechanism down, and a couple of providers have even added one of the other two requirements for a complete solution on top of it, but no one has done all three.
Symantec's Personal Identity Portal is an OpenID provider that couples it with a smartphone authenticator app.
StarCom offers free/low-cost SSL certificates (S/MIME) which can be used to verify identity, and they to are an OpenID provider as well, but they stop there and don't complete the package.
If anyone knows of a solution that does provide the whole package, or a developer who wants to work for free for me to create it (then make royalties after it goes to market) then let me know in the comments.
Note: I started writing what I intended to be this blog post, but two days later I ended up with a five page white paper on a SSO System. Though some may really enjoy reading long form articles, for this post I'll just summarize. Once I've finished the white paper, I'll include a link to it in an update.
Quick glossary entry: Single Sign On (SSO) is an authentication information system that allows multiple separate services share a single credential token. Simply said, one password to rule them all. ;-) Or rather, one username/password combo that can login to multiple sites from different services. SSO can be used in a couple of different ways; one way as I've just mentioned, one login for multiple sites. It can also be used as one session to multiple connected services; such as you login to your computer and now can access your email, corporate intranet, and file server without having to login again. For this article I'll be focusing on the first use, one username/password for multiple sites from different providers.
 |
| SSO authentication flow chart |
At the very core, most SSO systems follow the flow chart above. One of the most common SSO system is +OpenID Foundation's OpenID. You can sign up with any Provider, enter various bits of information about yourself, and when you go to a site that supports OpenID, you enter your OpenID username and go. You'll be directed to your Providers verification page where you sign in, and then back to the site you started from but now you are logged in. Though you can prove with this system that you are the owner of the OpenID, by logging in with the Provider, there is no way to prove your real identity. Plus OpenID wont secure your information and communications, they just help you login.
Recently the US Government has put together a government and private sector consortium on creating a SSO system that will provide quick and easy login, like OpenID, but also provide a way to verify identity. With those key points they are getting closer, but still don't provide the complete package.
To have a "perfect" SSO, the system would need: an access mechanism, a way to verify the user's identity, and provide enhanced security. The answer is quite simple: OpenID + multi-factor authentication + PGP.
In my white paper I go in greater detail about how it would all work and what is needed but simply put, if you were to have an OpenID account and one of the things you stored in that account was a PGP encryption public key, and require the user to provide more than a username and password you have the makings of something quite secure.
Just with multi-factor authentication the security level steps up when you require 2 or 3 different authentication factors. Add in an encryption key that can, 1. secure your data, but more importantly 2. allow for a mechanism to prove your identity, and now the system is complete. I'm honestly surprised that no one has done this yet.
OpenID has the access request mechanism down, and a couple of providers have even added one of the other two requirements for a complete solution on top of it, but no one has done all three.
Symantec's Personal Identity Portal is an OpenID provider that couples it with a smartphone authenticator app.
StarCom offers free/low-cost SSL certificates (S/MIME) which can be used to verify identity, and they to are an OpenID provider as well, but they stop there and don't complete the package.
If anyone knows of a solution that does provide the whole package, or a developer who wants to work for free for me to create it (then make royalties after it goes to market) then let me know in the comments.
Subscribe to:
Posts (Atom)