Single Sign-Onto Everything: The Challenge

Author: Clayton Locke

SSO has never really taken off online in the way that people expected, but given many companies’ failure to provide secure authentication it’s time to look again at Single Sign-On.  New secure SSO technology will make managing your web identity safer and easier.

Last month I wrote about computer security’s password problem and the urgent need to move to more secure and more usable methods of authentication.  The old user-id and password method of establishing identity does not get the job done of protecting personal information.  It is too easy to hack, and the current thinking that making the password longer, with upper and lower case letters, numbers and whatever else – is a very poor solution to the problem.

The password problem is part of a much bigger issue with the way that online systems deal with authentication and establishing identity. Think of all of the companies that ask for a password, of all the development teams that are cutting essentially the same code to do a proper authentication check – all working to solve the same problem and coming up with different degrees of success in their solution.

Organisations are routinely reinventing the wheel when it comes to securely authenticating users.  Everyone is doing the same thing, writing the same code, solving the same problem with the same poor solution.  The cost of this redundancy would be difficult to overestimate, there is a major waste and huge variations in quality. Our methods of authentication seem stuck in the dark ages of computing.  Whilst every other aspect of computing is rapidly migrating to the Cloud, authentication isn’t. Why not?

Meanwhile the need for us to operate online with a consistent, accountable identity is increasing apace. Social networks are finally waking up to the damage that anonymous users can do, governments are trying to cut costs by moving critical services online and financial services organisations are looking to digitise and reduce friction wherever they can.

That confluence of issues will not be solved by more of the same.

What’s wrong with authentication?

Studies by Microsoft Research in 2007 and by a NorSIS in 2012 indicate that on average people have to remember passwords for about 25 different systems.

That presents a problem for users. Very few people would memorise 25 different passwords – many people will use just one password or a derivative of that password, for everything.  Given the variety of solutions to authentication, the systems that require all of these passwords will almost certainly process and store those passwords separately and in different ways.

Password handling and storage is implemented and re-implemented across billions of websites and apps with staggering duplication of effort and enormous variations in usability, performance and security.

In 2014 Microsoft Research looked at the current state of website password handling by examining recent breaches at Rockyou, Gawker, Tianya, eHarmony, LinkedIn, Evernote, Adobe and Cupid Media. The passwords that were exposed in these security incidents revealed that only two of those companies were storing passwords correctly.

What makes that so surprising, is that there isn’t really any debate about the right way to do it so it.  We see everything from a clear text storage of passwords, to data encryption — where best practice would tell you that the password should be salted with a long and random set of characters then passed through a computationally expensive one-way hash, preferably in an HSM, before it’s stored.

The fact that best practice is not being adhered to even in well-funded technology companies full of smart people means that the small number of passwords that people actually use to prove their identity can be hacked. One of the 25 companies storing the password will be vulnerable, and once a hacker has cracked that weak company he has the key to everything – and from there he can steal identity.

It’s time to look at single sign-on again

The Internet has driven tremendous centralisation, virtualisation and abstraction of computing and seemingly everything is moving to the Cloud – so why not authentication?

A single sign-on system could improve both usability and security. Users could authenticate once to many systems and focus on a maintaining a single, strong password whilst organisations could lower costs, reduce risk and access the best achievable security.

Both users and organisations would benefit from a system that could be upgraded easily and adapted to meet emerging threats with things like new authentication factors or improved key derivation functions.

In the early 2000s Microsoft tried to market its Microsoft Passport as a single sign-on system for the web. It came along when anti-trust lawsuits and the terrible security record of Internet Explorer and IIS were still fresh in people’s minds and so it never took off.

Facebook and Twitter have emerged as de-facto SSO providers by allowing sites to use their authentication systems.  OpenID is a purpose built single sign-on solution that holds real promise.

Perhaps most significantly we are now seeing the emergence of technologies like FIDO (Fast IDentity Online) that can offer the benefits of Single Sign-on without creating a central repository of highly sensitive data.

The Universal Authentication Framework (from FIDO) is an example of how we can eliminate the redundancy in the overall security code base.  It provides a best-practice method for securely authenticating – why not re-use it?  It represents an important component of a better solution than multiple passwords – but perhaps not the whole solution.  This must also include something we could call Universal Identity Management.  More on this later.

20 Jul 2015

Author: Clayton Locke

SSO has never really taken off online in the way that people expected, but given many companies’ failure to provide secure authentication it’s time to look again at Single Sign-On.  New secure SSO technology will make managing your web identity safer and easier.

Last month I wrote about computer security’s password problem and the urgent need to move to more secure and more usable methods of authentication.  The old user-id and password method of establishing identity does not get the job done of protecting personal information.  It is too easy to hack, and the current thinking that making the password longer, with upper and lower case letters, numbers and whatever else – is a very poor solution to the problem.

The password problem is part of a much bigger issue with the way that online systems deal with authentication and establishing identity. Think of all of the companies that ask for a password, of all the development teams that are cutting essentially the same code to do a proper authentication check – all working to solve the same problem and coming up with different degrees of success in their solution.

Organisations are routinely reinventing the wheel when it comes to securely authenticating users.  Everyone is doing the same thing, writing the same code, solving the same problem with the same poor solution.  The cost of this redundancy would be difficult to overestimate, there is a major waste and huge variations in quality. Our methods of authentication seem stuck in the dark ages of computing.  Whilst every other aspect of computing is rapidly migrating to the Cloud, authentication isn’t. Why not?

Meanwhile the need for us to operate online with a consistent, accountable identity is increasing apace. Social networks are finally waking up to the damage that anonymous users can do, governments are trying to cut costs by moving critical services online and financial services organisations are looking to digitise and reduce friction wherever they can.

That confluence of issues will not be solved by more of the same.

What’s wrong with authentication?

Studies by Microsoft Research in 2007 and by a NorSIS in 2012 indicate that on average people have to remember passwords for about 25 different systems.

That presents a problem for users. Very few people would memorise 25 different passwords – many people will use just one password or a derivative of that password, for everything.  Given the variety of solutions to authentication, the systems that require all of these passwords will almost certainly process and store those passwords separately and in different ways.

Password handling and storage is implemented and re-implemented across billions of websites and apps with staggering duplication of effort and enormous variations in usability, performance and security.

In 2014 Microsoft Research looked at the current state of website password handling by examining recent breaches at Rockyou, Gawker, Tianya, eHarmony, LinkedIn, Evernote, Adobe and Cupid Media. The passwords that were exposed in these security incidents revealed that only two of those companies were storing passwords correctly.

What makes that so surprising, is that there isn’t really any debate about the right way to do it so it.  We see everything from a clear text storage of passwords, to data encryption — where best practice would tell you that the password should be salted with a long and random set of characters then passed through a computationally expensive one-way hash, preferably in an HSM, before it’s stored.

The fact that best practice is not being adhered to even in well-funded technology companies full of smart people means that the small number of passwords that people actually use to prove their identity can be hacked. One of the 25 companies storing the password will be vulnerable, and once a hacker has cracked that weak company he has the key to everything – and from there he can steal identity.

It’s time to look at single sign-on again

The Internet has driven tremendous centralisation, virtualisation and abstraction of computing and seemingly everything is moving to the Cloud – so why not authentication?

A single sign-on system could improve both usability and security. Users could authenticate once to many systems and focus on a maintaining a single, strong password whilst organisations could lower costs, reduce risk and access the best achievable security.

Both users and organisations would benefit from a system that could be upgraded easily and adapted to meet emerging threats with things like new authentication factors or improved key derivation functions.

In the early 2000s Microsoft tried to market its Microsoft Passport as a single sign-on system for the web. It came along when anti-trust lawsuits and the terrible security record of Internet Explorer and IIS were still fresh in people’s minds and so it never took off.

Facebook and Twitter have emerged as de-facto SSO providers by allowing sites to use their authentication systems.  OpenID is a purpose built single sign-on solution that holds real promise.

Perhaps most significantly we are now seeing the emergence of technologies like FIDO (Fast IDentity Online) that can offer the benefits of Single Sign-on without creating a central repository of highly sensitive data.

The Universal Authentication Framework (from FIDO) is an example of how we can eliminate the redundancy in the overall security code base.  It provides a best-practice method for securely authenticating – why not re-use it?  It represents an important component of a better solution than multiple passwords – but perhaps not the whole solution.  This must also include something we could call Universal Identity Management.  More on this later.