Can Internet SSO Really Help?
03 Sep 2008

What do Internet Single Sign-On systems really solve? Is all this stir (caused especially by OpenID) good for anything? Let's summarize the benefits and drawbacks:
- Benefit: I do not need to remember many passwords. I just log in once and then any site I visit will recognize me.
- Drawback: My OpenID provider may not be recognized by all relying parties. Even if the situation now is in the naive state where everybody "trusts" everybody, it cannot be sustained. The providers will differentiate. Therefore I will need to maintain several accounts with several identity providers anyway.
- Benefit: It is still better to have several accounts than thousands of them.
- Drawback: Even if I have SSO, I still need to click on a "log me in using OpenID" link on the target site. Therefore the user experience is still the same as having the browser remember the password for me. And the browser still needs to remember my OpenID URL to get a "one click" experience.
- Improvement: This could be improved by some kind of identity provider auto-discovery that logs the user in automatically. However, there are dangers ...
- Drawback: If a website can make my browser log me in automatically, a script running in my browser can do the same thing. The impact of cross-site scripting exploits will get worse. Much worse. If my bank accepted OpenID-based SSO with an option for automatic login, a clever attacker could take all my money and I would not even notice that it happened. Phishing may get to the next level ... maybe we will get "phishing trawlers"?
- Benefit: Some SSO systems may transfer attributes from the identity provider to the relying party. That may be useful. I would not need to always make sure that the billing address remembered by an electronic shop is correct. I would not need to always look up my ZIP code (as I cannot remember it). That can be a real benefit.
My assessment is that Web SSO systems that just do SSO are useless. Absolutely useless. Dangerous even. I think that for this stuff to work reliably and securely, the browser needs to understand the security protocols. The browser needs to present an appropriate user interface, one that cannot be spoofed by a script. And most of all: SSO by itself is a next-to-no benefit for users. Add attributes to that and it may gain some attractiveness.
Do not take this as an endorsement of CardSpace. While CardSpace may solve some of the above issues, it has its own set of problems. But I will keep that for later.