[OSM-dev] User authentication/Single sign on

David Earl david at frankieandshadow.com
Sun Nov 30 13:45:39 GMT 2008


On 30/11/2008 13:21, Sven Anders wrote:
> On Saturday, 29 November 2008 17:21, David Earl wrote:
>> (b) that it was incredibly slow. ...
> 
> Can you say it in seconds, not in words?
> "Especially slow" is very different from user to user.

It's hard to quantify it because it varies depending on provider. (Last 
night it was "infinity" as my provider was down, which locked me out of 
my own website!).

But it can be 30-60 seconds before you get to the point of being able to 
enter your password, which compared with 0 (if the box for the password 
is in front of you, as with a conventional login) is a very long time.

Emailtoid seems to take up to an hour to send the verification email.

>> OpenID is a nice idea, but the advantage of a cross site login is lost
>> in the overhead of using it in my experience.
> 
> I use OpenID everywhere I can; for me it is no overhead, but a good 
> way of not having to know so many passwords.

I use PasswordSafe for this.

>> The biggest criticism of openID is the vulnerability of users to
>> identity theft: a user can be phished by an unscrupulous site into
>> entering their login details at a site which looks like their openID
>> provider but isn't, and therefore lose their password - which of course
>> gives the intruder access to not one but a wealth of sites used by the
>> victim.
> 
> But if it isn't, there will be another URL displayed in the browser window.

Not necessarily. And people who get fooled don't know what they are 
looking at in the address bar - it is gibberish as far as they are 
concerned. It's naive users who need the protection not people like us 
who know what we're doing.

> On the other hand, 
> *there are plans to implement OpenID in your operating system. 
> *you can use browser TLS certificates to log in to OpenID. This is safer than 
> my online banking at the moment.

But the people who would get fooled are exactly the people who wouldn't 
understand what that means or what to do. They'll just blindly use 
Yahoo. So it has to do this by default.

> 
>> So on balance I think I'd say don't bother - just re-register with the
>> same name and password at the partner site.
> 
> And if one site is hacked, everybody would know your password and could log in to 
> every site :-(

Of course I wouldn't recommend that in general. But we were talking 
about a group of related sites.

> I would like a solution where the user can choose whether he wants to use single 
> sign-on (with overhead) or not (and must register and remember passwords over and 
> over).

That is indeed a common way of approaching the problem - indeed one of 
the first articles referenced on OpenID's developer site is how to do 
this (equating multiple OpenID identities with a site login).

But having tried it, I'm not personally prepared to wait up to a minute 
for my login to happen, so until it becomes a viable solution I'll stick 
with PasswordSafe, where I just press a button to get me logged in.

Don't get me wrong, I think it has real potential. But at the moment it 
is only at "early adopter" level of usability IMO. No doubt it will 
improve. At present the phishing vulnerability makes the heavyweight 
encryption and security in the protocol look rather silly - it's like 
putting massive locks on your door, but opening it to anyone who knocks.

David
