[OSM-dev] User authentication/Single sign on
David Earl
david at frankieandshadow.com
Sun Nov 30 13:45:39 GMT 2008
On 30/11/2008 13:21, Sven Anders wrote:
> On Saturday, 29 November 2008 17:21, David Earl wrote:
>> (b) that it was incredibly slow. ...
>
> Can you say it in seconds not in words?
> "especially slow" is very different from user to user.
It's hard to quantify it because it varies depending on provider. (Last
night it was "infinity" as my provider was down, which locked me out of
my own website!).
But it can be 30-60 seconds before you get to the point of being able to
enter your password, which compared with 0 if the box for the password
is in front of you for a conventional login is a very long time.
Emailtoid seems to take up to an hour to send the verification email.
>> OpenID is a nice idea, but the advantage of a cross site login is lost
>> in the overhead of using it in my experience.
>
> I use OpenID everywhere I can; it is no overhead for me, but a good
> way not to have to know so many passwords.
I use PasswordSafe for this.
>> The biggest criticism of openID is the vulnerability of users to
>> identity theft: a user can be phished by an unscrupulous site into
>> entering their login details at a site which looks like their openID
>> provider but isn't, and therefore lose their password - which of course
>> gives the intruder access to not one but a wealth of sites used by the
>> victim.
>
> But if it isn't, there will be another URL displayed in the browser window.
Not necessarily. And people who get fooled don't know what they are
looking at in the address bar - it is gibberish as far as they are
concerned. It's naive users who need the protection not people like us
who know what we're doing.
> On the other hand,
> * there are plans to implement OpenID in your Operating System.
> * you can use browser TLS certificates to log in to OpenID. This is safer than
> my Online Banking at the moment.
But the people who would get fooled are exactly the people who wouldn't
understand what that means or what to do. They'll just blindly use
Yahoo. So it has to do this by default.
>
>> So on balance I think I'd say don't bother - just re-register with the
>> same name and password at the partner site.
>
> And if one site is hacked, everybody would know your password and can login to
> every site :-(
Of course I wouldn't recommend that in general. But we were talking
about a group of related sites.
> I would like a solution where the user can choose, if he wants to use single
> signon (with overhead) or not (and must register and know passwords on and
> on).
That is indeed a common way of approaching the problem - indeed one of
the first articles referenced on OpenID's developer site is how to do
this (equating multiple OpenID identities with a site login).
But having tried it, I'm not personally prepared to wait up to a minute
for my login to happen so until it becomes a viable solution, I'll stick
with password safe, where I just press a button to get me logged in.
Don't get me wrong, I think it has real potential. But at the moment it
is only at "early adopter" level of usability IMO. No doubt it will
improve. At present the phishing vulnerability makes the heavyweight
encryption and security in the protocol look rather silly - it's like
putting massive locks on your door, but opening it to anyone who knocks.
David
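The "let the user choose" approach discussed in this message (a local password login that can also be reached through one or more OpenID identities equated with the same account) sketched as an added example; this is illustrative code, not from the OSM project or the OpenID site's article, and the class, method names and the simplified identifier normalisation are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    openids: set = field(default_factory=set)   # linked OpenID identifiers


class AccountStore:
    """Local accounts reachable by password OR by any linked OpenID identity
    (hypothetical in-memory model of the 'equating' approach)."""

    def __init__(self):
        self.by_name = {}     # username -> Account
        self.by_openid = {}   # normalised claimed identifier -> username

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def normalise(claimed_id: str) -> str:
        # Simplified (assumed) normalisation so that trivially different
        # spellings of one identifier map to the same account.
        return claimed_id.strip().rstrip("/").lower()

    def register_local(self, username: str, password: str) -> None:
        if username in self.by_name:
            raise ValueError("username taken")
        salt = os.urandom(16)
        self.by_name[username] = Account(username, salt, self._hash(password, salt))

    def login_with_password(self, username: str, password: str):
        acct = self.by_name.get(username)
        if acct is None:
            return None
        # Constant-time compare of the stored hash against the fresh one.
        ok = hmac.compare_digest(acct.pw_hash, self._hash(password, acct.salt))
        return acct.username if ok else None

    def link_openid(self, username: str, verified_claimed_id: str) -> bool:
        # Caller must already have (1) an authenticated local session and
        # (2) a claimed identifier from a VERIFIED OpenID assertion; an
        # identifier already owned by another account is refused.
        key = self.normalise(verified_claimed_id)
        if self.by_openid.get(key, username) != username:
            return False
        self.by_openid[key] = username
        self.by_name[username].openids.add(key)
        return True

    def login_with_openid(self, verified_claimed_id: str):
        # None means "unknown identity": offer registration instead of login.
        return self.by_openid.get(self.normalise(verified_claimed_id))
```

Only identifiers returned by a relying-party library after checking the provider's signature, nonce and return_to should ever reach `link_openid` or `login_with_openid`; the store itself does no OpenID verification.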