Orcmid's Lair
Welcome to Orcmid's Lair, the playground for family connections, pastimes, and scholarly vocation -- the collected professional and recreational work of Dennis E. Hamilton
2006-05-09

Shared Identity Surprises - How Not To Do Single Sign-On

Morale-O-Meter.  Boris Mann left an interesting comment at my post on Weight Loss and the Cravings.  Looking at the Morale-O-Meter, I thought it would be useful to track my own caffeine reduction, sleep patterns, and general well-being using that gadget.  It would be something more concrete than the even-more-subjective notes I share with my vitality buddy.  I’m willing to ignore the problem of putting apples, oranges, and morale metrics(?) on the same chart, since my interest is personal and normalized metrics don’t matter to me.  I can handle the need for interpretation — it’s my personal data.  It was something else that stopped me in my tracks.

{tags: Identity Stealthy Sign-On Sign-On Sharing SSO IIW2006 orcmid}

The Morale-O-Meter site (http://morale.erikbenson.com/) accepts my 43 Things (http://www.43things.com/) logon.  What’s with that, and who gave them permission to share my sign-on with a different site?

It is not difficult to determine that Erik Benson is affiliated with the 43 Things team.  But Morale-O-Meter is not offered as a 43 Things service.  I certainly was never aware that my chosen 43 Things sign-on would be shared with other sites.  

I choose unique passwords for different sign-ons, so there is not much that can be compromised here — I am an inactive 43 Things participant.  It’s also the case that if I had been using a 1.5-factor password generator (that uses the site’s domain name plus a secret that never leaves my possession to generate site-specific passwords), I would not know my 43 Things password nor could I reconstruct it for logging onto Erik Benson’s site.  Based on conversations at IIW2006, this technique of generating unique passwords based on a private secret is going to become very popular along with Microsoft InfoCards, Higgins, and other 2.0-fu digital-identity regimes.
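As an added illustration of the 1.5-factor scheme described above (this is example code, not anything from the original post or from 43 Things): the site password is derived from a master secret plus the site's domain, so the password for 43things.com is simply not the password for erikbenson.com. The "last two host labels" rule for naming a site and the use of HMAC-SHA256 are assumptions made for brevity.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a URL to the site the password is bound to.

    Assumption for this example: the last two host labels identify the
    site (so morale.erikbenson.com -> erikbenson.com, www.43things.com ->
    43things.com). A real generator would consult the public-suffix list.
    """
    host = (urlsplit(url).hostname or url).lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def site_password(master_secret: bytes, url: str, length: int = 20) -> str:
    """Derive a site-specific password from a secret that never leaves the user.

    HMAC-SHA256 over the site key is used here for brevity; a production
    generator would use a slow KDF (PBKDF2, scrypt or Argon2) so that one
    leaked site password gives little help in guessing the master secret.
    """
    tag = hmac.new(master_secret, site_key(url).encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode().rstrip("=")[:length]


if __name__ == "__main__":
    secret = b"correct horse battery staple"  # constructed sample secret
    a = site_password(secret, "http://www.43things.com/signin")
    b = site_password(secret, "http://morale.erikbenson.com/")
    # Same site, any path or scheme: same password. Different site: different password.
    assert a == site_password(secret, "https://43things.com/")
    assert a != b
    print("43things.com  :", a)
    print("erikbenson.com:", b)
```

A login form on one site asking for the other site's password therefore cannot be satisfied by the generator; the user would have to look up a password they never stored.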

It may be that my participation in the just-concluded Internet Identity Workshop 2006 (now IIW2006a) has sensitized me to these situations.  I’d like to think that my inappropriate-use-of-authenticators radar would have screeched either way.  In any case, I decided to dig in and see what I could do to resist this encroachment on an identification that I thought to be strongly localized. 

I pop over to 43 Things to see what I can do to cripple my account.  Surprise, surprise: My last five posts to Flickr are sitting in the sidebar of my profile page.  Holy smokes!  I’ve only used Flickr for less than two weeks and I last used 43 Things so long ago that my Media Center PC (purchased in September) has no cookie for it.  I remember when the 43 Things crew was excited to have created some kind of Flickr association, but I had no reason to pay attention back then.  Now I’m startled that they have matched my Flickr posts to my 43 Things account.

Fortunately, there is a “Close My Account” link on 43 Things, and I just went through the procedure.  I got an “Oops, That Didn’t Work …” page at the end, but my account is indeed closed (that is, I can’t log in any longer and I can’t find my previous user-profile page).  I had to be willing to blow away all of my posts and links on 43 Things.  I also missed the opportunity to see if a 43 Things cookie would have gotten onto Erik Benson’s site without having to re-authenticate.  Too late now.  So be it.

This is not the first time I have been derailed by sign-on sharing.  I use MSDN blogs and sites a great deal, and I am always a little startled when my particulars are remembered on comment forms where I don’t recall ever commenting before.   I figure this is about cookies (with a little Microsoft Passport seasoning) and I don’t mind it, since it is for a narrow usage.

On the other hand, I didn’t realize that different blogging systems also do this.  There, I thought I was creating a weak authenticated identification by registering to an individual blog.  I did not think of myself as creating a shared identification with either the blog hosting company or the blogging-software company.  These are cookie-based arrangements too, and I’m willing to accept that convenience since there is no secret involved and it provides consistent identity.  The risk of having my blog visitation and commenting patterns tracked is not of great concern to me in this particular context.

[There are other uses of cookies that I am quite irritated about.  Same technology but different use cases, and I’ll rant about that another time.]


Comments:

I'm still in the mode of "don't worry, be happy". That is, I'm *glad* that Erik isn't storing my account details somewhere, but rather just making use of existing account credentials.

This will seem spooky to lots of people.

It's not clear to me from your post what you got upset about? Technically, all your data remains with your 43things acct, not on Erik's server.

I'm hoping I didn't stick a fork in Erik's cool little project. Because I think there is where the issue is. A big disclaimer "we're going to use your profile on any of our member sites". It's not quite user centric enough perhaps?

In any case, I think this is a good discussion starter.
Thanks Boris, your comment reminded me that I had failed to check something. I've now reviewed the source code of Erik's page and the problem is that it looks like SSO but it isn't. My 43 Things user ID and Password are posted over a clear connection to a subdirectory of Erik's domain name. I don't need to know more.

Now, I had no idea who I was dealing with on that site (forgetting that I have probably communicated with Erik in the early days of 43 Things which I only figured out by finding and reading Erik's blog), and I have no basis for assuming an existing relationship. Transitivity doesn't work for me in this instance.

This is probably a nice little case study for the Seven Laws of Identity.

I'd prefer to have a unique identification and authentication with Erik, if it is necessary to have password authentication at all.

Instead, I no longer have a 43 Things account. It was long overdue that I do that, and the fact that I couldn't close the account without blowing away all of my 43 Things posts and comments is just one of those things.

I think Erik's project is cool too. It is just the authentication part that scared me off.
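The check described in the reply above, as an added example that is not part of the original thread: a small scanner that parses a page's forms and flags any form with a password field that posts over plain HTTP or to a site other than the one the credential belongs to. The host names and the HTML are constructed placeholders, and the "last two host labels" site rule is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect each <form> with its action attribute and its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("type") or "text", a.get("name") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def site_of(host):
    # Assumption for this example: the last two labels identify the site.
    return ".".join((host or "").lower().split(".")[-2:])


def audit_credential_forms(page_url, html, credential_host):
    """Flag password forms that post in the clear or to a site other than the credential's owner."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not any(kind == "password" for kind, _ in form["fields"]):
            continue
        target = urljoin(page_url, form["action"])  # resolve relative actions
        parts = urlsplit(target)
        findings.append({"target": target,
                         "cleartext": parts.scheme != "https",
                         "third_party": site_of(parts.hostname) != site_of(credential_host)})
    return findings


# Constructed sample: a gadget page on one site asking for another site's login.
SAMPLE_PAGE_URL = "http://gadget.example.net/"
SAMPLE_HTML = ('<form method="post" action="/svc/login">'
               '<input type="text" name="svc_user"><input type="password" name="svc_pass"></form>')
```

Running `audit_credential_forms(SAMPLE_PAGE_URL, SAMPLE_HTML, "accounts.example.com")` reports the one form as both cleartext and third-party, which is exactly the pattern the reply objects to: it looks like single sign-on, but the secret itself is being handed to a different site.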