Archives


Atom Feed

Associated Blogs
 
Edge City
 
Numbering Peano
 
Praxis101
 
Prof. von Clueless in the Blunder Dome

Recent Items
 
Shared Identity Surprises - How Not To Do Single Sign-On
 
Congratulations ODF, OSI Draft International Standard 26300
 
Weight Loss and the Cravings
 
Party on the 10 island! Aftermath
 
Party on the 10 island!
 
Tom Clancy's Jack Ryan Novels
 
Serious Camp Fu 2.0
 
Happy Birthday, Ted
 
We have a great future behind us
 
DRM as Destroyer of Markets

Shared Identity Surprises - How Not To Do Single Sign-On

Morale-O-Meter.  Boris Mann left an interesting comment at my post on Weight Loss and the Cravings.  Looking at the Morale-O-Meter, I thought it would be useful to track my own caffeine reduction, sleep patterns, and general well-being using that gadget.  It would be something more concrete than the even-more-subjective notes I share with my vitality buddy.  I’m willing to ignore the problem of putting apples, oranges, and morale metrics(?) on the same chart, since my interest is personal and normalized metrics don’t matter to me.  I can handle the need for interpretation — it’s my personal data.  It was something else that stopped me in my tracks.

{tags: Identity Stealthy Sign-On Sign-On Sharing SSO IIW2006 orcmid}

The Morale-O-Meter site (http://morale.erikbenson.com/) accepts my 43 Things (http://www.43things.com/) logon.  What’s with that, and who gave them permission to share my sign-on with a different site?

It is not difficult to determine that Erik Benson is affiliated with the 43 Things team.  But Morale-O-Meter is not offered as a 43 Things service.  I certainly was never aware that my chosen 43 Things sign-on would be shared with other sites.  

I choose unique passwords for different sign-ons, so there is not much that can be compromised here — I am an inactive 43 Things participant.  It’s also the case that if I had been using a 1.5–factor password generator (that uses the site’s domain name plus a secret that never leaves my possession to generate site-specific passwords), I would not know my 43 Things password nor could I reconstruct it for logging onto Erik Benson’s site.  Based on conversations at IIW2006, this technique of generating unique passwords based on a private secret is going to become very popular along with Microsoft InfoCards, Higgins, and other 2.0–fu digital-identity regimes.

It may be that my participation in the just-concluded Internet Identity Workshop 2006 (now IIW2006a) has sensitized me to these situations.  I’d like to think that my inappropriate-use-of-authenticators radar would have screeched either way.  In any case, I decided to dig in and see what I could do to resist this encroachment on an identification that I thought to be strongly localized. 

I pop over to 43 Things to see what I can do to cripple my account.  Surprise, surprise: My last five posts to Flickr are sitting in the sidebar of my profile page.  Holy smokes!  I’ve only used Flickr for less than two weeks and I last used 43 Things so long ago that my Media Center PC (purchased in September) has no cookie for it.  I remember when the 43 Things crew was excited to have created some kind of Flickr association, but I had no reason to pay attention back then.  Now I’m startled that they have matched my Flickr posts to my 43 Things account.

Fortunately, there is a “Close My Account” link on 43 Things, and I just went through the procedure.  I got an “Oops, That Didn’t Work …” page at the end, but my account is indeed closed (that is, I can’t log in any longer and I can’t find my previous user-profile page).  I had to be willing to blow away all of my posts and links on 43 Things.  I also missed the opportunity to see if a 43 Things cookie would have gotten onto Erik Benson’s site without having to re-authenticate.  Too late now.  So be it.

This is not the first time I have been derailed by sign-on sharing.  I use MSDN blogs and sites a great deal, and I am always a little startled when my particulars are remembered on comment forms where I don’t recall ever commenting before.   I figure this is about cookies (with a little Microsoft Passport seasoning) and I don’t mind it, since it is for a narrow usage.

On the other hand, I didn’t realize that different blogging systems also do this.  There, I thought I was creating a weak authenticated identification by registering to an individual blog.  I did not think of myself as creating a shared identification with neither the blog hosting company nor the blogging-software company.  These are cookie-based arrangements too, and I’m willing to accept that convenience since there is no secret involved and it provides consistent identity.  The risk of having my blog visitation and commenting patterns tracked is not of great concern to me in this particular context.

[There are other uses of cookies that I am quite irritated about.  Same technology but different use cases, and I’ll rant about that another time.]