Risk
5/16/2013
03:30 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

The Future Of Web Authentication

After years of relying on passwords, technology vendors -- and enterprises -- are ready for new methods of proving user identity.

Federation To Solve Inconvenience Issues

Federation protocols and other single sign-on back-end standards could provide a missing piece to the authentication puzzle. These standards offer the technical framework to let people use a single set of credentials to log in to numerous sites without sharing their login credentials with all those sites.

Leading the way on this front is OAuth, the open standard that powers Facebook's third-party single sign-on service that lets a user log in to a huge number of consumer Internet sites using a Facebook login. It's also the protocol behind similar efforts at Twitter and Yahoo.

"The reason we created OAuth was so that you don't give your user name and password to a third party," says Bradley of Ping. If you're logging in by giving an application access to your Twitter account through OAuth, "the third-party site gets a token for accessing that user's authenticated identity but never actually gets your user name and password."

So while it doesn't solve the problem of strong authentication at the relying party that provides the initial authentication, it does allow for a much simpler user experience and shields the user's identity. People deal with fewer passwords and are less likely to reuse them. And it also gives you an HTML plane where you could insert a federated identity that depends on a stronger authentication factor, Bradley says.

Bradley is seeing a movement among the large providers he works with via the Open ID foundation to start accepting each other's federated logins to reduce the amount of fraud. Federated credentials let people choose strong credentials through a federated identity provider. This approach could sidestep concerns of users who want strong authentication and the convenience of a single sign-on process, without having to trust a social media provider such as Facebook with even more details about their lives.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Previous
5 of 6
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
froggywentacourtin
50%
50%
froggywentacourtin,
User Rank: Apprentice
8/8/2014 | 1:16:29 AM
re: The Future Of Web Authentication
 

Macker,

You are so VERY correct.  The last thing I want is some sort of universal identifier that all of these sleazeball companies and government agencies can use to map every aspect of my life.

 

I use separate email/user names and unique highly secure passwords with every site I use.  If slack IT people and less then bright CEOs would get their act together, that would suffice.

 

How did the Russians collect over 1 billion user names and passwords?  SQL injection?  Who dropped the ball there?  Why is SQL injection still possible on any real web site?

 

Once again, they want to punt the problem over to the consumer.  After all, they hate this whole idea of personal privacy, so why not use their ineptness to justify stripping away the last vestiges of it?

TOR won't help much if we all have to have our government issued smart card plugged in to log on.  And of course. no one will EVER figure out a way to compromise the shiny new "solution to everything".

 

Oh well. got to go polish my tinfoil hat...
macker490
50%
50%
macker490,
User Rank: Ninja
5/21/2013 | 12:41:17 PM
re: The Future Of Web Authentication
"nobody knows you're a dog"
the other 'Net quip is that the Internet is a Fools' Paradise
perhaps so, but that aside there are a lot of not so nice folks out on the net. which is why it is essential to remain anonymous unless the connection has a legitimate need for a real ID such as online shopping.

and NO advertising sites do not fall in that category.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.