Risk
5/16/2013
03:30 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

The Future Of Web Authentication

After years of relying on passwords, technology vendors -- and enterprises -- are ready for new methods of proving user identity.

Federation To Solve Inconvenience Issues

Federation protocols and other single sign-on back-end standards could provide a missing piece to the authentication puzzle. These standards offer the technical framework to let people use a single set of credentials to log in to numerous sites without sharing their login credentials with all those sites.

Leading the way on this front is OAuth, the open standard that powers Facebook's third-party single sign-on service that lets a user log in to a huge number of consumer Internet sites using a Facebook login. It's also the protocol behind similar efforts at Twitter and Yahoo.

"The reason we created OAuth was so that you don't give your user name and password to a third party," says Bradley of Ping. If you're logging in by giving an application access to your Twitter account through OAuth, "the third-party site gets a token for accessing that user's authenticated identity but never actually gets your user name and password."

So while it doesn't solve the problem of strong authentication at the relying party that provides the initial authentication, it does allow for a much simpler user experience and shields the user's identity. People deal with fewer passwords and are less likely to reuse them. And it also gives you an HTML plane where you could insert a federated identity that depends on a stronger authentication factor, Bradley says.

Bradley is seeing a movement among the large providers he works with via the Open ID foundation to start accepting each other's federated logins to reduce the amount of fraud. Federated credentials let people choose strong credentials through a federated identity provider. This approach could sidestep concerns of users who want strong authentication and the convenience of a single sign-on process, without having to trust a social media provider such as Facebook with even more details about their lives.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Previous
5 of 6
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
froggywentacourtin
50%
50%
froggywentacourtin,
User Rank: Apprentice
8/8/2014 | 1:16:29 AM
re: The Future Of Web Authentication
 

Macker,

You are so VERY correct.  The last thing I want is some sort of universal identifier that all of these sleazeball companies and government agencies can use to map every aspect of my life.

 

I use separate email/user names and unique highly secure passwords with every site I use.  If slack IT people and less then bright CEOs would get their act together, that would suffice.

 

How did the Russians collect over 1 billion user names and passwords?  SQL injection?  Who dropped the ball there?  Why is SQL injection still possible on any real web site?

 

Once again, they want to punt the problem over to the consumer.  After all, they hate this whole idea of personal privacy, so why not use their ineptness to justify stripping away the last vestiges of it?

TOR won't help much if we all have to have our government issued smart card plugged in to log on.  And of course. no one will EVER figure out a way to compromise the shiny new "solution to everything".

 

Oh well. got to go polish my tinfoil hat...
macker490
50%
50%
macker490,
User Rank: Ninja
5/21/2013 | 12:41:17 PM
re: The Future Of Web Authentication
"nobody knows you're a dog"
the other 'Net quip is that the Internet is a Fools' Paradise
perhaps so, but that aside there are a lot of not so nice folks out on the net. which is why it is essential to remain anonymous unless the connection has a legitimate need for a real ID such as online shopping.

and NO advertising sites do not fall in that category.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2010-5110
Published: 2014-08-29
DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF file.

CVE-2012-1503
Published: 2014-08-29
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.

CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

CVE-2014-0600
Published: 2014-08-29
FileUploadServlet in the Administration service in Novell GroupWise 2014 before SP1 allows remote attackers to read or write to arbitrary files via the poLibMaintenanceFileSave parameter, aka ZDI-CAN-2287.

CVE-2014-0888
Published: 2014-08-29
IBM Worklight Foundation 5.x and 6.x before 6.2.0.0, as used in Worklight and Mobile Foundation, allows remote authenticated users to bypass the application-authenticity feature via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.