5/16/2013
03:30 PM

The Future Of Web Authentication

After years of relying on passwords, technology vendors -- and enterprises -- are ready for new methods of proving user identity.

Federation To Solve Inconvenience Issues

Federation protocols and other single sign-on back-end standards could provide a missing piece to the authentication puzzle. These standards offer the technical framework to let people use a single set of credentials to log in to numerous sites without sharing their login credentials with all those sites.

Leading the way on this front is OAuth, the open standard behind Facebook's third-party single sign-on service, which lets a user log in to a huge number of consumer Internet sites with a Facebook login. It is also the protocol behind similar efforts at Twitter and Yahoo. Strictly speaking, OAuth is an authorization protocol: it delegates access to an API on the user's behalf, and the "log in with" pattern piggybacks identity on that delegated access, which is what OpenID Connect, then still in draft at the OpenID Foundation, set out to standardize.

"The reason we created OAuth was so that you don't give your user name and password to a third party," says Bradley of Ping. If you're logging in by giving an application access to your Twitter account through OAuth, "the third-party site gets a token for accessing that user's authenticated identity but never actually gets your user name and password."

So while federation doesn't solve the problem of strong authentication at the identity provider that performs the initial login (the relying party only consumes the result), it does allow for a much simpler user experience and keeps the user's password away from every site but one. People deal with fewer passwords and are less likely to reuse them. And it also gives you an HTML plane where you could insert a federated identity that depends on a stronger authentication factor, Bradley says.
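The token-for-credentials trade described above, as an added example (not code from the article, from Ping, or from any real provider): a simulated OAuth 2.0 authorization-code flow in Python with an in-memory identity provider and relying party standing in for the HTTP redirects and the back-channel token request. The user name, password, client ID, client secret and redirect URI are constructed sample values. The point to watch is what each side ever holds: only the identity provider sees the password; the relying party ends up with a one-time code, then a bearer token, and it rejects callbacks whose `state` it did not issue or whose code was not minted for its own client ID.

```python
"""Simulated OAuth 2.0 authorization-code flow: an identity provider (IdP) that
holds the user's password and a relying party (RP) that only ever sees a code
and a token. Illustration only; names, secrets and URLs are hypothetical."""
import hmac
import secrets
from hashlib import sha256
from urllib.parse import parse_qs, urlencode, urlparse


class IdentityProvider:
    """The one place the password is checked; issues codes and bearer tokens."""

    def __init__(self):
        # Constructed sample user and registered client; the hash never leaves here.
        self._users = {"alice": sha256(b"correct horse battery").hexdigest()}
        self._clients = {"photo-app": ("s3cret", "https://photo.example/cb")}
        self._codes = {}   # code  -> (user, client_id, redirect_uri)
        self._tokens = {}  # token -> (user, client_id it was issued to)

    def authorize(self, client_id, redirect_uri, state, user, password):
        """Front channel: user logs in *here*; the RP gets only a code + its state."""
        registered = self._clients.get(client_id)
        if registered is None or registered[1] != redirect_uri:
            raise PermissionError("unknown client or unregistered redirect_uri")
        expected = self._users.get(user, "")
        if not hmac.compare_digest(expected, sha256(password).hexdigest()):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user, client_id, redirect_uri)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel: one-shot code -> bearer token, bound to the calling client."""
        entry = self._codes.pop(code, None)  # pop: a code can be exchanged once
        if entry is None:
            raise PermissionError("unknown or already-used code")
        user, issued_to, issued_uri = entry
        registered = self._clients.get(client_id)
        if (registered is None or issued_to != client_id or issued_uri != redirect_uri
                or not hmac.compare_digest(registered[0], client_secret)):
            raise PermissionError("code was not issued to this client")
        tok = secrets.token_urlsafe(24)
        self._tokens[tok] = (user, client_id)
        return tok

    def userinfo(self, token):
        """Returns (user, audience) for a valid bearer token, else None."""
        return self._tokens.get(token)


class RelyingParty:
    """Never sees a password; stores only its own session id -> user mapping."""

    def __init__(self, idp):
        self.idp = idp
        self.client_id, self.client_secret = "photo-app", "s3cret"
        self.redirect_uri = "https://photo.example/cb"
        self._pending = set()  # outstanding state values (per-session in practice)
        self.sessions = {}     # session id -> username

    def start_login(self):
        state = secrets.token_urlsafe(16)
        self._pending.add(state)
        return state

    def callback(self, url):
        q = parse_qs(urlparse(url).query)
        state, code = q["state"][0], q["code"][0]
        if state not in self._pending:  # login-CSRF check: we must have started this
            raise PermissionError("state mismatch")
        self._pending.discard(state)
        tok = self.idp.token(self.client_id, self.client_secret, code, self.redirect_uri)
        user, audience = self.idp.userinfo(tok)
        if audience != self.client_id:  # never trust a token minted for another app
            raise PermissionError("token audience mismatch")
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        return sid


def run_flow():
    """Happy path: returns the user the RP ends up logged in as."""
    idp = IdentityProvider()
    rp = RelyingParty(idp)
    state = rp.start_login()
    # Browser is redirected to the IdP, where the user types the password.
    redirect = idp.authorize("photo-app", rp.redirect_uri, state, "alice", b"correct horse battery")
    return rp.sessions[rp.callback(redirect)]


def replay_is_rejected():
    """A captured callback URL is useless the second time: state and code are one-shot."""
    idp = IdentityProvider()
    rp = RelyingParty(idp)
    redirect = idp.authorize("photo-app", rp.redirect_uri, rp.start_login(), "alice", b"correct horse battery")
    rp.callback(redirect)
    try:
        rp.callback(redirect)
    except PermissionError:
        return True
    return False
```

Two checks carry the security weight here: the relying party refuses a callback whose `state` it did not generate (so an attacker cannot log a victim into the attacker's account by planting a callback URL), and it binds the code exchange and the resulting token to its own client ID and secret, so a token a user granted to some other application cannot be replayed to the relying party as proof of identity. Bearer tokens used as login proof without that audience check are the classic way "log in with X" integrations go wrong.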

Bradley is seeing a movement among the large providers he works with through the OpenID Foundation to start accepting each other's federated logins in order to reduce fraud. Federated credentials let people choose strong credentials through a federated identity provider. This approach could satisfy users who want both strong authentication and the convenience of single sign-on without having to trust a social media provider such as Facebook with even more details about their lives.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

5 of 6
macker490,
User Rank: Ninja
5/21/2013 | 12:41:17 PM
re: The Future Of Web Authentication
"Nobody knows you're a dog."
The other 'Net quip is that the Internet is a fools' paradise.
Perhaps so, but that aside, there are a lot of not-so-nice folks out on the Net, which is why it is essential to remain anonymous unless the connection has a legitimate need for a real ID, such as online shopping.

And NO, advertising sites do not fall in that category.