I stumbled across some CRYPTOCard promotion today and I really thought it was worth a quick post. The concept of single sign-on is a tough one. It really makes sense from a consumer point of view, but it’s bad from a security perspective, although most people don’t really get why. I have a long history with authentication systems, so this is one that is probably worth discussing.
When I attempted to launch a consumer product that enabled single sign-on at one point, the first people we went to talk to were banks. It makes sense: the people who have the most to lose and are willing to sacrifice some usability for security are the people who have to insure your money. So we went and talked with them, and they said that they were unwilling to enable single sign-on because they felt that someone would hack into the back end and steal whatever underlying technology was required to get access to other accounts.
Right sentiment - wrong security hole.
The problem isn’t that the backend is insecure. Even though 70% of hacks are internal, I’m much more concerned about what can be done from the outside. You can mitigate internal risks by proper access controls (the same kind the banks use with vaults with keys in them, blah blah). The problem is really on the front end.
The peril in single sign-on is that the least common denominator dictates a large portion of the security for all members of the authentication network. Sure, you can mitigate certain risks by using session tokens, but anything that would have been protected by a tiered authentication model now disappears. Not a good situation to find yourself in if you are company-b.com.
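To make the "least common denominator" point concrete, here is an added example (my own illustration, not code from the post or from CRYPTOCard) of a toy sign-on network. The identity provider signs a session token that records how the user actually authenticated, and each member site decides whether that is good enough for it. The site names, the `acr` claim, the assurance ordering in `LEVELS` and the `check_acr` switch are all constructed for the example. With `check_acr=False`, company-b.com is the naive member: a password-only login at company-a.com opens the bank. With `check_acr=True`, the bank keeps its own tier by refusing sessions established below its minimum, which is the one thing that brings the tiered model back inside a shared sign-on.

```python
import base64
import hashlib
import hmac
import json
import time

# Authentication strength, weakest to strongest.  Names and ordering are
# constructed for this example, not taken from any standard or from the post.
LEVELS = {"password": 1, "password+otp": 2, "password+hardware": 3}


class IdentityProvider:
    """The shared sign-on service.  It records *how* the user authenticated
    (the "acr" claim) and protects the token with an HMAC so nobody can edit it."""

    def __init__(self, key: bytes):
        self.key = key

    def issue_token(self, user: str, method: str) -> str:
        if method not in LEVELS:
            raise ValueError(f"unknown authentication method: {method}")
        payload = {"sub": user, "acr": method, "iat": int(time.time())}
        body = base64.urlsafe_b64encode(
            json.dumps(payload, sort_keys=True).encode()).decode()
        mac = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{mac}"


def verify_token(key: bytes, token: str) -> dict:
    """Check the HMAC and return the claims; raise on any tampering."""
    body, sep, mac = token.rpartition(".")
    if not sep:
        raise ValueError("malformed token")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body))


class RelyingParty:
    """A member site of the sign-on network (e.g. company-b.com).

    check_acr=False models the naive member: any valid SSO session is
    accepted, so the weakest login anywhere in the network opens this site.
    check_acr=True models the mitigation: the site keeps its own tier by
    refusing sessions that were established below its minimum."""

    def __init__(self, name: str, key: bytes, min_method: str, check_acr: bool):
        self.name = name
        # Shared-secret HMAC for brevity; a real identity provider would sign
        # with a private key and sites would verify with its public key.
        self.key = key
        self.min_method = min_method
        self.check_acr = check_acr

    def accept(self, token: str) -> bool:
        try:
            claims = verify_token(self.key, token)
        except ValueError:
            return False
        if not self.check_acr:
            return True
        return LEVELS[claims["acr"]] >= LEVELS[self.min_method]


def simulate() -> dict:
    """Walk through the scenario from the post and report who lets whom in."""
    key = b"constructed-demo-key-do-not-reuse"
    idp = IdentityProvider(key)

    # company-a.com only asks for a password; company-b.com (the bank) wants a
    # hardware token.  Two views of the bank: naive, and checking the acr claim.
    naive_b = RelyingParty("company-b.com (naive)", key, "password+hardware", check_acr=False)
    strict_b = RelyingParty("company-b.com (checks acr)", key, "password+hardware", check_acr=True)

    weak_session = idp.issue_token("alice", "password")             # signed in at company-a.com
    strong_session = idp.issue_token("alice", "password+hardware")  # signed in at the bank's level

    # Editing the claims to "upgrade" a session breaks the MAC, so it is refused.
    body, _, mac = strong_session.rpartition(".")
    forged = body[:-1] + ("A" if body[-1] != "A" else "B") + "." + mac

    return {
        "naive_b_accepts_weak_login": naive_b.accept(weak_session),
        "strict_b_accepts_weak_login": strict_b.accept(weak_session),
        "strict_b_accepts_strong_login": strict_b.accept(strong_session),
        "strict_b_accepts_forged_token": strict_b.accept(forged),
    }


if __name__ == "__main__":
    for outcome, ok in simulate().items():
        print(f"{outcome}: {ok}")
```

The design choice worth noting is that the session token carries the authentication context rather than just the identity. Without it, company-b.com has no way to tell a password login at company-a.com from a hardware-token login at its own front door, and the weakest member's policy silently becomes the bank's policy.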