[WEB SECURITY] Social login / federated identity
evan.larsen at gmail.com
Fri Feb 22 18:00:17 EST 2013
IMO this breach of their SSO is Facebook's implementation of OAuth.
SSO using WS-Federation is a true SSO solution for an enterprise.
I wouldn't expect a bank to use OAuth to secure their services, but
WS-Federation definitely could.
On Fri, Feb 22, 2013 at 3:35 AM, Martin O'Neal
<martin.oneal at corsaire.com> wrote:
> "I told you so", just doesn't seem to do it justice...
> -----Original Message-----
> From: websecurity [mailto:websecurity-bounces at lists.webappsec.org] On
> Behalf Of Martin O'Neal
> Sent: 16 October 2012 11:01
> To: Paul Johnston
> Cc: websecurity at lists.webappsec.org
> Subject: Re: [WEB SECURITY] Social login / federated identity
>> I think this is a complete misunderstanding on your part
> No, but it is a complete assumption on your part. ;)
> SSO within a cluster of services, with a common owner etc., makes perfect
> sense. Who wants to have multiple accounts across a number of products
> with a single vendor, for example? (you know who you are!)
> SSO across dissimilar platforms, different vendors etc. simply trades
> convenience for your security and privacy.
> In a perfect world, your SSO provider would be entirely independent,
> host all their auth in a bullet-proof system, and for the price of a few
> API calls, life would be peachy. As it is though, it's not. Facebook for
> example have their own problems in keeping their auth data secure, so
> tying yourself into their systems adds a whole world of additional risk
> to your site. And in the event of it all going pear-shaped, there isn't
> a lot you can do to fix the situation, without exiting the SSO.