[WEB SECURITY] Social login / federated identity

Evan Larsen evan.larsen at gmail.com
Sun Feb 24 17:59:15 EST 2013


I'm going to have to argue in favor of federated identity, but to be
clear, only for WS-Federation.

Personally I think OAuth and OpenID are good for situations where you
don't need top-notch security, and there are many scenarios where this is
valid, like blogs that need authentication to leave a comment or
maybe some picture-sharing service, because it's non-critical
information.

I don't think it's fair to say SSO is bad, because that means you're
rolling WS-Federation in with OAuth and OpenID, and the implementations
are much different. WS-Federation is more secure than the former.

Federated identity, using WS-Federation, is good in enterprises
because it takes the responsibility of handling authentication out of
every single application and centralizes it. It frees individual
developers from the challenge of having to understand how to
implement authentication.



On Sun, Feb 24, 2013 at 5:02 PM, Martin O'Neal
<martin.oneal at corsaire.com> wrote:
>
> Haha, what is it you do for a living? Because you're not getting this
> security stuff. ;)
>
>> By the same argument, Firefox has had a security vulnerability
>
> No no no. And no. All software has flaws. It's a given. Stupid argument.
>
>
> This is a fundamental choice of paradigm, not product selection. It's
> the equivalent of the difference between client-side or server-side data
> storage.
>
>
>> Yes, you did "tell me so", but I don't much care for your
>> negative opinion.
>
> Yes officer, I could see the stop sign but I didn't much care for its
> negative connotations. ;)
>
>
>> I think using social login is a prudent risk for most
>> websites - not online banking, sure, but most websites.
>
> Obviously I disagree.
>
> The logic of it is this; if you don't care, then you don't need to
> authenticate at all. If you do care, then do it properly.
>
> Most frameworks have it built in. Clickity-click. Oh look.
> Authentication enabled. No exposure to a third-party.
>
> And in case you haven't worked it out, social logins like Facebook
> aren't there to increase your security. They're there to profile your
> internet usage, so that they can analyse you even when you're not using
> their own site, and then they can sell you on to their real customers.
> What possible reason would you have to recommend helping such a thing?
>
>
> Martin...
>
>
> _______________________________________________
> The Web Security Mailing List
>
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
