websecurity@lists.webappsec.org

The Web Security Mailing List

Re: [WEB SECURITY] Social login / federated identity

Martin O'Neal
Mon, Feb 25, 2013 12:14 AM

> I'm going to have to argue in favor of
> federated identity but to be clear only
> for WS-Federation.

This isn't a matter of technology though, you're missing the point.

SSO as a concept is a good one, within the same security domain. Such as
inside a cluster of applications from a single vendor.

However, handing your auth over to facebook isn't the same thing at all.

Martin...

Brian Dunavant
Mon, Feb 25, 2013 10:37 PM

Tangentially related to your argument and interesting reading nonetheless
on how even very large companies can easily get things wrong.

https://blog.duosecurity.com/2013/02/bypassing-googles-two-factor-authentication/

On Sun, Feb 24, 2013 at 7:14 PM, Martin O'Neal <martin.oneal@corsaire.com> wrote:

> > I'm going to have to argue in favor of
> > federated identity but to be clear only
> > for WS-Federation.
>
> This isn't a matter of technology though, you're missing the point.
>
> SSO as a concept is a good one, within the same security domain. Such as
> inside a cluster of applications from a single vendor.
>
> However, handing your auth over to facebook isn't the same thing at all.
>
> Martin...


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
