websecurity@lists.webappsec.org

The Web Security Mailing List


Re: [WEB SECURITY] Social login / federated identity

Erlend Oftedal
Mon, Oct 15, 2012 9:51 PM

Keep in mind though that OAuth is an authorisation protocol - not an authentication protocol. Which is where OpenID Connect comes in. Not really related to OpenID, but rather a supplement to OAuth to make it usable for authentication as well.

Best regards
Erlend Oftedal

-----Original Message-----
From: Greg Knaddison
Sent: 15.10.2012 22:57
To: Paul Johnston
Cc: websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] Social login / federated identity

My personal thoughts in general and on specific providers

  • Federated logins can be much stronger. It's not likely that every
    site will implement things like two-factor authentication,
    anti-phishing mechanisms with images or even "basic" things like SSL.
    If a site's login is delegated to an identity provider who does
    provide those features (or optionally can provide them) then it might
    increase the security of a site.

  • Facebook (and some other social logins) can send a lot of additional
    information like networks of friends, likes, etc. If a site captures
    that information (which is optional, but possible) they can
    potentially create a very rich profile about a user and potentially
    use that to augment the risk profile they might get from other sources
    (e.g. a credit check).

  • I think most banks (or similar organizations) have a strong "not
    invented here" mentality and are unlikely to rely on a 3rd party
    identity provider, but I really wonder if there's any logic to that. I
    think it's probably a knee-jerk reaction that is perpetuated by
    industry-wide inertia/stagnation ("nobody else is doing it, we
    shouldn't either").

  • OpenID seems to be falling in popularity, but the concepts it helped
    share seem relevant regardless. I only see OpenID on really techy
    sites and even those are hiding it or removing it more and more. OAuth
    seems to be increasingly popular and I believe that many identity
    providers (Facebook, Google) are using OAuth. Mozilla has created a
    relatively new system called Persona (formerly BrowserID) which they
    are working hard on as a new standard. I haven't seen much use of
    BrowserID outside of theoretical implementations. I'm not sure if
    they've officially stated this, but it appears that Persona will play
    a role in future versions of the Firefox browser tying identity across
    many sites to a browser session. Persona's login flow is definitely an
    improved UX from OpenID and even OAuth.

Looking forward to hearing others' opinions.

Regards,
Greg

On Mon, Oct 15, 2012 at 4:59 AM, Paul Johnston
<paul.johnston@pentest.co.uk> wrote:

Hi,

I am updating some training course material, and one of the areas I want
to cover is social login / federated identity. (I'm not sure which term
is more appropriate)

The training course is targeted at developers. I want to give them the
knowledge to make decisions like: should we allow social login? what
technologies should we allow? what steps do we need to take to do this
securely? what inherent risks should we be aware of?

Personally, I think that the vast majority of web sites should allow
social login. It's probably not appropriate for online banking, but
pretty much anything else is ok.

I have some knowledge of OpenID and OAuth, but I am struggling to put
together a clear summary of the current state of the industry, and to
make clear recommendations. If someone could point me to some documents
- or even give an outline here - that would be very helpful.

Many thanks,

Paul

--
Pentest - When a tick in the box is not enough

Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)

Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Darren Bounds
Mon, Oct 15, 2012 9:57 PM

I would add that while OAuth is designed as an authorization proto, it has been implemented (1.0a) by Twitter for authn and authz for a few years now.

Sent from my iPhone

On Oct 15, 2012, at 5:51 PM, Erlend Oftedal <erlend@oftedal.no> wrote:

Keep in mind though that OAuth is an authorisation protocol - not an authentication protocol. Which is where OpenID Connect comes in. Not really related to OpenID, but rather a supplement to OAuth to make it usable for authentication as well.

Best regards
Erlend Oftedal
From: Greg Knaddison
Sent: 15.10.2012 22:57
To: Paul Johnston
Cc: websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] Social login / federated identity

My personal thoughts in general and on specific providers

  • Federated logins can be much stronger. It's not likely that every
    site will implement things like two-factor authentication,
    anti-phishing mechanisms with images or even "basic" things like SSL.
    If a site's login is delegated to an identity provider who does
    provide those features (or optionally can provide them) then it might
    increase the security of a site.

  • Facebook (and some other social logins) can send a lot of additional
    information like networks of friends, likes, etc. If a site captures
    that information (which is optional, but possible) they can
    potentially create a very rich profile about a user and potentially
    use that to augment the risk profile they might get from other sources
    (e.g. a credit check).

  • I think most banks (or similar organizations) have a strong "not
    invented here" mentality and are unlikely to rely on a 3rd party
    identity provider, but I really wonder if there's any logic to that. I
    think it's probably a knee-jerk reaction that is perpetuated by
    industry-wide inertia/stagnation ("nobody else is doing it, we
    shouldn't either").

  • OpenID seems to be falling in popularity, but the concepts it helped
    share seem relevant regardless. I only see OpenID on really techy
    sites and even those are hiding it or removing it more and more. OAuth
    seems to be increasingly popular and I believe that many identity
    providers (Facebook, Google) are using OAuth. Mozilla has created a
    relatively new system called Persona (formerly BrowserID) which they
    are working hard on as a new standard. I haven't seen much use of
    BrowserID outside of theoretical implementations. I'm not sure if
    they've officially stated this, but it appears that Persona will play
    a role in future versions of the Firefox browser tying identity across
    many sites to a browser session. Persona's login flow is definitely an
    improved UX from OpenID and even OAuth.

Looking forward to hearing others' opinions.

Regards,
Greg

On Mon, Oct 15, 2012 at 4:59 AM, Paul Johnston
<paul.johnston@pentest.co.uk> wrote:

Hi,

I am updating some training course material, and one of the areas I want
to cover is social login / federated identity. (I'm not sure which term
is more appropriate)

The training course is targeted at developers. I want to give them the
knowledge to make decisions like: should we allow social login? what
technologies should we allow? what steps do we need to take to do this
securely? what inherent risks should we be aware of?

Personally, I think that the vast majority of web sites should allow
social login. It's probably not appropriate for online banking, but
pretty much anything else is ok.

I have some knowledge of OpenID and OAuth, but I am struggling to put
together a clear summary of the current state of the industry, and to
make clear recommendations. If someone could point me to some documents
- or even give an outline here - that would be very helpful.

Many thanks,

Paul

--
Pentest - When a tick in the box is not enough

Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)

Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK


