Keep in mind though that OAuth is an authorisation protocol - not an authentication protocol, which is where OpenID Connect comes in. Not really related to OpenID, but rather a supplement to OAuth to make it usable for authentication as well.
Best regards
Erlend Oftedal
-----Original Message-----
From: Greg Knaddison
Sent: 15.10.2012 22:57
To: Paul Johnston
Cc: websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] Social login / federated identity
My personal thoughts in general and on specific providers
Federated logins can be much stronger. It's not likely that every
site will implement things like two-factor authentication,
anti-phishing mechanisms with images or even "basic" things like SSL.
If a site's login is delegated to an identity provider who does
provide those features (or optionally can provide them) then it might
increase the security of a site.
Facebook (and some other social logins) can send a lot of additional
information like networks of friends, likes, etc. If a site captures
that information (which is optional, but possible) they can
potentially create a very rich profile about a user and potentially
use that to augment the risk profile they might get from other sources
(e.g. a credit check).
I think most banks (or similar organizations) have a strong "not
invented here" mentality and are unlikely to rely on a 3rd party
identity provider, but I really wonder if there's any logic to that. I
think it's probably a knee-jerk reaction that is perpetuated by
industry-wide inertia/stagnation ("nobody else is doing it, we
shouldn't either").
OpenID seems to be falling in popularity, but the concepts it helped
share seem relevant regardless. I only see OpenID on really techy
sites and even those are hiding it or removing it more and more. OAuth
seems to be increasingly popular and I believe that many identity
providers (Facebook, Google) are using OAuth. Mozilla has created a
relatively new system called Persona (formerly BrowserID) which they
are working hard on as a new standard. I haven't seen much use of
BrowserID outside of theoretical implementations. I'm not sure if
they've officially stated this, but it appears that Persona will play
a role in future versions of the Firefox browser tying identity across
many sites to a browser session. Persona's login flow is definitely an
improved UX from OpenID and even OAuth.
Looking forward to hearing others' opinions.
Regards,
Greg
On Mon, Oct 15, 2012 at 4:59 AM, Paul Johnston
paul.johnston@pentest.co.uk wrote:
Hi,
I am updating some training course material, and one of the areas I want
to cover is social login / federated identity. (I'm not sure which term
is more appropriate)
The training course is targeted at developers. I want to give them the
knowledge to make decisions like: should we allow social login? what
technologies should we allow? what steps do we need to take to do this
securely? what inherent risks should we be aware of?
Personally, I think that the vast majority of web sites should allow
social login. It's probably not appropriate for online banking, but
pretty much anything else is ok.
I have some knowledge of OpenID and OAuth, but I am struggling to put
together a clear summary of the current state of the industry, and to
make clear recommendations. If someone could point me to some documents
Many thanks,
Paul
--
Pentest - When a tick in the box is not enough
Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)
Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072
Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
I would add that while OAuth is designed as an authorization protocol, it has been implemented (1.0a) by Twitter for authn and authz for a few years now.
Sent from my iPhone
On Oct 15, 2012, at 5:51 PM, Erlend Oftedal erlend@oftedal.no wrote:
Keep in mind though that OAuth is an authorisation protocol - not an authentication protocol, which is where OpenID Connect comes in. Not really related to OpenID, but rather a supplement to OAuth to make it usable for authentication as well.
Best regards
Erlend Oftedal
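Added example (not part of the thread, not code from any of the posters): the relying-party side of the distinction Erlend draws above, and of the follow-up about Twitter's OAuth 1.0a login. An OAuth access token tells the provider what its bearer may do; it carries nothing that says which site it was issued to, so a token obtained by one app for a user can be presented to another site that naively treats "has a valid token" as "is this user". OpenID Connect adds the ID token, a signed JWT whose aud, nonce and exp claims the relying party must check. The code below mints and validates such tokens offline. Assumptions: the provider signs with HS256 using a secret shared with the relying party (real providers almost always use RS256 with keys fetched from the discovery document's jwks_uri; the claim checks are identical), the issuer https://idp.example and client IDs my-app / other-app are hypothetical, and every token in login_attempts() is constructed for the demo.

```python
"""Relying-party validation of an OpenID Connect ID token (demo, stdlib only)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption for an offline demo: HS256 with a secret shared between the
# provider and the relying party. Production providers use RS256 + JWKS.
SHARED_SECRET = b"demo-secret-do-not-use"      # constructed, not a real key

ISSUER = "https://idp.example"                  # hypothetical provider
MY_CLIENT = "my-app"                            # hypothetical relying party
NOW = 1350345600                                # fixed clock: 2012-10-16T00:00:00Z


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Mint an HS256 JWT the way the (hypothetical) provider would."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token: str, *, issuer: str, client_id: str, nonce: str,
                      now: Optional[int] = None, secret: bytes = SHARED_SECRET) -> dict:
    """Return the verified claims or raise ValueError.

    Follows the OpenID Connect Core ID token validation rules: signature,
    iss, aud (must name this client), azp if present, exp, and the nonce
    the relying party sent with the authentication request.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm; never let the token's own 'alg' choose the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer %r" % claims.get("iss"))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        # This is the check a bare OAuth access token cannot give you.
        raise ValueError("token not issued for this client (aud=%r)" % aud)
    if "azp" in claims and claims["azp"] != client_id:
        raise ValueError("azp does not match client_id")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if "sub" not in claims:
        raise ValueError("no subject")
    return claims


def login_attempts() -> dict:
    """Constructed scenario: one legitimate login and four tokens that must fail."""
    base = {"iss": ISSUER, "sub": "alice", "exp": NOW + 300, "iat": NOW, "nonce": "n-1"}
    good = make_id_token(dict(base, aud=MY_CLIENT))
    # Same user, same provider, valid signature, but minted for another client.
    other_client = make_id_token(dict(base, aud="other-app"))
    expired = make_id_token(dict(base, aud=MY_CLIENT, exp=NOW - 1))
    replayed = make_id_token(dict(base, aud=MY_CLIENT, nonce="n-0"))   # old session's nonce
    # Attacker rewrites aud on the other-app token but cannot re-sign it.
    h, _, s = other_client.split(".")
    tampered = h + "." + b64url_encode(json.dumps(dict(base, aud=MY_CLIENT)).encode()) + "." + s
    results = {}
    for name, tok in [("good", good), ("other_client", other_client), ("expired", expired),
                      ("replayed_nonce", replayed), ("tampered", tampered)]:
        try:
            results[name] = validate_id_token(tok, issuer=ISSUER, client_id=MY_CLIENT,
                                              nonce="n-1", now=NOW)["sub"]
        except ValueError as err:
            results[name] = "rejected: " + str(err)
    return results


if __name__ == "__main__":
    for name, outcome in login_attempts().items():
        print(name, "->", outcome)
```

The other_client case is the one that separates "authorization" from "authentication": the signature and subject are genuine, the provider really did authenticate alice, yet the token was never meant for this site. A site that accepts any valid provider token as a login, which is what treating plain OAuth as authentication amounts to, has no equivalent check to fail.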