Hi,
I am updating some training course material, and one of the areas I want
to cover is social login / federated identity. (I'm not sure which term
is more appropriate)
The training course is targeted at developers. I want to give them the
knowledge to make decisions like: should we allow social login? what
technologies should we allow? what steps do we need to take to do this
securely? what inherent risks should we be aware of?
Personally, I think that the vast majority of web sites should allow
social login. It's probably not appropriate for online banking, but
pretty much anything else is ok.
I have some knowledge of OpenID and OAuth, but I am struggling to put
together a clear summary of the current state of the industry, and to
make clear recommendations. If someone could point me to some documents
Many thanks,
Paul
--
Pentest - When a tick in the box is not enough
Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)
Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072
Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
My personal thoughts in general and on specific providers
Federated logins can be much stronger. It's not likely that every
site will implement things like two-factor authentication,
anti-phishing mechanisms with images or even "basic" things like SSL.
If a site's login is delegated to an identity provider who does
provide those features (or optionally can provide them) then it might
increase the security of a site.
Facebook (and some other social logins) can send a lot of additional
information like networks of friends, likes, etc. If a site captures
that information (which is optional, but possible) they can
potentially create a very rich profile about a user and potentially
use that to augment the risk profile they might get from other sources
(e.g. a credit check).
I think most banks (or similar organizations) have a strong "not
invented here" mentality and are unlikely to rely on a 3rd party
identity provider, but I really wonder if there's any logic to that. I
think it's probably a knee-jerk reaction that is perpetuated by
industry-wide inertia/stagnation ("nobody else is doing it, we
shouldn't either").
OpenID seems to be falling in popularity, but the concepts it helped
share seem relevant regardless. I only see OpenID on really techy
sites and even those are hiding it or removing it more and more. OAuth
seems to be increasingly popular and I believe that many identity
providers (Facebook, Google) are using OAuth. Mozilla has created a
relatively new system called Persona (formerly BrowserID) which they
are working hard on as a new standard. I haven't seen much use of
BrowserID outside of theoretical implementations. I'm not sure if
they've officially stated this, but it appears that Persona will play
a role in future versions of the Firefox browser tying identity across
many sites to a browser session. Persona's login flow is definitely an
improved UX from OpenID and even OAuth.
Looking forward to hearing others' opinions.
Regards,
Greg
On Mon, Oct 15, 2012 at 4:59 AM, Paul Johnston paul.johnston@pentest.co.uk wrote:
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
Paul
This paper comes to mind:
http://www.doc.ic.ac.uk/~maffeis/csf12.pdf
Colin
----- Original Message -----
From: Paul Johnston [mailto:paul.johnston@pentest.co.uk]
To: websecurity@lists.webappsec.org
Sent: Mon, 15 Oct 2012 11:59:07 +0100
Subject: [WEB SECURITY] Social login / federated identity
https://groups.google.com/forum/?fromgroups#!forum/oauth
http://oauth.net/2/
http://tools.ietf.org/html/rfc5849
http://hueniverse.com/
https://groups.google.com/forum/?fromgroups#!forum/openid
http://wiki.openid.net/
http://openid.net/specs/openid-authentication-2_0.html
http://openid.net/connect/
FYI: OpenID is basically extinct.
On Mon, Oct 15, 2012 at 6:59 AM, Paul Johnston paul.johnston@pentest.co.uk wrote:
--
Thank you,
Darren Bounds
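The OAuth 2.0 links above cover the protocol most social logins are built on, and Paul's question about what steps are needed to do this securely has a concrete answer on the relying-party side: bind every login attempt to the browser session with an unguessable, single-use `state`, register the redirect URI exactly and repeat it on the token request, and never turn a callback into a session until those checks pass. The following is an added example written for this thread, not code from any provider, library or list member; the endpoint URLs, client id, scope name and redirect URI are placeholders, and `SimulatedProvider` is a constructed stand-in for the provider's endpoints so the flow runs offline.

```python
"""Relying-party side of an OAuth 2.0 authorization-code login (RFC 6749, 4.1).

Added example, not code from the thread or from any provider it names. Endpoints,
client id, scope and redirect URI are placeholders; SimulatedProvider stands in
for the provider so the flow runs without network access.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://idp.example/authorize"  # placeholder
CLIENT_ID = "example-client-id"                       # placeholder registration
# Registered with the provider byte-for-byte and repeated on the token request,
# so a code issued for a different redirect target is useless to us.
REDIRECT_URI = "https://rp.example/callback"


class LoginRejected(Exception):
    """Any callback the relying party must not turn into a session."""


def begin_login(session):
    """Mint an unguessable state, bind it to this browser session, build the URL."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "email", "state": state}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def finish_login(session, callback_url, exchange_code):
    """Validate the redirect back from the provider and redeem the code.
    exchange_code(code, redirect_uri) is the back-channel token request made
    with the client secret; it is injected so the example needs no network."""
    expected = session.pop("oauth_state", None)  # one shot: a replayed callback fails
    if expected is None:
        raise LoginRejected("no login in progress for this session")
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise LoginRejected("provider reported: " + query["error"][0])
    # A mismatch means this browser did not start the login that produced the
    # code, i.e. someone else's code is being pushed into this session.
    if not hmac.compare_digest(query.get("state", [""])[0], expected):
        raise LoginRejected("state does not match this session")
    code = query.get("code", [""])[0]
    if not code:
        raise LoginRejected("no authorization code in callback")
    return exchange_code(code, REDIRECT_URI)


class SimulatedProvider:
    """Constructed stand-in for the provider. A real exchange returns an access
    token that is then used for a userinfo call; here both collapse into one."""

    def __init__(self):
        self._codes = {}  # code -> (subject, redirect_uri it was issued for)

    def issue_code(self, subject, redirect_uri):
        code = secrets.token_urlsafe(16)
        self._codes[code] = (subject, redirect_uri)
        return code

    def exchange(self, code, redirect_uri):
        entry = self._codes.pop(code, None)  # codes are single use
        if entry is None or entry[1] != redirect_uri:
            raise LoginRejected("provider rejected the authorization code")
        return {"sub": entry[0]}


def state_from_url(url):
    return parse_qs(urlparse(url).query)["state"][0]


def callback_url(code, state):
    return REDIRECT_URI + "?" + urlencode({"code": code, "state": state})


def demo():
    """Honest login, replayed callback, and a foreign code pushed into the
    session; returns what the relying party decided in each case."""
    provider = SimulatedProvider()
    victim = {}
    state = state_from_url(begin_login(victim))
    code = provider.issue_code("user-123", REDIRECT_URI)
    identity = finish_login(victim, callback_url(code, state), provider.exchange)
    try:  # state was consumed above, so the same callback cannot be replayed
        finish_login(victim, callback_url(code, state), provider.exchange)
        replay_rejected = False
    except LoginRejected:
        replay_rejected = True
    begin_login(victim)  # victim starts a fresh login; a different session's
    other = {}           # code and state then arrive in the victim's session
    other_code = provider.issue_code("other-account", REDIRECT_URI)
    try:
        finish_login(victim, callback_url(other_code, state_from_url(begin_login(other))),
                     provider.exchange)
        foreign_rejected = False
    except LoginRejected:
        foreign_rejected = True
    return {"subject": identity["sub"], "replay_rejected": replay_rejected,
            "foreign_code_rejected": foreign_rejected}


if __name__ == "__main__":
    print(demo())
```

The `state` check is the piece most often left out by hand-rolled clients; without it a code obtained in one browser session can be completed in another, which is why the spec makes the parameter recommended for clients and requires the provider to echo it back unchanged. Real deployments also keep the client secret and the token request strictly server-side; the injected `exchange_code` is where that HTTP POST would go.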
Hi,
Thanks for the links (and the others that responded). I was aware of
most of these, but I'm still struggling to get a high-level summary with
clear recommendations.
I realise there's a lot of opinions about where cross-organisation SSO
is a good idea at all. I don't want to get too far into this, as I won't
be making the decision - rather enabling the course attendees to do
this. (Martin - I'll reply to you by private mail)
The current state of play seems to be that you support specific identity
providers (Facebook, Google, LiveID, etc.) You have to do a bit of work for
each identity provider you want to use - they all have different
interfaces. There are some libraries to help with this (e.g.
django-social-auth) but support across languages is patchy (is there a
Java equivalent?). You typically need to register your app with the
identity provider. So, just making social login work is a fair problem
in itself, never mind the security issues. And there's follow-on issues
like, if someone signs up using their Facebook account, can they later
link their Google account to the same account on your site?
There are some hosted services (JanRain being the best known) that help
with this. I wonder if, considering the patchy state of open source
libraries, the best current advice is to use a commercial service?
I'm not sure how fair the comments that "OpenID is dead" are. There are
some patterns that OpenID supports better than OAuth. For example, an
organisation may have their own OpenID server to give employees an
OpenID identity on the internet. They can use these to sign in to cloud
services used at work. Potentially, you could even have the cloud
service say "users on xyz company must have an OpenID like
http://xyz/..." - and this would resolve a lot of the issues resolving
enterprise access control out in the cloud. I'm not sure if this is a
common pattern right now though?
Then there are technologies like OpenSSO and SAML that seem to be more
aimed at SSO within an organisation. E.g. user signs up for acme corp
account and can then access ticket system, download area, etc. with just
one account. What is the state of the art here?
I think Mozilla Persona is something I can only mention as "be aware of
this, it may get big in future". There are some other offbeat ideas,
such as browser-based SRP, which would (theoretically at least) allow
you to securely use the same password across multiple sites.
Any more input welcomed,
Paul
On 15/10/2012 20:51, Darren Bounds wrote:
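Paul's follow-on question, whether someone who signed up with Facebook can later attach their Google account to the same site account, comes down to how the site's own account store is keyed. The following is an added example written for this thread, not code from django-social-auth, JanRain or any other library mentioned; the provider names and ids are constructed sample values. It keys identities on the pair (provider, provider user id) and treats the e-mail address a provider reports as profile data only, so two providers reporting the same address for different people never get silently merged, an identity already linked elsewhere cannot be linked again, and the last remaining login method cannot be removed.

```python
"""Local account store for a site that accepts more than one social login.

Added example, not code from the thread or from any library it names. Provider
names and ids below are constructed sample values.
"""
from dataclasses import dataclass, field


class LinkError(Exception):
    """Raised when a link or unlink request must be refused."""


@dataclass
class Account:
    account_id: int
    email: str  # profile data only, never a lookup key
    identities: set = field(default_factory=set)  # {(provider, provider_user_id)}


class AccountStore:
    def __init__(self):
        self._accounts = {}     # account_id -> Account
        self._by_identity = {}  # (provider, provider_user_id) -> account_id

    def sign_in(self, provider, provider_user_id, email):
        """Called only after the provider's login flow has completed for this
        identity. A known identity returns its account; an unknown one gets a
        fresh account even if the reported e-mail matches an existing account."""
        key = (provider, provider_user_id)
        if key in self._by_identity:
            return self._accounts[self._by_identity[key]]
        account = Account(len(self._accounts) + 1, email, {key})
        self._accounts[account.account_id] = account
        self._by_identity[key] = account.account_id
        return account

    def link(self, account, provider, provider_user_id):
        """Attach another provider identity to the account the user is signed in
        to. The caller must have just completed that provider's login flow for
        this identity in the same browser session."""
        key = (provider, provider_user_id)
        owner = self._by_identity.get(key)
        if owner is not None and owner != account.account_id:
            raise LinkError("identity is already linked to a different account")
        self._by_identity[key] = account.account_id
        account.identities.add(key)

    def unlink(self, account, provider, provider_user_id):
        """Detach an identity, but never the last one, or the user is locked out."""
        key = (provider, provider_user_id)
        if key not in account.identities:
            raise LinkError("identity is not linked to this account")
        if len(account.identities) == 1:
            raise LinkError("refusing to remove the only remaining login method")
        account.identities.remove(key)
        del self._by_identity[key]


def demo():
    """Sign-up, linking, and the cases that must be refused."""
    store = AccountStore()
    alice = store.sign_in("facebook", "fb-1001", "alice@example.org")  # sign-up
    store.link(alice, "google", "g-2002")                               # while signed in
    same = store.sign_in("google", "g-2002", "alice@example.org")       # later login
    # Another person's provider account reporting Alice's address is a new account.
    other = store.sign_in("liveid", "ms-3003", "alice@example.org")
    try:
        store.link(other, "google", "g-2002")  # already Alice's
        conflict_refused = False
    except LinkError:
        conflict_refused = True
    try:
        store.unlink(other, "liveid", "ms-3003")  # their only login method
        lockout_refused = False
    except LinkError:
        lockout_refused = True
    store.unlink(alice, "facebook", "fb-1001")  # fine: Google remains
    return {
        "same_account": same.account_id == alice.account_id,
        "separate_account": other.account_id != alice.account_id,
        "conflict_refused": conflict_refused,
        "lockout_refused": lockout_refused,
        "alice_identities": sorted(alice.identities),
    }


if __name__ == "__main__":
    print(demo())
```

The one rule this enforces that libraries sometimes relax is the absence of e-mail-based auto-merge: a site that matches a new provider identity to an existing account by address is only as trustworthy as the weakest provider's address verification. If a product needs that convenience, it belongs in `link`, after the user has authenticated to the existing account, not in `sign_in`.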
The current state of play seems to be that you support specific identity
providers (Facebook, Google, LiveID, etc.) You have to do a bit of work for
each identity provider you want to use - they all have different
interfaces.
This is the "We Are The 900 Pound Gorilla" (do it our way) non-protocol. :-(
Then there are technologies like OpenSSO and SAML that seem to be more
aimed at SSO within an organisation. E.g. user signs up for acme corp
account and can then access ticket system, download area, etc. with just
one account. What is the state of the art here?
SAML can be used for WebSSO within an organization, but its real value
is as a cross-organization protocol for distributed SSO. In a SAML-based
federation, everyone is using a common, standardized protocol, not a
bunch of one-off gimmicks.
(A "federation" isn't just a software construct, it is an organization
that collects information to identify the organizational member
entities. For example "InCommon")
https://developers.google.com/google-apps/sso/saml_reference_implementation
On Tue, Oct 16, 2012 at 1:28 PM, Albert Lunde atlunde@panix.com wrote: