OpenID is a single sign-on system in use today and gaining popularity. Of course users should take care not to get phished, as you can read here. I don't think it's much of a problem...
I've been thinking about sign-on systems for some time. My approach is to reuse existing systems like email for authentication purposes. This is already widely used to confirm signups: you all know those confirmation mails containing a special link to click to confirm that you signed up. Given that you have an email application available, it is very easy to provide single sign-on this way. Of course phishing is also an issue here, but it could be addressed, for example, with PGP-signed messages (which requires support in the email application).
When you want to design a sign-on system, there are many things to consider, for example whether the user is on a machine that belongs to him or her. If I use my own computer to log in to a page, I could use client certificates for SSL authentication. I think most browsers support this, but no user knows about it, and I think there are no web applications that make use of it. Yet it would be the most secure and best solution: you would see the server's certificates and have to trust them, and it would automatically imply that all traffic is encrypted.
But what if you want to sign in from an untrusted computer, e.g. in an internet cafe? First, you will not have your certificate with you; second, the computer could be compromised (key-logger etc.). So you would not want to type in a password anyway, unless that password can only ever be used once, like those "passwords" you know from the TAN list for online banking. One-time passwords can, for example, be used to log in to a FreeBSD system.
So if logging in from an untrusted computer is to be supported, a sign-in system should also give the ability to use a one-time password.
In short, I'd suggest:
- For your home computer: transparent authentication using a client-side certificate + client-side master keyword
- Trusted computer with email access: email-based authentication
- Untrusted computers: one-time passwords
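As an added illustration of the email-based and one-time-password cases above (my own example code, not something from the post), here is the server side of both: a mailed login link that is single-use and short-lived, and a TAN-style list where the server keeps only keyed hashes and each entry is spent once. Class names, the 15-minute link lifetime and the 6-digit TAN format are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time


class EmailLoginLinks:
    """Email-based sign-on: the server mails a single-use, short-lived token
    (embedded in a confirmation link). Only its hash is stored, so a leaked
    table does not hand out still-valid links."""

    def __init__(self, ttl=900):  # assumed lifetime: 15 minutes
        self.ttl = ttl
        self.pending = {}  # sha256(token) -> (email, expiry)

    def issue(self, email, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.pending[key] = (email, now + self.ttl)
        return token  # goes into the mailed link, e.g. ?t=<token>

    def redeem(self, token, now=None):
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)  # pop: a link works exactly once
        if entry is None:
            return None  # unknown token, or a replay of an already-used link
        email, expiry = entry
        return email if now <= expiry else None  # stale links are rejected


class OneTimePasswordList:
    """TAN-style list for untrusted machines: the user keeps the printed
    list, the server keeps only keyed hashes, and each entry works once."""

    def __init__(self, count=10):
        self.salt = secrets.token_bytes(16)
        # Plaintext exists only long enough to hand it to the user (constructed format).
        self.plaintext = [f"{secrets.randbelow(10**6):06d}" for _ in range(count)]
        self.remaining = {self._digest(p) for p in self.plaintext}

    def _digest(self, otp):
        return hmac.new(self.salt, otp.encode(), hashlib.sha256).digest()

    def check(self, otp):
        digest = self._digest(otp)
        if digest not in self.remaining:
            return False  # wrong, or already spent (e.g. replayed by a key-logger)
        self.remaining.remove(digest)
        return True
```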