Single Sign On And Security.
Published on: 1177666382 (Unix timestamp, 27 April 2007 UTC)
Single sign-on (SSO) is something many developers use without knowing it by that name. Google is the best-known example: you log in once to your Google account, and that one login gives you access to many separate services. More generally, single sign-on means that one act of authenticating yourself (signing in) unlocks a whole set of resources, instead of each resource asking for credentials of its own.
Authentication has always been a hard problem, offline in the real world as well as online: it is difficult to tell whether you are who you say you are, and harder still to prove it. There are techniques that help. Google, eBay and PayPal, among others, use a payment verification technique: they send a small random amount of money to your bank account, and you then have to log in to their website and type in the exact amount before you can go on. This works well and is a good defence against large-scale fraud. Not foolproof, of course, but hard to fool, because it ties the account to something an attacker cannot easily reach. When you are building an ordinary web application, however, you cannot ask for someone's bank account, so a single sign-on can mean a lot here. The idea is simple: register with the site in order to post comments, get access to certain pages, and so on. In that role it works much like a captcha: it raises the cost of automated abuse rather than proving who you are.
A single sign-on is, in practice, cookie-based authentication: after you sign in, a session cookie is what identifies you on every later request. I always warn against this form of authentication, because the browser attaches that cookie to every request to the site, including requests triggered from a page on another site, which makes it prone to CSRF and related issues. But, and this is always crucial, you have to determine the real threat. If no personal data is kept, cookie-based authentication is a perfectly reasonable choice: it is quick, easy and practical. The real problems arise when the single sign-on grants access to multiple services, as it does at Google. You have only two credentials, and the login name is always your email address. If I know someone, it is easy to find out their email address; I could just ask :) So all I have to guess is their password in order to reach their private data. What can we access once we have only the password?
- Google GMail
- Google Adwords
- Google Adsense (which I showed is vulnerable to CSRF)
- Google Analytics
- Google Spreadsheet
- Google etc.
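The CSRF point made above about cookie-based sessions, as an added example that is not code from the original post: a state-changing handler that trusts the session cookie alone, next to the same handler with a per-session synchronizer token. Everything is an in-memory toy; the host names, the user "alice" and the email-change form are constructed for illustration.

```python
"""Added example (not code from the original post): why a session that lives
only in a cookie is exposed to CSRF, and the synchronizer-token fix.
Everything is an in-memory toy; the host names, user and form fields are
constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict


@dataclass
class Request:
    method: str
    cookies: Dict[str, str]
    form: Dict[str, str]


# Server-side state: session id -> user, session id -> CSRF token, user -> email
SESSIONS: Dict[str, str] = {}
CSRF_TOKENS: Dict[str, str] = {}
EMAIL_ADDRESS: Dict[str, str] = {"alice": "alice@example.org"}


def login(user: str) -> str:
    """Create a session and return the value the browser stores in its cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    CSRF_TOKENS[sid] = secrets.token_urlsafe(32)  # embedded in our own forms only
    return sid


def change_email_vulnerable(req: Request) -> str:
    """Trusts the session cookie alone. The browser attaches that cookie to a
    POST even when the form was served by attacker.example, so this succeeds."""
    user = SESSIONS.get(req.cookies.get("session", ""))
    if req.method != "POST" or user is None:
        return "denied"
    EMAIL_ADDRESS[user] = req.form.get("email", "")
    return "ok"


def change_email_hardened(req: Request) -> str:
    """Also requires the per-session token, which only a page served from our
    own origin could have read (the attacker's page cannot read our HTML)."""
    sid = req.cookies.get("session", "")
    user = SESSIONS.get(sid)
    if req.method != "POST" or user is None:
        return "denied"
    expected = CSRF_TOKENS.get(sid, "")
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token by timing.
    if not supplied or not hmac.compare_digest(expected, supplied):
        return "denied: missing or wrong csrf token"
    EMAIL_ADDRESS[user] = req.form.get("email", "")
    return "ok"


def forged_request(sid: str) -> Request:
    """What the server sees when a logged-in victim loads a page on
    attacker.example containing an auto-submitting form aimed at us:
    our cookie is present, our token is not."""
    return Request("POST", {"session": sid}, {"email": "attacker@evil.example"})


def legitimate_request(sid: str) -> Request:
    """The same POST issued from our own page, which carries the token."""
    return Request("POST", {"session": sid},
                   {"email": "alice.new@example.org",
                    "csrf_token": CSRF_TOKENS[sid]})


def demonstrate() -> Dict[str, str]:
    """Run both handlers against a forged and a legitimate request."""
    sid = login("alice")
    return {
        "vulnerable_forged": change_email_vulnerable(forged_request(sid)),
        "email_after_forgery": EMAIL_ADDRESS["alice"],
        "hardened_forged": change_email_hardened(forged_request(sid)),
        "hardened_legit": change_email_hardened(legitimate_request(sid)),
        "email_at_end": EMAIL_ADDRESS["alice"],
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(name, "->", value)
```

The token only has to be unguessable and unreadable from another origin; it is tied to the session so a token stolen from one session is useless in another. Browsers today add two complementary defences that the toy does not model: the SameSite cookie attribute, which stops the cookie from being sent on cross-site form posts at all, and the Origin header, which the server can check before touching any state.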
One password signs you in to every service in the list above. That is obviously a very weak form of security. People often pick simple passwords because they cannot remember long, complex ones, and published lists of leaked passwords show the same entries at the top year after year; three of the most common are still:
- password
- qwerty
- abc123
If we cannot guess it in three tries, we can find out more about the person and try combinations of that. Or we can just ask :) in a sneaky way: "If you had to choose a password, how would you go about it?" Perhaps they answer: I'd pick seven characters with my pet's name and my birthday in it. Not likely that anyone would say that outright, but who knows.
The point is that one guessed password yields a lot of data, which makes it worth the attacker's time. If every service had its own sign-on, it would not be cost-effective to even try. That a single password, guessed with a fair chance of success, opens half a dozen or more services shows that this security scheme is flawed. It is the same as protecting all your passwords with one password. Okay, who doesn't? Plenty of security researchers keep their passwords in an encrypted store protected by one master password; even Bruce Schneier does, and wrote Password Safe for exactly that purpose. There is one difference worth noting: a master password never leaves your machine and guards a file the attacker first has to steal, whereas a single sign-on password can be guessed online through a login form anyone can reach. Still, a single secret guarding everything is a single point of failure, and that is exactly what a single sign-on hands the attacker.
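The two server-side controls that make the "try the three most common passwords" attack described above fail, as an added example that is not code from the original post: reject passwords on a known-common list at registration, and lock an account after repeated failures. The five-entry password list, the in-memory account store and the addresses are constructed for illustration; a real deployment would load a full leaked-password list.

```python
"""Added example (not code from the original post): two controls against
online guessing of a single sign-on password. The common-password list,
accounts and addresses below are constructed for illustration.
"""
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Tuple

# Constructed short list; in practice load a full leaked-password list.
COMMON_PASSWORDS = {"password", "qwerty", "abc123", "123456", "letmein"}
MIN_LENGTH = 10
MAX_FAILURES = 5            # failed attempts before the account is locked
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts
PBKDF2_ROUNDS = 100_000
DUMMY_SALT = bytes(16)      # used so unknown addresses cost the same time


def is_weak(password: str) -> bool:
    """Reject the passwords an attacker would try first."""
    return len(password) < MIN_LENGTH or password.lower() in COMMON_PASSWORDS


def derive(salt: bytes, password: str) -> bytes:
    """Slow salted hash, so a stolen database is not a list of passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AccountStore:
    """In-memory accounts with salted password hashes and per-account lockout."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self.clock = clock  # injectable so the lockout can be tested without waiting
        self.accounts: Dict[str, Tuple[bytes, bytes]] = {}  # email -> (salt, hash)
        self.failures: Dict[str, Tuple[int, float]] = {}    # email -> (count, window start)

    def register(self, email: str, password: str) -> None:
        if is_weak(password):
            raise ValueError("password is too short or on the common-password list")
        salt = os.urandom(16)
        self.accounts[email] = (salt, derive(salt, password))

    def login(self, email: str, password: str) -> str:
        now = self.clock()
        count, since = self.failures.get(email, (0, now))
        if count >= MAX_FAILURES:
            if now - since < LOCKOUT_SECONDS:
                return "locked"          # refuse even the right password
            count, since = 0, now        # lock expired, start a new window
        record = self.accounts.get(email)
        # Hash even for unknown addresses so response time does not reveal
        # which email addresses have accounts.
        salt, stored = record if record else (DUMMY_SALT, bytes(32))
        ok = record is not None and hmac.compare_digest(derive(salt, password), stored)
        if ok:
            self.failures.pop(email, None)
            return "ok"
        self.failures[email] = (count + 1, since)
        return "bad credentials"


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice@example.org", "correct horse battery staple")
    for guess in ("password", "qwerty", "abc123"):
        print(guess, "->", store.login("alice@example.org", guess))
```

The per-account lock stops the three-guesses attack on one victim, but not password spraying, where the attacker tries "password" once against every address in a list and never trips any single account's counter. A real login endpoint also throttles by source address and alerts on a burst of failures spread across many accounts, and the strongest fix for the concentration of risk the post describes is to require a second factor in addition to the password.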
Security is tough.