31 July 2009

Why Single Sign On Systems Are Bad

Wow, here's a really great article about identity management from, um, er, Microsoft. Actually, it's a rather remarkable Microsoft article, since it contains the following sentences:

On February 14, 2006, Microsoft Chairman Bill Gates declared that passwords would be gone where the dinosaurs rest in three to four years.

But as I write this in March 2009, it is pretty clear that Bill was wrong.

But it's not for that frisson that you should read it; it's for the following insight, which really needs hammering home:

The big challenge with respect to identity is not in designing an identity system that can provide SSO [Single Sign On], even though that is where most of the technical effort is going. It's not even in making the solution smoothly functioning and usable, where, unfortunately, less effort is going. The challenge is that users today have many identities. As I mentioned above, I have well over 100. On a daily basis, I use at least 20 or 25 of those. Perhaps users have too many identities, but I would not consider that a foregone conclusion.

The purist would now say that "SSO can fix that problem." However, I don't think it is a problem. At least it is not the big problem. I like having many identities. Having many identities means I can rest assured that the various services I use cannot correlate my information. I do not have to give my e-mail provider my stock broker identity, nor do I have to give my credit card company the identity I use at my favorite online shopping site. And only I know the identity I use for the photo sharing site. Having multiple identities allows me to keep my life, and my privacy, compartmentalized.

Yes yes yes yes yes. *This* is what the UK government simply does not want to accept: creating a single, all-powerful "proof" of identity is actually exactly the wrong thing to do. Once compromised, it is hugely dangerous. Moreover, it gives too much power to the provider of that infrastructure - which is precisely why the government *loves* it. (Via Ideal Government.)

Follow me @glynmoody on Twitter @glynmoody and identi.ca.


Anonymous said...

There are certainly a host of situations where anonymity should be preferred. But there are also times when it is most appropriate to have a single assured identity for online and offline activities. When dealing with the government or entities heavily regulated by the government, I never want to be mistaken for someone else nor do I want others to be able to pass as someone they are not. We have the technology to construct a system of assured identity based on cryptographic tokens with biometric verification with enough cross checking on the use of these tokens that identity can be fully trusted and any 'compromise' can be quickly corrected. The government is responsible for reliably identifying those who are subject to the authority thereof. Also realize that it is common for politicians to mandate that weaknesses be designed into any implementation that will reduce the level of assurance and trust. But it is better to have identity known to be untrustworthy than to have weak identity with the appearance of being trustworthy.

Several examples where trusted identity would be appropriate: drivers license, taxable accounts, employment, social security, welfare, law enforcement & judicial procedures, property ownership, credit reporting. There should be a legally defined list of entities that can require your government issued ID. Twitter should not be among them.

glyn moody said...

I agree we want all those things, but we need to do it in such a way that the government is unable to build a centralised database tracking our every move - which is precisely what the UK plans to do.

Anonymous said...

Some SSO systems have mechanisms in place to provide for anonymous but still assured access. Check SimpelSAMLphp and eduPersonTargetedID:
This system prevents "user-tracking" and user data correlation.

Also I'm very opposed to biometric data collection and biometric checks. Fingerprint readers work reliably only in Sci-Fi movies and in reality only enable really easy identity theft. You leave your fingerprints on everything you touch.

glyn moody said...

Thanks for the link; pity it's not in English... - I'll take you word for its content.

Peter said...

What do you think about OpenID, then? Isn't it the same kind of SSO systems, with the same dangers? Of course, you can choose which provider you trust, or use your own server. However, in practice the masses will probably go to a few well-known providers, giving them extremely much power. Could there be any third party reliable enough to manage the identities of millions of people?

glyn moody said...

@Peter: you're right, even OpenID, for all its virtues, has the danger that it holds consolidated information about people. I imagine it could be modified to hold that info in a distributed form, whereby no one OpenID provided had access to all of it - a kind of federated approach.