Google has opened up to web developers a technology designed to cut back on the number of passwords users need to access multiple websites, effectively moving the technology into the mainstream after a restricted beta lasting almost a year. Plaxo, Facebook and Yahoo! signed up to support so-called "hybrid onboarding" technology …
Old idea googlefied
You mean like a Windows Live ID or a Microsoft Passport. This idea has been going for yonks.
Microsoft ahead of Google for once?
GMail Spambots Receive New Lease of Life
From the linked google page:
"The website can also mark the email address as verified without having to send a traditional "email verification" link to the user."
In other words, accounts already compromised are given extra freedom with minimal effort from their script kiddie owners.
You know how we're always told to use different passwords for different sites, etc? Doesn't the whole one login thing mean that not only are we using the same password for every site, but also the same user name.
Easier to change I suppose.
You should use different password on different sites to stop one site's compromise giving access to all other sites.
OpenID and equivalents remove the password - the sites no longer have it.
Of course, if your OpenID site is compromised, you're fucked.
Only one password to compromise
So we're now encouraged to have one set of credentials for the whole internet, what fun.
That means that if it's compromised my whole internet life is over. Just go to my OAuth host site, check out my "authorised" sites, then pretend to be me across the whole internet with ease... Then you can sign up for new services for me as well (and not even worry about being slowed down by having to authorise my email address)... then you can use my PayPal (OAuth as well of course...) and spend my money....
Just wait until SuperBankUK gets onboard... then you can get my salary before me... Whoo!
I can't wait!
@ Anonymous Coward #1
Yeah, but unlike MS passport, it probably works. Heck, I stopped using XBox Gold when MS passport wouldn't accept my gmail.com email address. That particular incident was too funny for words.
Compromise one password and you get everything at once!
One password to find them
and in the darkness root* them.
*now now children, I mean in the IT-security sense.
So what's changed?
This is like déjà vu all over again - Microsoft created Wallet/Passport/Live ID for much the same purpose. It's widely used by Microsoft sites, but hasn't really taken off with other sites, probably because other sites don't really trust Microsoft with shared personal data like this.
This system may improve usability (less form filling/fewer emails to confirm email addresses/fewer passwords/usernames to remember) but I cannot see how it will address the security concerns outlined in the article. Indeed, it could even make them worse.
The problem is, as the article noted, passwords. This system doesn't remove the need for a password.
If it is possible to work out someone's weak password, then use the same for other accounts, then this system is even worse.
Not only does it guarantee the user name will always be the same as well as the password (currently, usernames can vary from site to site), it also gives you the chance of trying multiple accounts. One of the screen shots in the 'hybrid onboarding' link shows an example site where you have the choice of using the site's native account, or an OpenID or a YahooID or a Google ID or a ClickPass ID. That's up to 5 chances to get the username/password correct, not just one.
Back to the drawing board, Google! Even Paris would see these flaws!