Mozilla links Gmail with Persona for email-based single sign-on

The Mozilla Foundation has unveiled a new Identity Bridge that links its Persona single sign-on technology with Gmail, allowing all Gmail users to log in to Persona-enabled sites without entering a username or password. Persona works by having users register their email addresses with a server called a Persona Identity Provider …

COMMENTS

This topic is closed for new posts.

Single login?

Am I the only one who thinks this whole 'single login' thing is a really, really bad idea? Hack once, rifle through many different accounts.

I'll stick to different passwords for every site, and very different ones for anything financial.

Re: Single login?

I see both up- and downsides to this. The downside is as you already described, the single point of failure. The upside is that if somebody figures out your password, it is easily changed at a single place. Many people use a single password for everything and do not even remember all the sites they have an account at, leaving them vulnerable to attack.

Re: Single login?

A possible issue with the idea of using a different password for each website is that if your email gets broken into, most websites will allow a password reset, so the baddies will get access to all of them anyway. In effect you have the same single point of failure as you do with Persona.

Unless of course you have a different email account for each website....

But what happens if you reset them email account passwords.... ahhhh pop.

Non-password authentication will always win security-wise for a number of reasons, so now I just have to wait for el reg to get sorted with it :)

@Pen-y-gors - Re: Single login?

You're not the only one. SSO without some form of additional token/biometric check just seems like asking for trouble.

Re: @Pen-y-gors - Single login?

Er, Persona uses certificates. You can only sign on from the browsers which have your certificates installed.

@Dan 55 - Certificates

Good point - it isn't as weak a solution as I implied. I have a general aversion to the concept, though, but maybe I'll warm to it over time.

Re: Single login?

Indeed this is one of the aspects I hate about Google. What has Google Code to do with YouTube?

Re: Single login? @roomey

"Unless of course you have a different email account for each website.... But what happens if you reset them email account passwords"

I'm not sure if you are asking what I think you are asking, but I have specific e-mail addresses for certain accounts, all of which forward to another account that I monitor regularly. All password request changes go to that account too. I know about any changes without actually ever visiting the accounts ...

Sounds like a great facilitator ...

For the NSA etc.

Rather than having to ... demand information (I was going to say issue a warrant or subpoena but...) from multiple sites, they can just demand your authentication from the Persona service.

Presumably the system relies on the Persona service validating the certificate, so if they say "yes, this NSA certificate is valid for this user" then the trusting websites will let them in to anyone's accounts?

Better for most people

In my experience most people use just one or two passwords for everything and just one or two email addresses too. We all know that this is a bad thing but I can't even persuade my wife (who is quite tech savvy) to change her ways; what chance with the rest of the world?

Persona isn't perfect but it is a lot better version of the single password everywhere option. Who knows, we might even be able to persuade people to change their passwords occasionally if they only have to change it in one place.

improper usage of API

Error

Please close this window and try again.

Action: error in https://webmaker.org

Now: Fri, 09 Aug 2013 16:11:00 GMT

improper usage of API: Error: Could not get IdP Verification Info
