The Mozilla Foundation has unveiled a new Identity Bridge that links its Persona single sign-on technology with Gmail, allowing all Gmail users to log in to Persona-enabled sites without entering a username or password. Persona works by having users register their email addresses with a server called a Persona Identity Provider …
Am I the only one who thinks this whole 'single login' thing is a really, really bad idea? Hack once, rifle through many different accounts.
I'll stick to different passwords for every site, and very different ones for anything financial.
Re: Single login?
I see both up- and downsides to this. The downside is as you already described, the single point of failure. The upside is that if somebody figures out your password, it is easily changed at a single place. Many people use a single password for everything and do not even remember all the sites they have an account at, leaving them vulnerable to attack.
Re: Single login?
A possible issue with the idea of using a different password for each website is that if your email gets broken into, most websites will allow a password reset, so the baddies will get access to all of them anyway. In effect you have the same single point of failure as you do with Persona.
Unless of course you have a different email account for each website....
But what happens if you reset them email account passwords.... ahhhh pop.
Non-password authentication will always win security-wise for a number of reasons, so now I just have to wait for el reg to get sorted with it :)
@Pen-y-gors - Re: Single login?
You're not the only one. SSO without some form of additional token/biometric check just seems like asking for trouble.
Re: @Pen-y-gors - Single login?
Er, Persona uses certificates. You can only sign on from the browsers which have your certificates installed.
@Dan 55 - Certificates
Good point - it isn't as weak a solution as I implied. I have a general aversion to the concept, though, but maybe I'll warm to it over time.
Re: Single login?
Indeed this is one of the aspects I hate about Google. What has Google Code to do with YouTube?
Re: Single login? @roomey
"Unless of course you have a different email account for each website.... But what happens if you reset them email account passwords"
I'm not sure if you are asking what I think you are asking, but I have specific e-mail addresses for certain accounts, all of which forward to another account that I monitor regularly. All password request changes go to that account too. I know about any changes without actually ever visiting the accounts ...
Sounds like a great facilitator ...
For the NSA etc.
Rather than having to ... demand information (I was going to say issue a warrant or subpoena but...) from multiple sites, they can just demand your authentication from the Persona service.
Presumably the system relies on the Persona service validating the certificate, so if they say "yes, this NSA certificate is valid for this user" then the trusting websites will let them in to anyone's accounts?
Better for most people
In my experience most people use just one or two passwords for everything and just one or two email addresses too. We all know that this is a bad thing but I can't even persuade my wife (who is quite tech savvy) to change her ways; what chance with the rest of the world?
Persona isn't perfect but it is a lot better version of the single password everywhere option. Who knows, we might even be able to persuade people to change their passwords occasionally if they only have to change it in one place.
improper usage of API
Please close this window and try again.
Action: error in https://webmaker.org
Now: Fri, 09 Aug 2013 16:11:00 GMT
improper usage of API: Error: Could not get IdP Verification Info