starseerdrgn: Reihanfēoru-kama (Default)

Every time I turn around, I see someone in the tech industry say that developers "shouldn't even try to handle passwords themselves", and to rely on things like Google SSO, Facebook Connect, and Login with Twitter. Sadly, that's insecure as well. In fact, they're as bad as using nothing but email to authenticate someone.

So, I came across IndieWebCamp not too long ago, and really liked what their message was: take back your online identity. Then, I found their Web Sign-In authorization system, and everything kind of fell apart for me.

When your sign-in system requires the use of the very sites you're encouraging people to leave, you have a problem with hypocrisy. When you put down a log-in system that the user can provide from their own server (OpenID) as "too hard", you have a problem with laziness. Authentication isn't supposed to be easy. Otherwise, you run into what Twitter users see every time they run into one of the meme services: an OAuth application that hijacks their identity by continuing to use the permissions given to them without alerting the user.

Of course, open services have major issues with taking off as well. Mozilla Persona is being shut down, and OpenID is now using OAuth 2 (which I still don't trust thanks to all of the hell I've been through). I don't see why people can't promote decentralized authentication, especially when centralized authentication is one giant target for hackers.

Yes, I'm going there.

If you throw everything behind Google Single Sign-On, Firefox Accounts (Persona replacement), Facebook Connect, etc., you have your identity for everything in a single place. This is a black-hat hacker's best case scenario, allowing them to effectively control everything connected to that user's account with little effort. It becomes trivial once they get in.

I myself was a victim of such an attack, with the hacker bypassing my second factor of authentication on Google (I had two factor auth enabled with my phone). I lost access to my email, IM service, Twitter account, Facebook account, Steam account...Effectively everything in my online life. It wasn't fun, and I learned my lesson from that incident.

I honestly wish OpenID would take off again. I want to see someone beat Twitter, Facebook, and Google at authentication, especially with two-factor. I think a decentralized Persona-based solution might be the best bet (seriously, it's dead simple to use), but in a world where developers rely on a cloud service to set and store avatars (Gravatar), everyone is just too lazy or doesn't care about such problems, and it's depressing.

This is the open web. Why can't we help make it more open?

January 2017

Page generated Jul. 24th, 2017 06:48 am
Powered by Dreamwidth Studios