I chose not to use the original title for this submission because it's clearly clickbait. The discussion of passwords vs. federation is interesting, though, so I still wanted to share this article.
I will take the blame that we have not really articulated what happens when you press that “sign in with Google” button. A lot of people don’t understand, and some competitors have dragged it in the wrong direction. Maybe you click that button that it notifies all your friends that you’ve just signed into some embarrassing site.
I think it's amusing that Mr Risher thinks this is what we're really worried about. Or maybe it's just his cynical attempt to pretend he doesn't know what we're really worried about.
We only log the moment of authentication. It’s not used for any sort of re-targeting. It’s not used for any sort of advertising. It’s not distributed anywhere.
And there is what we're really worried about: that Google is tracking everything we do when we use a Google account to sign in to a non-Google site. And why wouldn't they track that? That's their core business: tracking user behaviour to serve them more relevant ads. So it's unusual for Mr Risher to claim they're not tracking us when they have the perfect opportunity to do so. And, given their known behaviour, I think we have the right to be cynical about this claim.
But doesn’t using SSO just mean there’s a single point of failure? If your Google password is compromised then all connected accounts are compromised as well.
Mark Risher addresses this directly in the article:
People often push back against the federated model, saying we’re putting all our eggs into one basket. It sort of rolls off the tongue, but I think it’s the wrong metaphor. A better metaphor might be a bank. There are two ways to store your hundred dollars: you could spread it around the house, putting one dollar in each drawer, and some under your mattress and all of that. Or you could put it in a bank, which is one basket, but it’s a basket that is protected by 12-inch thick steel doors. That seems like the better option!
It’s a nice metaphor but it doesn’t solve the fundamental issue of having a single failure point.
That factor is more than likely considered when engineering an SSO login and the convenience that comes with it. Given that the common user would most likely not have a randomly generated secure password for every service they sign up for, having just one vector to attack, but one that is continuously kept up to date with serious backing from security experts, is much better than password reuse or phishing attempts that come from entering a password. Obviously, I don't believe the only reason companies like Google, Facebook, and now Apple are doing this is for the benefit of all, but also to entice users to remain in their ecosystem when accounts are linked directly to their respective platforms.
There already is a single point of failure. If you use passwords, you'll be required to use an email for recovery. If someone gets access to this email, they can reset all your passwords.
Outlined. Don't reward clickbait.
Well, I would like to reward the rest of it, since I enjoyed everything but the title.
You should. The writers don't come up with the titles. That's the editor's job.
That's actually a really good point; I hadn't thought of it that way.