3.2 KiB
layout | status | published | title | author | author_login | author_email | wordpress_id | wordpress_url | date | date_gmt | categories | tags |
---|---|---|---|---|---|---|---|---|---|---|---|---|
post | publish | true | Why should we have 3rd-party sign-in? | [{display_name sipp11} {login sipp11} {email sipp11@gmail.com} {url }] | sipp11 | sipp11@gmail.com | 853 | http://blog.10ninox.com/?p=853 | 2013-08-02 00:03:27 +0700 | 2013-08-01 17:03:27 +0700 | [after-works service] | [] |
After many security vulnerabilities at many sites, Ubuntu forums, for example, has turned sign-in system into only-Ubuntu One-option. This is really interesting. The reason behind is simple: keeping sensitive data like password hash far away from not-so-secure-data like forum topics and stuffs. This eliminates a lot of stress on a forum side which a team behind forum can only focus on how to make community happy, not security audit every now and then. While another team on Ubuntu One will be responsible on make things as secure as possible with one focus in mind, providing user identity.
In case of smaller teams, they also have tons of options: Facebook, Google, Twitter, Yahoo and so on. Not only don't users have to worry about forgetting different passwords on different sites, users also gets top-notch security from providers they trust. Moreover, user could careless things like man-in-the-middle attack on public wireless network. For example, I'm using Android and about to login on some websites while I'm sitting in coffee shop. If the website I want to get in has only own website login, what I need to do is filling out user and password. Yep, on the worst case, someone else might be doing ARP-poisoning and unfortunately it's not that difficult at all. At the end of the day, my login and password are compromised. It will only get worse if I use much the same login and password on multiple sites/services. However, if the website provides something like Google login option. The scenario would be changed entirely since when I tap on login with Google, browser would jump to Google login page which Browser would give you an extra option to sign in with your account on your mobile device. Soon as you choose the account, boom! you are logged on. As a result, you don't even have to expose any of sensitive data explicitly. All processes are done via temporary token which needed to prove your identity.
All in all, I think it's great to have a simpler solution, and more importantly more secure solution. This should be implemented to all web services. It doesn't matter whether it's OpenID, Mozilla Persona, Facebook, Twitter, Microsoft and so on. As long as you use the service from company you trust, it's still a safer solution than implementing your own.