Single sign-on (SSO) creates a single authentication mechanism that allows a user to gain access to multiple software systems after logging in once. It eliminates the need to log in separately to each application the user interacts with and reduces complexity for the user, since only a single password is used across all applications. SSO is often used by businesses to give users access to applications running on the local intranet, but it is increasingly being used by consumer web-based applications.
OpenID is a popular web application SSO authentication mechanism that is used by Google, PayPal, Facebook, JanRain, Freelancer, FarmVille, Sears.com, Universal Music Group, France Telecom, Novell and quite a few other consumer web sites. In fact, as of 2009 there were over one billion OpenID-enabled user accounts and more than 50,000 web sites accepting OpenID.
But how secure is SSO? Surprisingly, it’s an area that hasn’t been given much attention, despite its increasing use. Because of the complexity of the technology, many developers implement SSO without a solid understanding of how it works, resulting in implementations with security flaws. New research finds the security of SSO to be “worrisome”.
In a paper by Indiana University and Microsoft researchers Rui Wang, Shuo Chen, and XiaoFeng Wang, 8 serious security flaws were found in OpenID SSO authentication. Rui Wang commented that “These bugs allow an unauthorized party to log into legitimate users’ accounts … thereby completely defeating their authentication protection.” XiaoFeng Wang said that “The problem here is that the authentication system makes life easier but it makes security management more challenging.”
The two biggest reasons why these flaws exist are:
- poor integration of web sites with the OpenID API
- lack of end-to-end security checks
The research paper concludes that “security-critical logic flaws pervasively exist in SSO systems, which can be discovered from browser-relayed messages and practically exploited by a party without access to source code or other insider knowledge of these systems. This overall situation is serious. Clearly the scale of the problem is beyond what we can cover as a single research team, so we wish this paper can be a call for a collaborative effort of the SSO community. In addition to those reported, we are discovering and confirming new flaws in other web SSO systems.”
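Both causes listed above, and the paper’s point that the flaws show up in browser-relayed messages, come down to the end-to-end checks a relying party must make on the assertion the browser hands it. The following is an added example, not code from the original post or from the researchers, of an OpenID 2.0 relying-party verification in Python: it checks that every field the protocol requires (plus any attribute the application relies on) is covered by the signature, that return_to belongs to this site, that the nonce is fresh, and that the HMAC-SHA256 association signature matches. The association key, URLs and message values are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# OpenID Authentication 2.0 (section 10.1) requires these fields of a positive
# assertion to be covered by openid.sig. Any attribute the application itself
# relies on (e.g. an e-mail used to map the login to a local account) must be
# added to the check, otherwise an unsigned copy can simply be appended.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}

def kv_signature(fields, signed, mac_key):
    """HMAC-SHA256 over the Key-Value form ("key:value\\n") of the signed fields."""
    kv = "".join(f"{name}:{fields[name]}\n" for name in signed)
    digest = hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def build_assertion(fields, signed, mac_key):
    """Constructed OP side: sign exactly the listed fields and URL-encode them."""
    fields = dict(fields, mode="id_res", signed=",".join(signed))
    fields["sig"] = kv_signature(fields, signed, mac_key)
    return urlencode({"openid." + k: v for k, v in fields.items()})

def verify_assertion(query, mac_key, expected_return_to, seen_nonces,
                     app_fields=()):
    """Relying-party check of a browser-relayed assertion. Returns (accepted, reason)."""
    p = {k[len("openid."):]: v[0]
         for k, v in parse_qs(query, keep_blank_values=True).items()
         if k.startswith("openid.")}
    if p.get("mode") != "id_res":
        return False, "not a positive assertion"
    signed = p.get("signed", "").split(",")
    # End-to-end check: a valid signature means nothing if the field you act
    # on was never covered by it.
    missing = (REQUIRED_SIGNED | set(app_fields)) - set(signed)
    if missing:
        return False, "unsigned security-critical fields: " + ",".join(sorted(missing))
    if any(name not in p for name in signed):
        return False, "signed list names a field that is absent"
    if p["return_to"] != expected_return_to:
        return False, "return_to does not belong to this relying party"
    if p["response_nonce"] in seen_nonces:
        return False, "replayed response_nonce"
    if not hmac.compare_digest(kv_signature(p, signed, mac_key), p.get("sig", "")):
        return False, "signature mismatch"
    seen_nonces.add(p["response_nonce"])
    return True, p["claimed_id"]
```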
Steve Watts, co-founder of SecurEnvoy said that “The problem with SSO-based security is that it only authenticates the user when they actually log into the system concerned. And with nasties such as man-in-the-browser and plain text cookie intercepts becoming commonplace on both wireline and – in particular – wireless Internet connections, there is clearly a need for 2FA technology”.
Phil Lieberman of Lieberman Software said that “Federation and SSO are designed to make the user’s life easier, not improve or even maintain the security of their transactions. Logon convenience has its costs, and with free authentication services, you get what you pay for. These systems were not initially designed and hardened for financial transactions. Further, there has been precious little to no oversight over the security of their implementation. The lesson to be learned here is that many cloud-based solutions for authentication and security should be treated as unproven and insecure in most cases.”