It would seem to me so much simpler to provide a simple storage unit package where people could enter all of their user names and passwords, so even if they forgot one, they could just call up this package and refresh their memories. This would be stored locally, and either biometrically authorized, or strongly encrypted. It could even be exported and stored off-site for security, and work-around style implementations are already used by those in the know (PGP'd Doc stored on floppy in fire-proof box, for example...), so why don't Netscape and IE offer something like that instead of their "I can save every password you want me to somewhere else that you can't see in a probably unsafely secured location on your computer so that every time your spouse visits this site using your profile they can see what you've just ordered them for Christmas" box that pops up everywhere you go........

Jeff Neithercutt CNA, GSEC
Wells Fargo Bank
Corporate Information Protection
155 5th Street MAC 0186-030
San Francisco, CA. 94103
(415)243-5549

-----Original Message-----
From: Jay Woody [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 12, 2001 3:25 PM
To: [EMAIL PROTECTED]
Subject: Re: Single Sign On Software and One Time Password

I was just reading something that someone forwarded me from Tech Republic, I think (doesn't really matter as the author's e-mail address is included, so you can write there directly). This might interest you as you are looking into this technology right now.

>> WHY SINGLE SIGN-ON IS STILL A BAD IDEA
>> Why are so many companies interested
>> in single sign-on services and centralizing
>> customer information when it's fairly
>> obvious that (given a choice) consumers
>> wouldn't choose to store this personal
>> information online?
>>
>> Obviously, this is a rhetorical question. I
>> understand that it's all about marketing.
>> With detailed customer information
>> available real-time in a large, distributed
>> database, targeting marketing based on
>> that information is bound to occur. And
>> since such a data store is intended to be
>> accessible across the Internet, abuse of
>> this data, either intentional or by accident,
>> is also likely.
>>
>> To me, the entire issue of single sign-on
>> introduces the type of monitoring and
>> access control issues that border on
>> invasion of privacy. Not to mention that
>> wily hackers, eager for the crown of
>> "Ultimate Hack," will do whatever they can
>> to find vulnerabilities and exploits on any
>> large-scale database, like the one Passport
>> provides and the one that Liberty Alliance
>> Project proposes.
>>
>> Single sign-on services are a horrible
>> simplification of authentication that is
>> needed. I want to be authenticated when I
>> try to view my bank account! I want to type
>> in a different username and password when
>> I need to! If one of my usernames and
>> password gets compromised, at least it only
>> gets compromised in one place. Most people I
>> asked agreed that single sign-on is a bad
>> idea, based on the explanation I just gave.
>>
>> So for now, count me out of being a
>> participant in the Liberty Alliance Project. For
>> that matter, I'm perfectly content keeping my
>> multiple username and passwords for access
>> to myself--which is where that information
>> belongs in the first place.
>>
>> To comment on this TechMail, write to Jonathan Yarden.
>> mailto:[EMAIL PROTECTED]?subject=Internet%20Security
>>
>> Jonathan Yarden is the senior UNIX system
>> administrator, network security manager, and
>> senior software architect for a regional ISP. Jon
>> is also a member of the FBI InfraGard program,
>> a partnership between the FBI and the private
>> sector.

JayW

>>> "Vicki Vinson" <[EMAIL PROTECTED]> 11/11/01 08:40AM >>>
Computer Associates has a Single Sign On app

>>> "eko yulianto" <[EMAIL PROTECTED]> 11/08/01 10:29PM >>>
Hello,

I am looking for software for a Single Sign On and One Time Password solution for my company. Does anyone know which software I need to use, or the best one? Because I will implement that requirement on many platforms (Win9x, W2K, AS/400, OS/390), and each platform has limited features for the authentication process.

Thanks for any help and comments.

Eko Yulianto
IT Security
Menara Asia 3rd Floor
Diponegoro 101, Lippo Karawaci
Tangerang, Indonesia
Phone: +62.21.5460666 ext.5335
Fax: +62.21.5460660
Post Office: 15810
E-mail:[EMAIL PROTECTED]
