Stories
Slash Boxes
Comments

SoylentNews is people

Ask Soylent: 3rd Party Authenticators

posted by martyb on Saturday August 08 2015, @12:54PM   Printer-friendly
from the 867-5309 dept.

mechanicjay writes:

I recently had a spirited discussion with someone about authenticating to various websites. I personally take the approach of making an explicit new identity for every service I sign up for — local logins only. I never user a "Social" login like twitter/facebook/google, etc to access a site.

My reasoning is:

  1. It's a little harder to track my movements across the web; less data for the big players to crunch has to be beneficial in some way.
  2. When a data breach occurs, it limits my exposure to the breached entity. With the thought that, if the place you use as your only Authenticator for all websites get's compromised, what kind of exposure does that entail?

For some background, I'm a ten year professional in Web Infrastructure, with Identity and Access Management making up a decent part of what I do. After pretty much being called an irresponsible professional and told that no identity information will leak due to the way OAUTH works, I thought I'd throw the question out to the community to get a feel for how you handle accounts to different websites, as well as the inherent tracking and security concerns thereof.

Bytram noted that we had a discussion on a similar topic a while back: Personal Privacy in a Surveillance World -- How Important is it? - SoylentNews

Original Submission

 
This discussion has been archived. No new comments can be posted.
Ask Soylent: 3rd Party Authenticators | Log In/Create an Account | Top | 22 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by Justin Case on Saturday August 08 2015, @01:22PM

    by Justin Case (4239) on Saturday August 08 2015, @01:22PM (#219857) Journal

    Anytime someone tells you "but all those old concerns -- you can stop worrying -- they have been solved in this new zingy" you can assume you've found a liar, or a salesperson, but I repeat myself.

    "The protocol itself has been described as inherently insecure by security experts and a primary contributor to the specification stated that implementation mistakes are almost inevitable."

    https://en.wikipedia.org/wiki/OAuth [wikipedia.org]

    I'm not an OAUTH expert myself but I'd suggest at a minimum you want to subject it to as much scrutiny as any other "secure"* solution.

    * Protip: another flag that pretty much guarantees you're talking to a liar.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 0) by Anonymous Coward on Saturday August 08 2015, @03:17PM

    by Anonymous Coward on Saturday August 08 2015, @03:17PM (#219881)

    Nothing can or will ever leak from any secure service or protocol ... until it does.