posted by martyb on Saturday August 08 2015, @12:54PM
from the 867-5309 dept.

I recently had a spirited discussion with someone about authenticating to various websites. I personally take the approach of making an explicit new identity for every service I sign up for — local logins only. I never use a "Social" login like Twitter/Facebook/Google, etc. to access a site.

My reasoning is:

  1. It's a little harder to track my movements across the web; less data for the big players to crunch has to be beneficial in some way.
  2. When a data breach occurs, it limits my exposure to the breached entity. With the thought that, if the place you use as your only Authenticator for all websites gets compromised, what kind of exposure does that entail?

For some background, I'm a ten-year professional in Web Infrastructure, with Identity and Access Management making up a decent part of what I do. After pretty much being called an irresponsible professional and told that no identity information will leak due to the way OAUTH works, I thought I'd throw the question out to the community to get a feel for how you handle accounts to different websites, as well as the inherent tracking and security concerns thereof.

Bytram noted that we had a discussion on a similar topic a while back: Personal Privacy in a Surveillance World -- How Important is it? - SoylentNews


  • (Score: 5, Informative) by meustrus on Saturday August 08 2015, @01:54PM

    As a developer who has worked to implement external authentication, I can tell you that OAuth is most certainly not it. It's not even intended to be authentication. That's why OpenID Connect exists, and very few OAuth providers implement it. Even their implementations are naïve and incomplete - what if you want to close a user's session after a certain amount of time, or even when they press a "log out" button? You just can't. They are permanently logged into your web site. Which comes down to what OAuth really is: it's a loose standard means of gaining decentralized access to your account information. It provides a usually secure method for well-behaved web sites to get things like your name and address and other account details, even more application-specific things like your friend network, without ever handling a user's password or needing to implement the provider's two-factor authentication.

    Honestly I'm not interested in sharing that kind of profile information outside of the people that have it, but depending on the implementation you may not even be asked for permission. OAuth mainly solves the "problem" of cross-domain cookie snooping. It provides an API to extract specific information from your cookies for other web sites (I am including in that information which could be acquired with the cookies, not just information that is explicitly stored there). And while OAuth makes it possible to develop fine-grained permissions per website which can be revoked at any time, the OAuth provider doesn't actually have to give them to you. The big players do for the most part. But they could stop at any time. And as we've known for quite some time, anybody using social media buttons is already leaking your browsing habits to those networks.

    Make no mistake: OAuth is not a secure standard. It's not the best standard. It's the first and only standard for this kind of sharing. It solves many problems that many of us have no interest in being solved. And the first version was so fatally flawed that OAuth 2 really looks nothing like OAuth 1. Which is good. But it's also telling.

    Anyway I seriously doubt that SoylentNews has the kind of audience that would be interested. Slashdot maybe. But not SoylentNews.

    --
    If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?