Alex Bosworth's Weblog


Federated Logins: A security risk?

Now that Google and Facebook have launched their passport 2.0 systems for logging in with your Google/Facebook credentials on third-party sites, are we heading off a security cliff?

I’m not talking about the potential for sniffing a cryptographic key en route to a credential server, a man-in-the-middle attack, a stolen token, or anything like that; I’m talking about the hardest security problem of all: bad user behavior.

People are not machines and do not follow protocols the way computer programs do: people give their bank details and sort code to the nice man from Uganda, people download that email attachment titled “nude.girl.jpg.com”, and people don’t recognize that domains are read from right to left: paypal.com.secure-login.farm80085.kp/login/ might not really be where you think it is.
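To make the right-to-left point concrete, here is an added example (not code from the original post) that parses the hostname out of a login URL and works out which registrable domain the browser is actually talking to. It uses only the Python standard library; the tiny public-suffix set is a constructed stand-in for the real Public Suffix List, and the trusted-domain set and the `assess_login_url` helper are assumptions for illustration. Anything to the left of the registrable domain is decoration the site owner controls, so a familiar brand name appearing there is a warning sign rather than reassurance.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List
# (assumption: a real deployment would load the full list). Two-label
# suffixes such as "co.uk" must be checked before single-label ones.
PUBLIC_SUFFIXES = {"co.uk", "com.au", "com", "net", "org", "uk", "au", "kp"}


def registrable_domain(host: str) -> str:
    """Return the domain the user is really talking to, reading labels right to left."""
    labels = host.lower().rstrip(".").split(".")
    # Longest public suffix wins ("co.uk" before "uk"); the owner is the label just left of it.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels


def assess_login_url(url: str, trusted_domains) -> dict:
    """Classify a login URL as trusted, unknown, or impersonating a trusted brand."""
    host = (urlsplit(url).hostname or "").lower()
    owner = registrable_domain(host)
    if owner in trusted_domains:
        verdict, hits = "trusted", []
    else:
        # Everything left of the registrable domain is chosen freely by whoever owns it.
        decoration = host[: len(host) - len(owner)].rstrip(".")
        hits = sorted(d for d in trusted_domains if d in decoration)
        verdict = "impersonation" if hits else "unknown"
    return {"host": host, "owner": owner, "impersonates": hits, "verdict": verdict}


if __name__ == "__main__":
    trusted = {"paypal.com", "google.com", "facebook.com"}  # constructed allow-list
    for url in (
        "https://paypal.com.secure-login.farm80085.kp/login/",  # the post's example
        "https://www.paypal.com/signin",
        "https://accounts.example.org/login",
    ):
        result = assess_login_url(url, trusted)
        print(f"{result['host']:45} owner={result['owner']:15} {result['verdict']}")
```

Running it shows the post’s example resolving to the owner `farm80085.kp` with `paypal.com` flagged as a leading decoration, while `www.paypal.com` resolves to `paypal.com` and is trusted. A browser does this parsing correctly every time; the problem the post describes is that the person reading the address bar usually does not.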

So by encouraging people to get used to logging in with their credentials when they are on other people’s sites, are we encouraging a bad habit? I enjoy the benefits of single sign-on as much as the next guy, but will the next generation of phishing attacks be based on spoofing Google and Facebook Connect?
