SSO technologies have been around for over a decade now, we all have used them to some degree.
Apples Keychain goes back to PowerTalk, combining multiple email accounts with a single set of credentials. Microsoft Passport expanded the idea further combining the logins to navigate around Microsoft’s many portals, Hotmail, TechNet etc. While Passport has expanded with Passport Wallet to include a payment system it still has a limited number online retailer, Microsoft has never added enterprise connectivity to passport, and the vast majority of businesses rely on Microsoft’s implementation of Kerberos to navigate around their diverse networks. Unlike Apple who recently announced at the Apple International developer conference WWDC this week that they are adding a true enterprise aspect to their Keychain technology.
But what is a little worrisome here, and it’s been confirmed by speaking to an Apple developer is that it’s going to be encrypted and stored in the cloud, well there’s nothing really wrong in that itself many services are now offering that as a service, all your credentials in one place that you use a single set of credentials to access. Great if your Mac self-combusts, or you lose your IPAD, you can be logging into your favorite retailer to buy a new one straight away. With the recent revelations of Prism that Apple are one of the companies signed up to give US Government departments access to any amount of data although they deny this, and the possibility that to do that these data stores have had back doors inserted to assist this access. Do we really want the all of our corporate as well as private credentials potentially exposed in this way?
A journalist friend is very unhappy with the situation; he spoke to an assistant at an Apple Store who said this “feature” of your individuals Keychains being stored on Apples cloud service was not optional.
It’s actually a great idea, SSO is, it means you can use stronger unique passwords for every account and only have to remember the one which you can afford to make extremely strong, and then to have them safe keep it for you. But I think I would want guarantees that this data would never be shared, after all, if thousands of individual companies might not value our confidentiality and therefore security, but we can pick and choose, but if the person that’s carrying all our eggs in his basket can’t be trusted that’s something very different. I personally would like to see introduction of a 3rd factor in the authentication, maybe an encrypted USB key brought into common use, maybe that all banks signed up to and stored backups of as part of their service.
The Prism story is still very much in the news and I expect it will run for quite some time, I have no idea what to believe, US partisan politics do confuse me, investor.com claiming that Mosques were excluded from any monitoring which might surprise some who thought that was the whole point of the exercise, and threats that the American Civil Liberties Union is to sue the US Government and Apple are some of the more colourful ones.
On the bright side, as reported by canoe.ca, is that AgileBits who have been developing a similar system, welcomed the news as a “a validation of our message and what we’ve been building with 1Password for over half a decade,” emphasizing that educating people on the “importance of strong, unique passwords” they also remind me that LastPass should also be considered and has a free option for home users.