Authorized Impersonation
Posted on September 17, 2007
Filed Under web 2.0
This has been bothering me for a while. Have you noticed how many sites have “features” that let you add your username/password for a third-party site so they can access it for you? Have you ever thought about the semantics of what is going on here? In short, the site initiating the request is impersonating you to access your private data in a way that is not entirely clear. In the process, they are storing your username and password on their system for future use.
Lately I have been thinking twice before doing this, primarily because I’m not smart enough to have different passwords for all of my services; therefore, a security breach in one place would expose the entire portfolio of things I have usernames/passwords for.
It wasn’t until I read something in Jeff Atwood’s excellent post on the subject that I really figured out why it was bothering me so much.
This is a deplorable state of affairs. We’re teaching users that their credentials are of little value and should be freely handed out to any passing website that catches their fancy. It’s an incredibly dangerous habit to inculcate in users; it makes them far more vulnerable to phishing:
Like Jeff, I am not picking on one service provider and attempting to muddy their name. I am saying that identity is a massively exposed area for Web 2.0, and if we don’t get a handle on the technical aspects required to move away from usernames/passwords, it is likely we will see a catastrophic breach of security that sets the clock back years in terms of what users will tolerate.
If you are a developer I would encourage you to read Jeff’s post on the subject; he provides some really simple suggestions that everyone building these systems can take advantage of today. More broadly, while I’m all for OpenID, it is clear that there simply isn’t the momentum behind this open standard to suggest that it’s a game changer. Besides, OpenID has a similar problem: you would still have to provide a password, and in the event your OpenID server was breached all of your services would be exposed.
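To make the contrast concrete, here is an added example of my own (not code from the post, from Jeff’s post, or from any real service) that models the two ways an aggregator site can get at your data: by storing your third-party password and logging in as you, or by holding a scoped, revocable delegation token that the third-party service issued after you authenticated to it directly. The services, user, password and the token scheme are all constructed assumptions for illustration; the point it demonstrates is blast radius when the aggregator is breached, given the password reuse described above.

```python
import hashlib
import hmac
import secrets

# Constructed scenario (not from the post): the user reuses one password at three
# hypothetical services, and an aggregator site wants to read the user's contacts.
SERVICES = ["contacts", "mail", "bank"]
USER = "alice"
PASSWORD = "correct horse"  # constructed; reused at every service, as the post describes


class Service:
    """A hypothetical third-party service holding private data for one user."""

    def __init__(self, name):
        self.name = name
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", PASSWORD.encode(), self.salt, 10_000)
        self.tokens = {}  # delegation token -> allowed scope, e.g. "read"

    def login(self, username, password):
        """Full-access login with the user's own credentials (what impersonation uses)."""
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 10_000)
        return username == USER and hmac.compare_digest(cand, self.pw_hash)

    def issue_token(self, username, password, scope):
        """The user authenticates to this service directly and delegates one scope.
        The aggregator never sees the password; it only receives the token."""
        if not self.login(username, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = scope
        return token

    def revoke(self, token):
        """The user can cut off a leaked token without changing the password."""
        self.tokens.pop(token, None)

    def capabilities(self, credential):
        """Actions a holder of `credential` can perform here."""
        if isinstance(credential, tuple):  # (username, password) pair
            return {"read", "write", "change_password"} if self.login(*credential) else set()
        scope = self.tokens.get(credential)  # delegation token
        return {scope} if scope else set()


def attacker_reach(stolen, services):
    """Map service name -> actions available to whoever holds the leaked secrets."""
    reach = {}
    for svc in services:
        for cred in stolen:
            reach.setdefault(svc.name, set()).update(svc.capabilities(cred))
    return {name: acts for name, acts in reach.items() if acts}


def impersonation_breach():
    """The anti-pattern: the aggregator stores the user's password and a breach leaks it."""
    services = [Service(n) for n in SERVICES]
    contacts = services[0]
    aggregator_store = {"contacts": (USER, PASSWORD)}
    assert contacts.login(*aggregator_store["contacts"])  # aggregator works by impersonating
    stolen = list(aggregator_store.values())
    return attacker_reach(stolen, services)


def delegation_breach(revoke_after_breach):
    """The alternative: the aggregator holds only a read-scoped token for the contacts site."""
    services = [Service(n) for n in SERVICES]
    contacts = services[0]
    token = contacts.issue_token(USER, PASSWORD, "read")
    aggregator_store = {"contacts": token}
    stolen = list(aggregator_store.values())
    if revoke_after_breach:
        contacts.revoke(token)  # user response once the breach is disclosed
    return attacker_reach(stolen, services)


if __name__ == "__main__":
    print("stored password leaked:", impersonation_breach())
    print("scoped token leaked:   ", delegation_breach(False))
    print("after revocation:      ", delegation_breach(True))
```

With a stored password, the breach of one aggregator hands out full access (including password changes) to every service where the password was reused. With a delegated token, the same breach yields read access to one service, and the user can revoke it without touching the password anywhere. The token scheme here is a generic sketch of delegation, not any particular standard.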
Technorati Tags: Identity, security