Managing Credentials on the Web
January 19, 2011 at 11:19 pm | Posted in Cyber Security, Identity Management | 1 Comment
Tags: 1Password, CA, Cardspace, Drop Box, Facebook, Google Docs, Higgins, Identity 2.0, Identity Management, LinkedIn, Live Mesh, Microsoft OneNote, Mindmeister, MobileNoter, OAuth, SSO, Trusteer Rapport, Twitter
I enjoyed reading a good-natured rant about the vagaries of managing your identity online on the Des Res blog the other week. If, like me, you work for a large organisation, you’ll probably be obliged to follow strict rules on selecting a password for access to corporate systems. If, again like me, you use a lot of websites that require you to select credentials for logging in, you may struggle to manage a large (and constantly growing) set of strong passwords without writing them down. In these circumstances, it’s very tempting to re-use the strong password for your work systems for other purposes.
Identity 2.0, or digital identity, has long promised to solve these problems: a user has a single online identity, backed by a claim from an identity provider that has already verified it, and presents that claim to a site when it asks for authentication instead of typing yet another password. This model is represented by Microsoft’s CardSpace and the open source Higgins project, but has been slow to gain momentum. However, in recent years a number of the larger IAM vendors, starting with CA Technologies, have added support for these technologies to their Web Access Management products.
Multiple Identities Online
Of course, being able to use a single identity and set of credentials for all your online activities is a real “good news/bad news” story. The convenience of managing a single set of credentials comes at a price: it’s quite conceivable that your visits to different websites could be aggregated and correlated, to build a far more comprehensive (and revealing) picture of your online activity than you might feel comfortable with. Nor do all the websites we visit (and register for) justify the same strength of authentication. For example:
- Online Banking: There’s so much at stake if your banking credentials become compromised that it’s obvious to all but the hard of thinking that those credentials should never be used elsewhere. In a previous post, I described how my bank allows me to be warned if I try to re-use internet banking credentials on another site, by providing me with a free copy of Trusteer Rapport. This protection can be easily extended to other high-risk sites.
- Social Media: As I’ve described on these pages before, I use a wide range of social media applications (in the widest sense of the term) to maintain my contact list, collect and collate information and publicise this blog. Each site requires a separate set of credentials, but increasingly I’m offered the chance to sign in to one application using the credentials from another (very often, either Twitter or Facebook). This uses OAuth (Open Authorization), which is a delegated authorization protocol rather than a way of sharing passwords: the user authenticates directly with their chosen service, and that service issues the requesting application a token tied to the user and to the access they granted. The application then presents the token, never the user’s password, each time it accesses resources, until the token expires or the user revokes it at the issuing service. So, for example, when configuring Tweetdeck, I authenticate in turn to Twitter, Facebook, LinkedIn and Google Buzz and authorise Tweetdeck to use the OAuth tokens to retrieve data from those applications until I revoke that access.
Single Sign On
This still leaves a wide range of other sites that require a login. I use a number of cloud services, including Dropbox (of which, more in a moment), Windows Live Mesh, MindMeister (for collaborating on mind maps), MobileNoter (for sharing and synchronising Microsoft OneNote) and of course, Google Docs. These (or at least the data I entrust to them) are important enough to me to warrant good quality credentials and together they make a good case for Single Sign On. With more than 10 years’ experience in Identity Management projects, I’ve always viewed SSO as primarily a user productivity tool, with some incidental security benefits. However, I came across a story on Mashable, describing tools for managing web passwords and quickly realised that I could:
- Store all my credentials in a single location;
- Secure them with a single strong password, which never leaves my machine;
- Synchronise that credential store across multiple computers by locating the credential store on Dropbox;
- Use the same, synchronised solution on my iPhone.
So, armed with these requirements and the Mashable product reviews, I eventually settled on 1Password. As well as a management app, which sits in the system tray, 1Password installs a plug-in for all the modern browsers (I’m using it with IE and Firefox) which detects when you’re completing a registration or login form and prompts you to save the credentials. Next time you visit the site, just press the 1Password button to log in. Incidentally, the Mashable article mentions that 1Password is primarily a Mac product, with a Windows version in beta. The Windows version is now in fact available as a paid-for GA product.
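One caveat that the requirements above leave implicit is worth spelling out. Placing the credential store on Dropbox puts a copy of the vault file on a third party’s servers, so anyone who obtains that copy can mount an unlimited offline guessing attack on the master password; the vault key is derived from that password, and the iteration count of the key derivation function is the only thing that makes each guess expensive. The following Python is added here as my own illustration of that part of a synced vault, and is not 1Password’s code or file format: a header carrying a salt, an iteration count and a key check value (all names and the `vault-key-check` label are my own invention), an unlock routine, and the attacker’s offline dictionary run against a stolen header. Real vaults also encrypt the entries under the derived key; that step is omitted so the model needs only the standard library, and the iteration counts used are far below what a production vault should use.

```python
"""Offline guessing against a synced password-vault header (added illustration, not 1Password's)."""
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

KEY_CHECK_LABEL = b"vault-key-check"  # hypothetical label for this model, not a real vault format


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit vault key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def key_check_value(key: bytes) -> bytes:
    """Proves knowledge of the key without storing the key or the password itself."""
    return hmac.new(key, KEY_CHECK_LABEL, hashlib.sha256).digest()


def make_vault_header(master_password: str, iterations: int,
                      salt: Optional[bytes] = None) -> dict:
    """What a synced vault must carry in the clear: salt, work factor and key check value.
    None of these is secret; with the ciphertext, they are exactly what an attacker who
    copies the file out of the sync folder gets."""
    salt = salt if salt is not None else os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "kcv": key_check_value(key)}


def unlock(header: dict, master_password: str) -> Optional[bytes]:
    """Return the vault key if the password is right, otherwise None (constant-time compare)."""
    key = derive_key(master_password, header["salt"], header["iterations"])
    if hmac.compare_digest(key_check_value(key), header["kcv"]):
        return key
    return None


def offline_guess(header: dict, wordlist, budget: int) -> Tuple[Optional[str], int]:
    """Attacker's view: try candidate passwords against a stolen header until one
    unlocks it or the guess budget runs out. Returns (password or None, guesses used)."""
    guesses = 0
    for candidate in wordlist:
        if guesses >= budget:
            break
        guesses += 1
        if unlock(header, candidate) is not None:
            return candidate, guesses
    return None, guesses


def guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Rough cost of one guess on this machine for a given work factor; the attacker's
    rate on specialised hardware is higher, but scales the same way with iterations."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"candidate{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


# Constructed wordlist standing in for a leaked-password dictionary.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Summer2010",
                    "password1", "Password1!", "iloveyou", "welcome", "monkey"]

if __name__ == "__main__":
    weak = make_vault_header("password1", iterations=1000)
    strong = make_vault_header("correct horse battery staple", iterations=1000)
    print("weak vault:", offline_guess(weak, COMMON_PASSWORDS, budget=100_000))
    print("strong vault:", offline_guess(strong, COMMON_PASSWORDS, budget=100_000))
    for iters in (1000, 100_000):
        print(f"{iters:>7} iterations: ~{guesses_per_second(iters):.0f} guesses/s")
```

Run it and the weak vault falls on the sixth guess while the passphrase survives the whole list; the timing loop shows that raising the iteration count is what turns a dictionary run from seconds into years, which is the lever a user of a synced vault controls only by choosing a master password the dictionary does not contain.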
So, in conclusion, it’s possible to work out a strategy that at least simplifies sign on and credential management across a wide range of websites and applications, each with differing needs for strength and protection. By and large, the tools to do this are available for free, and even the commercial components I chose are available for a very modest fee. All in all, the benefits far outweigh the modest outlay of time and cash.