The ins and outs of single sign on

With many technology and security events, such as Infosecurity Europe 2019, being in full swing, a number of tech goliaths are making some pretty bold statements.

It seems that the tectonic plates making up the technology landscape are indeed shifting, but it is anyone’s speculation to envision the end result…yet.

The biggest one by far this week was Apple announcing its plans to develop an Apple ID as an authenticator for online products and services.

So many of us are guilty of using Google, Twitter or Facebook credentials to log in to third-party services. Primarily, it was out of convenience, as it meant you only needed to remember a single username and password to access a great many services. In a weird way, it behaves like a modern-day password manager, such as LogMeIn or 1Password.

However, there is a huge difference. Unlike reputable password managers, Twitter, Facebook and Google make their kerching from targeted advertising. Wherever they can legally (and sadly sometimes illegally) get their hands on your personal data, the stuff that describes you, how you look, what you like, what you hate, what you do, etc., they will. And should: they need that info to sell their ad space. Ironically, it would probably be irresponsible to their shareholders to do anything else (other than the illegal stuff, obviously).

But there had been little alternative until Apple’s recent announcement about single sign on. On Monday at its 2019 Worldwide Developers Conference, Apple unveiled its own single sign-on service, in a direct competitive strike at Facebook’s and Google’s services.

Apple, like reputable password managers, does not make its money from targeted advertising, but rather from selling hardware, software and services. With its new single sign on (SSO), the company is now boldly differentiating itself from the others by putting privacy at the forefront of its strategy.

The one serious game changer is its concept of using throw-away email addresses with third-party services that automagically make their way back to your inbox via Apple services:

“Even better, Apple’s SSO solution, dubbed prosaically ‘Sign In with Apple,’ gives you the option of signing up for third-party sites and apps using a unique, disposable email address that automatically forwards to your iCloud email address. Services and apps with which you use this feature won’t know your real email address,” explains Tom’s Guide.

Meanwhile, Microsoft said mandatory password changing is “ancient and obsolete”

“…Microsoft said it was removing periodic password changes from the security baseline settings it recommends for customers and auditors. After decades of Microsoft recommending passwords be changed regularly, Microsoft employee Aaron Margosis said the requirement is an ‘ancient and obsolete mitigation of very low value,’” according to Ars Technica.

This is interesting. You might remember that Microsoft is working on a single sign on service with Mastercard. This was announced last Christmas, but there has not been much noise about it since then.

Actually the Microsoft-Mastercard duo is planning something bolder than single sign on. It is access to a universally-recognized digital identity that promises to unlock new and enhanced experiences for people as they interact with businesses, service providers and their community online. They list:

  • Financial Services: Improve and speed the applicant identification process for establishing a new bank account, loan or payment service account
  • Commerce: Enable a more personalized and efficient shopping experience online and in stores, regardless of the payment type, device or service provider
  • Government Services: Simplify interactions with government agencies and services – such as filing taxes, applying for passports or securing support payments (e.g., Social Security)
  • Digital Services: Streamline and provide easier use of email, social media, movie/music streaming services, and rideshare platforms

Ooof, right? Big stuff. You wouldn’t be crazy to think it had some teeny tiny overlap with China’s social credit score.

So the convenience to the user will be the selling point, but we need to also ask how this might change the cyber landscape.

Apple is doubling down on privacy, while competing forces are trying to tie all (and know all) into a single universal system.

All I can say is watch this space.
