The fundamental flaw with Federated Identity and SSO
Single Sign-On (SSO) technology has gained considerable momentum in the last few years, despite an obvious flaw.
Update: As of Feb 14th 2019, nearly two weeks after I wrote this piece, Myki claims to have discovered the same SSO functionality being exploited using an even more sophisticated tactic — an imitation ‘lightbox’ or modal-style DOM popup which is not an actual “window.”
Today almost every website offers a convenient way for end-users to sign in with Facebook, Twitter or Google. That’s SSO: using an existing identity to get into multiple services of the same or different organizations.
An obvious advantage is the convenience of not having to fill in sign-up forms all over again, verify emails, and set up a password (although that largely depends on how SSO has been implemented). The user can simply “log in with an existing account” to an entirely new website.
The disadvantage, however, has to do with how most SSOs are being implemented today.