Hi Lukas,
Your question reminded me of a conundrum I have little understood. In light of what FIDO brings to the authentication space, I am going to try to challenge you (and others) to question your premise around "single sign-on" (SSO) technology. The goal is not to put anyone on the defensive about any specific SSO technology, but to debate whether SSO is even necessary in light of what FIDO offers.
You have to step back into the late '80s and early '90s to understand why SSO was really needed. Enterprises had a mish-mash of technology solutions: mainframes running SNA LU6.2, mini-computers with DECNet and other proprietary protocols, Netware LANs, a smattering of UNIX systems running TCP/IP, and OS/2 with LAN Manager, etc. Everybody was using usernames and passwords. And, everybody had different schemes, algorithms, and protocols for dealing with them. The complexity of managing this was daunting enough that companies were investing serious money to solve this problem.
As networks were starting to coalesce around TCP/IP and public-key cryptography made a splash, for a while in the late '90s, it seemed that the password problem could be eclipsed by that original passwordless authentication protocol - SSL ClientAuth - with X.509 v3 digital certificates. But, that bubble broke with the dot-com crash; and passwords that were restricted primarily to enterprise networks at the dawn of the internet, exploded to affect every consumer that needed to authenticate to a restricted website. Leading us to where we are today: a mish-mash of SSO protocols and schemes.
FIDO is, essentially, a reboot. An advanced authentication technology that:
If a FIDO server can authoritatively return an authentication token in a few seconds to any web/mobile application, why burden the application with a legacy SSO protocol that adds yet another "band-aid" to what was already a band-aid from the previous century? Why not cut the crap in the middle and just get an authoritative answer from the source?
SSO tokens - whether they are SAML, JWT, etc. - must be verified
thoroughly because they represent a "man in the middle" of the
authentication flow; why introduce or maintain a man in the middle
when the protocol was designd for privacy. Why add the legal
burden of determining who is responsible for privacy violations
when the MITM is breached?
Ah! The answer is "legacy applications". SSO was written into applications in an age when passwords ruled the world and companies needed to alleviate the burden of users who were forced to authenticate to dozens of systems within the enterprise. The cost of SSO was less than the loss of productivity and consumer frustration with password management that SSO is accepted as a defacto standard. But, when passwords have been eliminated and strong authentication has been simplified, does it make sense to continue carrying that cost of SSO? The technical compexity? And, the legal burden in a world that is increasingly regulating privacy? (Note that similar questions arise when considering the issue raised with passkeys held by platform vendors).
It may be useful to step back and ponder whether it may actually benefit the internet to eliminate the SSO burden - and its associated risks - when an application can get an authoritative answer from a FIDO server directly with the simple touch of a button, faster than we can verify the authenticity and integrity of an SSO token.
Arshad Noor
StrongKey
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/6daf5cfa-95ba-4f35-a964-3a000b130df9n%40fidoalliance.org.