
Single Sign-On, or My Global Password

You may have noticed that when signing up for a new service online, additional options are being offered, for example “Sign up with Facebook”. Known as single sign-on, this trend toward the global password will continue, with the resulting privacy issues becoming even more of a hot-button topic.

Single Sign-On

Here’s an example of single sign-on, on a sign-up form for TripIt, a site that lets you organize and share travel itineraries online. TripIt offers the standard method of creating an account with them – provide your email and (yet another) password – as well as options to sign up with your Google or Facebook accounts.

While this technology has been around for years, it is only now gaining traction across the Internet for the general public.

Basically, two organizations agree to create a trusted relationship that allows users to sign into both accounts using the same credentials. The technical term for this relationship is “federation”.

When you sign up with TripIt using your Google (or Facebook) account, TripIt doesn’t actually get to see your Google password. Rather, Google checks your password, and TripIt gets a unique key that identifies you.

Sounds safe, right? And one less password to remember!

But is that all there is to it? Let’s see what happens next.

What Happens Next

Hmm. TripIt wants my Google contacts, and my calendar. What will it do with this data? Names and email addresses are valuable assets for any company. Before you know it, TripIt will be sending targeted marketing to all my friends’ inboxes. And my calendar? Who knows what they do with that, but I know I don’t want them to have it. I clicked “No thanks”.

What about signing up using Facebook? Let’s see.

They’ll take my friends, photo, and “any other information I’ve shared with everyone”. Managing Facebook privacy settings is another topic altogether. You probably share more information than you realize. I wouldn’t recommend this either.

Be Aware of What Information Is Requested

I don’t always block single sign-on. I elected to allow a Google login to the task management site “Remember the Milk” because they only asked for email address, country, and language. Seems harmless enough.

However, once you have established the connection, it’s always possible they just won’t be able to resist tapping into the rest of your valuable data at some point in the future.

Will they need to explicitly ask for your permission first? For that, you might need to read their privacy policy.

HA – I’ll get right on that! Organizations are betting that you won’t read it, and most people don’t.

Who Profits

Is anyone making any money from this? You bet. Google, Facebook, and a few other organizations have grown so large that the personal identity data they hold has itself become valuable.

So whether they charge for single sign-on technology, or use it to increase their user base, your personal data is being leveraged.

Ultimately, the technology may evolve so that each individual has a single online identity that can be recognized everywhere – a valuable commodity to any federated identity hub or broker.

Bottom Line

While having to remember just one password theoretically sounds great to me, be aware of what information is requested each time you choose to use single sign-on.

You might ask yourself if the efficiencies gained by having a “global password” are cancelled out by the extra diligence required to protect your personal information.

Who is really gaining here? Expect to see this trend continue, with the resulting privacy issues becoming even more of a hot-button topic in 2011.
