Post ASkeT5oth6ucbwGYMa by scottpack@infosec.exchange
 (DIR) Post #ASkdlrDK7iRorK4hii by raesene@infosec.exchange
       2023-02-16T11:50:45Z
       
       4 likes, 3 repeats
       
       Here's a possibly unpopular #Infosec opinion. For ordinary non-corporate end users, SSO systems like "Sign in with Google/Microsoft/Facebook" are a bad idea. Here's the reason. It's possible to get banned from an entire ecosystem based on a perceived infraction on one site, and there have been multiple cases of this happening. When these bans occur they can stop you being able to use that SSO system, locking you out of every account that uses it. Ordinary end users have very little chance of getting a sensible response from mega-corps when this happens. The impact of being locked out of all your systems if this happens is high, and possibly a worse outcome than losing an individual credential because of a hack when you're managing your own credentials.
       
 (DIR) Post #ASkeT51yczmSADNU6y by scottpack@infosec.exchange
       2023-02-16T13:00:15Z
       
       0 likes, 0 repeats
       
       @raesene I agree. However, the usability benefit of only having to manage one account, instead of 78, is also very real. Watching people struggle to sign into sites they infrequently use hurts. Password managers can address this concern, but their usability isn't there yet. If _I_ have to give a training session and semi-annual reminder on how to use it, then it's not ready.
       
 (DIR) Post #ASkeT5RV66CHRNJrtY by raesene@infosec.exchange
       2023-02-16T13:10:37Z
       
       0 likes, 0 repeats
       
       @scottpack yeah, in a happy path case I can see why SSO makes sense; it's the failure mode that worries me. The worst ones are where you get locked out of a Google/MS account, as then your fallback is probably an e-mail address you no longer have access to! At that point I could see people really struggling to ever fix that. You'd end up testing what companies' manual "I've forgotten everything" policies are, and I'm guessing it's not good. A possible remedy would be having an SSO provider which just does that and has some obligation to have decent dispute resolution procedures, but that'd likely require gov. intervention and we know how well that tends to work :P
       
 (DIR) Post #ASkeT5oth6ucbwGYMa by scottpack@infosec.exchange
       2023-02-16T13:57:14Z
       
       0 likes, 0 repeats
       
       @raesene It's definitely a bit of a sticky wicket. I _feel_ that folks are probably more likely to lose access to something like Facebook than their email. But if email access is lost then yeah.... You're going to have a bad time. I'm not disagreeing or disputing your original statements, for the record. There definitely needs to be a solution that accounts for your concerns. Somehow.
       
 (DIR) Post #ASkeT6Gu0zJW0nMv0y by realn2s@infosec.exchange
       2023-02-16T21:18:00Z
       
       1 likes, 0 repeats
       
       @scottpack @raesene I recently read a story where someone lost their Microsoft account because of automatically uploaded pictures from their camera. They were pictures of their sister's kids at the beach which got flagged as CSAM. So you might think that you use your account only for email, but you might not. Similar story: https://www.nytimes.com/2022/08/21/technology/google-surveillance-toddler-photo.html
       
 (DIR) Post #ASl50DnrdBVpjeExcm by YTFoidLover1488@poa.st
       2023-02-17T03:49:05.936380Z
       
       1 likes, 0 repeats
       
       @raesene Here's an unpopular #infosec opinion: Every narcissistic ghoul in "infosec" with a heavily curated public social media presence with their real name attached is a fucking fraud.
       
 (DIR) Post #ASlQnNgxkfqfdDIKKu by xue@collapsitarian.io
       2023-02-17T07:53:17.584708Z
       
       0 likes, 0 repeats
       
       @raesene 4 paragraphs to say that 'google can ban you and if so, you lose everything, no discussion'