Jul 13, 2006

This discussion, led by Johannes Ernst, sought to explore ways to improve the user experience in maintaining personal information across multiple web sites.

Multiple logins on multiple sites are more than just a nuisance for the end user – a typical pattern of behavior is that end users tend to use the same login id and same password across multiple sites.  This is a significant security risk, since a malicious hacker would only need to compromise one of those sites to potentially gain access to any/all of the end user’s private data on the other sites.  The sites themselves are not affiliated, so the hacker would need some luck or do some digging to find the other sites used by the end user, but that’s really beside the point.  It would take all of 10 minutes for a script to take the user’s login info to “try the latch” of a thousand of the largest bank or other web sites.

Some of the participants advocated replication of personal profiles between web sites, with user consent, while others (including me) considered this not only impractical but downright scary.  Sharing by reference rather than by replication vastly reduces the risk of someone somewhere getting improper access to personal data.  However, sharing by reference requires a more sophisticated level of communication than servers just throwing data at each other.

There were also differences of opinion over whether the large identity providers could ever be trusted or accepted by the general populace, and therefore whether the open source distributed systems currently being developed are the only acceptable solution.  (Umm..  Doesn’t large mean accepted by lots of users?  Oh, never mind.)  I’m told this point dominated another discussion into oblivion, but fortunately Johannes Ernst was able to guide the discussion towards productive topics.

Originally published on my MSDN blog.