Why Single Sign-On is Stabby

Want to know why I really don’t care for single sign-on? Let’s pretend I want to sign into StackOverflow.com.

The Flow

Oooh! I want to check my reputation on StackOverflow! Oh crap, this is a new computer. Let me log in!

[Screenshot: 2016-12-01_14-21-26.png]

[Screenshot: 2016-12-01_14-22-05.png]

Huh. Well, let’s check 1Password.

[Screenshot: 2016-12-01_14-22-42.png]

Shit. I didn’t save my password. Oh wait, maybe it was Google?

[Screenshot: 2016-12-01_14-24-33.png]

FFFFFFFFFFFF

Okay I think it’s the second one.

[Screenshot: 2016-12-01_14-29-49.png]

Um. Okay? Allow.

[Screenshot: 2016-12-01_14-30-06.png]

FFFFFFFFFFFF

That wasn’t it. Let me click Back and see if it was Facebook.

[Screenshot: 2016-12-01_14-28-48.png]

I guess I’d like to continue as Aaron since that’s me?

[Screenshot: 2016-12-01_14-32-50.png]

Yay!

The Reality

I originally signed up with my first Google account listed. I did NOT sign up with Facebook. After logging in with Facebook, it automatically matched my account based upon e-mail address and let me in. StackOverflow is assuming that e-mail address changes on the trusted third-party system are verified. I can imagine at least one of the “more login options” services would let me change the e-mail address to another user and ghost in as them using this.

In any case, StackOverflow handles account creation decently. I’ve tried this SSO login on other services I didn’t have in 1Password with more stabbiness. Sometimes a new account is created every single time I choose a different SSO account.

I know I’m in the minority in having multiple Google accounts, but I do know plenty of Facebook users with more than one. I’d rather have a known set of credentials than play the guessing game of which account it was.
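The two failure modes described in “The Reality” (a login from a provider the user never linked being matched to an existing account purely on e-mail address, and other sites creating a fresh account for every provider button pressed) both come down to how the relying party decides which account an identity-provider assertion belongs to. The following is an added example, not StackOverflow’s or any provider’s code: it puts the e-mail-match linking behaviour described above next to a hardened version that only trusts a (provider, subject) pair the user has previously linked, and treats an e-mail collision as a prompt for confirmation rather than proof. Provider names, subjects, addresses and the `TRUSTED_EMAIL_VERIFIERS` allow-list are constructed assumptions.

```python
"""Relying-party account linking: e-mail-match linking beside a hardened version.
Added example; every provider, subject and address below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumption: providers whose "email_verified" claim the relying party chooses to
# believe. Any other provider's e-mail claim is treated as unverified.
TRUSTED_EMAIL_VERIFIERS = {"google", "facebook"}


@dataclass
class Assertion:
    """What the identity provider tells the relying party after the user consents."""
    provider: str         # e.g. "google"
    subject: str          # provider's stable user id (OIDC "sub"); never the e-mail
    email: str
    email_verified: bool  # OIDC "email_verified" claim, as asserted by the provider


@dataclass
class Account:
    user_id: str
    email: str
    identities: set = field(default_factory=set)  # explicitly linked (provider, subject) pairs


class UserStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def by_identity(self, provider: str, subject: str) -> Optional[Account]:
        return next((a for a in self.accounts.values() if (provider, subject) in a.identities), None)

    def by_email(self, email: str) -> Optional[Account]:
        return next((a for a in self.accounts.values() if a.email.lower() == email.lower()), None)

    def new_account(self, a: Assertion) -> Account:
        acct = Account(f"u{len(self.accounts) + 1}", a.email, {(a.provider, a.subject)})
        self.accounts[acct.user_id] = acct
        return acct


def login_naive(store: UserStore, a: Assertion) -> Tuple[str, Optional[Account]]:
    """The behaviour the post describes: a matching e-mail from any provider is
    silently linked to the existing account. Whoever can get a provider to assert
    that address gets the account."""
    acct = store.by_identity(a.provider, a.subject)
    if acct:
        return "login", acct
    acct = store.by_email(a.email)
    if acct:
        acct.identities.add((a.provider, a.subject))
        return "auto-linked", acct
    return "created", store.new_account(a)


def login_hardened(store: UserStore, a: Assertion) -> Tuple[str, Optional[Account]]:
    """Only a (provider, subject) pair the user linked before logs in directly.
    An e-mail collision is a hint, never proof: the user must confirm the link from
    the existing account (or via an e-mail loop the relying party runs itself).
    Because a colliding address never creates a new account, the duplicate-account
    churn the post mentions cannot happen either."""
    acct = store.by_identity(a.provider, a.subject)
    if acct:
        return "login", acct
    existing = store.by_email(a.email)
    if existing:
        # Server-side only: the user-facing message should stay neutral so this
        # branch does not become an account-enumeration oracle.
        return "link-requires-confirmation", existing
    if not (a.provider in TRUSTED_EMAIL_VERIFIERS and a.email_verified):
        return "verify-email-first", None  # relying party confirms the address itself
    return "created", store.new_account(a)


def confirm_link(existing: Account, a: Assertion) -> Account:
    """Called only after the user proved control of `existing` (password, an
    already-linked provider, or an e-mail loop)."""
    existing.identities.add((a.provider, a.subject))
    return existing


def replay_post_scenario() -> Tuple[list, list]:
    """Signed up with Google, later pressed the Facebook button with the same address,
    and finally a provider that lets users set any address they like."""
    google = Assertion("google", "g-111", "aaron@example.com", True)
    facebook = Assertion("facebook", "f-222", "aaron@example.com", True)
    rogue = Assertion("otherprovider", "o-333", "aaron@example.com", True)

    naive, hardened = UserStore(), UserStore()
    login_naive(naive, google)
    login_hardened(hardened, google)
    return (
        [login_naive(naive, facebook)[0], login_naive(naive, rogue)[0]],
        [login_hardened(hardened, facebook)[0], login_hardened(hardened, rogue)[0]],
    )


if __name__ == "__main__":
    print(replay_post_scenario())
```

The key design choice is that the stable identifier is the provider’s `sub`, not the e-mail address: an address can be changed at the provider, so matching on it trusts the weakest provider on the login page. Treating the collision as “ask the user” also gives a single place to log linking events for later review.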

Why I Use VPN on My Mobile Devices

I’m not terribly paranoid about online security compared to some. I do take some extra precautions when doing things online that involve financial data and logging into accounts. Here are a few rules I follow internally when out and about:

  • Public WiFi should only be used when cellular data isn’t sufficient or available
  • Always ask what the SSID (network name) is when using public WiFi at a coffee shop – don’t assume you’ve picked the right one
  • Never ever do anything with financial information (banks, credit cards, including purchases)
  • Never create new accounts over public WiFi
  • Wired and “protected” WiFi at hotels is just as unsafe as public WiFi
  • Use a VPN (virtual private network) to a trusted destination when using a public Internet connection
  • Secure your home WiFi with a strong password and WPA2-PSK encryption

A virtual private network connection lets you create a safe connection from where you are to where the VPN server resides. Depending on the VPN configuration, it may allow you to go back out to the Internet from there, or you may be limited to local connections only on the server side. In the case of how I use VPN, I connect to a home server, which effectively makes someone in the coffee shop I’m at unable to see my online activity.

I have a Mac mini running Mac OS X Mavericks + Server at home – it actually is the machine I use in my entertainment stand for movies and recording TV off the air. I have the VPN service turned on so that when I am out of my home I can tunnel through to home and back out onto the Internet. VPN can be configured on most mobile devices (Android and iOS) and laptops (Windows, Mac and Linux). It does require some technical knowledge to do this.
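The difference between the two configurations described above (tunnel only to the home network, or tunnel everything and go back out to the Internet from home) is entirely a routing-table question, and it decides what someone else on the coffee-shop WiFi can see. The following is an added example, not the author’s setup or any VPN product’s code: it runs a longest-prefix route lookup over two constructed routing tables, one split-tunnel and one full-tunnel, and lists which destinations leave the WiFi interface in the clear. Interface names and all addresses (documentation ranges) are assumptions.

```python
"""What a coffee-shop Wi-Fi eavesdropper can see under a split tunnel versus a
full tunnel. Added example with constructed routing tables; interface names and
addresses are assumptions, not a real configuration."""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

Route = Tuple[str, str]  # (destination prefix, outgoing interface)

WIFI, TUNNEL = "wlan0", "tun0"
VPN_SERVER = "203.0.113.10"  # constructed public address of the home VPN server

# Split tunnel: only the home LAN is routed into the VPN; everything else goes
# straight out over the coffee-shop Wi-Fi.
SPLIT_TUNNEL: List[Route] = [
    ("0.0.0.0/0", WIFI),
    ("192.168.1.0/24", WIFI),   # coffee-shop LAN
    ("10.8.0.0/24", TUNNEL),    # home LAN behind the VPN
]

# Full tunnel: the default route points into the VPN, so Internet traffic is
# carried home first. The VPN server itself still needs a host route out the
# Wi-Fi, otherwise the tunnel's own packets would be routed back into the tunnel.
FULL_TUNNEL: List[Route] = [
    ("0.0.0.0/0", TUNNEL),
    ("192.168.1.0/24", WIFI),
    ("10.8.0.0/24", TUNNEL),
    (f"{VPN_SERVER}/32", WIFI),
]

# Constructed destinations: a bank site, a DNS resolver, a home NAS, the VPN server.
DESTINATIONS = ["198.51.100.7", "192.0.2.53", "10.8.0.5", VPN_SERVER]


def route_lookup(table: Iterable[Route], dst: str) -> Optional[str]:
    """Longest-prefix match, the same rule a host's routing table applies."""
    dst_ip = ipaddress.ip_address(dst)
    best_len, best_iface = -1, None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix, strict=False)
        if dst_ip in net and net.prefixlen > best_len:
            best_len, best_iface = net.prefixlen, iface
    return best_iface


def visible_to_wifi_snooper(table: Iterable[Route], destinations: Iterable[str]) -> List[str]:
    """Destinations whose packets leave the Wi-Fi interface unencapsulated.
    Packets to the VPN server are excluded: they cross the Wi-Fi too, but inside
    the tunnel's encryption, so a local snooper learns only that a VPN is in use
    (and, as the post notes, the VPN server's side still sees everything)."""
    return [d for d in destinations if route_lookup(table, d) == WIFI and d != VPN_SERVER]


def compare() -> Dict[str, List[str]]:
    return {
        "split": visible_to_wifi_snooper(SPLIT_TUNNEL, DESTINATIONS),
        "full": visible_to_wifi_snooper(FULL_TUNNEL, DESTINATIONS),
    }


if __name__ == "__main__":
    for mode, exposed in compare().items():
        print(f"{mode:5s} tunnel, visible on the coffee-shop Wi-Fi: {exposed or 'nothing beyond the tunnel itself'}")
```

With the split table the bank and DNS traffic go out over `wlan0` unprotected, which is exactly the situation the rules above are trying to avoid; with the full table only the encrypted tunnel to `203.0.113.10` touches the WiFi. On a real device the equivalent check is to confirm the default route points at the tunnel interface before doing anything sensitive.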

There are also apps you can purchase for your mobile device to give you a VPN connection. The problem I have with these services is you have no idea what’s happening on the server side. If the point of using VPN is to prevent eavesdroppers from seeing your secure data, then you have to be able to trust the entire connection. VPN does provide a false sense of security in the sense that it’s not securing the entire conversation. VPN is only secure up to the end point (server). If someone has access to that server, there is a chance they can snoop on your activity.

In the end, just be careful what you’re doing online in public areas. Cellular data is certainly more secure than public WiFi, but it’s still susceptible to snooping. There is a fine line between paranoia and convenience, so you’ll just want to determine where that line lies for yourself.