Why you want single sign-on

[fanf]

This message contains a good rant about single sign-on:

The fact that "users don't necessarily want to have to manually authenticate each time some service wants authentication" is not the reason we want to promote single sign-on. We don't want the user to manually authenticate every time because doing so trains the user to supply their credentials so frequently that they will not think it is strange when they are asked to provide them to an attacker. The only way to prevent phishing attacks are by training users that they only authenticate in very small number of circumstances that rarely occur.

Comments

[trhodes.livejournal.com]

Wow, that is a very interesting view point. And I understand that, in some ways. Less informed users, yes, more informed users, na. Yet, you can't just single group everyone. ;)

--
Tom Rhodes

[fanf]

Yeah. At work we have a legacy of different passwords for different services, and techies value this because it allows them to partition their privileges. This makes it harder to persuade my colleagues that Kerberos would be a good thing than if we had a legacy of common passwords across services.

[trhodes.livejournal.com]

Interesting. Are there no other services but Kerberos which could provide for things like authentication tokens, etc?

--
Tom Rhodes

[fanf]

None that are deployable :-) However I have heard that it may be possible to set up Kerberos with different credentials for different privilege levels, though I have no details.