Just like apps and websites implement “Sign in with Apple” and Google couldn’t we build some kind of federated authentication provider? Then everyone creates an account there and fedi apps can implement an easy way to authenticate users. Even non fedi apps could use it. I imagine user interaction between different fediverse platforms would be much easier too.
I guess could run an auth instance. Ideally everyone would run their own, keeping your data safe.
Is there something likes this already? Saw some discussion here but not much else https://socialhub.activitypub.rocks/t/single-sign-on-for-fediverse/712
Since I’ve moved to a password manager I find these social logins less useful. Personal opinion.
Yeah, also if the one login gets compromised, oh boy…
Anecdote time. My first e-mail account got hacked. I still had my Steam account attached to it. Now i have a VAC Ban in CS2 because some chinese kid used it for hacking ingame.
Your password manager’s login can also get compromised
It can, but is it likely to? To get my passwords, you’d need my KeePass database itself, which is only stored on computers I own. To unlock my password database, you need my password, which I have not stored digitally anywhere, and you’d need to have the keyfile. Oh which of the hundreds of thousands of files on my system is the keyfile?
So you’ve gotten my password database open. Critical things like my lynchpin email address and banking accounts just aren’t in there. Those I memorize only. All of the “This would be bad if this got compromised” accounts have 2-factor authentication.
Compared to breaking into a retailer or bank’s servers and getting hundreds of thousands if not millions of credentials, that’s a lot of effort to get one guy’s Lemmy account deets.
So we should make a remote single point of failure, maintained by someone who probably isn’t a security expert or working on it full time?
No, this is unfortunately the opposite of what we should be doing.
EDIT: I should also add that people who make password managers literally focus on only that. They understand what they are making is a huge target and any of them worth their salt have independent audits and spend much of their time on design decisions related to security. Point being: typically the weakest link in a password manager is you. Set a good password, use a YubiKey or some other device, use 2FA, etc.
Yeah it can. But then they have only my passwords. If they steal a database from a large identity provider, they have millions if not hundreds of millions of passwords. For monetarily motivated crime, my password manager is not a realistic target.
Also doesn’t this comes against the decentralization principles of the fediverse?
I imagine the auth provider could be decentralised too
I have a hard time wrapping my head around this one. If you “federate” authentication, wouldn’t that just open it up to bad actors?
That is basically OpenID which has been around for a long time. In principle there is nothing stopping fediverse instances from being OpenID providers or allowing login with an OpenID, not sure anyone has done this yet though.
Here’s the answer.
No please. Use a password manager with randomly generated usernames when possible.
But why? Just use a password manager instead of tying your identity to a Lemmy instance which you do not control.
Having SSO is reliant on having a single trusted server which has your password instead of you maintaining it yourself. This is just an unnecessary risk.
I mean a federated authentication server that you can host yourself if you want.
I don’t understand what you mean about using a password manager, you can still do that. Also your identity is tied to a lemmy instance right now anyway.
My Lemmy instance only owns this account, not secondary accounts on separate websites
Yes and no.
Decentralized IDs exist, but will almost never be accepted by any large reputable institution.
Why trust every indie site to be 100% truthful, and definitely not full of malicious haXXors?
Nah mate, I don’t think I want to trust some rando identity server with my login, and self hosting just makes them easy targets.