Pomcor

Research on web and mobile technology

Tag: Altly

Altly Needs PKAuth

I was happy to read Dmitry Shapiro’s blog post about Altly, a startup that plans to challenge Facebook on privacy grounds. We need competitors to Facebook for all the reasons mentioned by Dmitry, plus a few others.

Facebook uses OAuth to implement social login (“Facebook Connect”, now called “Login with Facebook”). OAuth is insecure, because it allows an authorization code to be sent in the clear from Facebook to the relying party (the application or site that features the Login with Facebook button). If you log in with Facebook in a cafe, an attacker may be able to intercept the code and use it to impersonate you.

Another problem with OAuth is that it requires prior registration of the relying party with Facebook. This means that, if Login with Facebook becomes ubiquitous, Facebook will have the unchecked power to effectively disable most Web applications by revoking their registrations.

The registration requirement is also an additional barrier to entry for Facebook competitors such as Altly. To implement “Login with Altly” competitively, Altly will have to persuade over a million sites and applications to register with it.

To address this competitive barrier we have suggested a social login protocol, called PKAuth, that does not require prior registration. We would be happy to work with Altly and any other social site (including Facebook) that would be interested in implementing PKAuth, writing open source libraries for relying parties, and codifying the protocol as a Web standard.

Author: Francisco Corella
Posted on: May 31, 2011
Categories: Authentication, Network Security Protocols
Tags: Altly, Authentication, Facebook, Identity, Network Security Protocols, PKAuth, Social Login
