The single sign-on protocols that allow users to sign in to a range of websites with their Google or Facebook accounts suffer from security flaws that could allow scammers to log in as somebody else, security researchers have reported.
The researchers, from Indiana University Bloomington and Microsoft Research, say they have found a number of serious flaws in OpenID and the single sign-on system used by Facebook, as well as in implementations of those systems at several popular websites. Google and PayPal are among the users of OpenID.
"The problem here is that the authentication system makes life easier but it makes security management more challenging," said XiaoFeng Wang, one of the authors of the study.
Using a single sign-on login initiates a conversation between the website a user is currently visiting and the provider of the identifying account. The website asks for certain information to be verified, and the account provider responds with a thumbs-up or thumbs-down. But, as with most conversations, there is room for misunderstanding.
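To make the "conversation" concrete, here is an added illustration (not code from the study or from any provider) of the two halves of that exchange: the identity provider answers the website's question with a signed assertion, and the website, the relying party, accepts the thumbs-up only if every field matches the question it actually asked. The shared HMAC secret, the claim names (`sub`, `aud`, `nonce`, `iat`, `exp`, loosely modelled on common token formats) and the audience URL are all constructed for the example; real OpenID and Facebook flows use their own signing mechanisms. The point it demonstrates is where "room for misunderstanding" lives: an assertion that is genuine but was issued for a different website, or for a different login attempt, must be rejected just as firmly as a forged one.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed secret shared between the identity provider (IdP) and this relying party (RP).
# Real deployments sign with provider-specific keys; HMAC keeps the example self-contained.
IDP_SECRET = b"constructed-demo-secret-not-for-production"
RP_AUDIENCE = "https://shop.example"  # the website the user is visiting (constructed)


def rp_start_login():
    """Relying party: begin a login attempt with a fresh, unpredictable nonce."""
    return secrets.token_hex(16)


def idp_issue_assertion(user_id, audience, nonce, now=None):
    """Identity provider: answer 'who is this user?' with a signed, audience-bound assertion."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "aud": audience, "nonce": nonce, "iat": now, "exp": now + 300}
    # Canonical JSON so the signature covers exactly the bytes the RP will check.
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(IDP_SECRET, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "sig": sig}


def rp_verify_assertion(assertion, expected_nonce, now=None):
    """Relying party: accept the thumbs-up only if it answers the question *we* asked.

    Returns (user_id, "ok") on success, or (None, reason) describing which check failed.
    """
    now = int(time.time()) if now is None else now
    payload = assertion["payload"].encode()
    expected_sig = hmac.new(IDP_SECRET, payload, hashlib.sha256).hexdigest()
    # 1. Integrity/origin: was this really produced by the provider and left unmodified?
    if not hmac.compare_digest(expected_sig, assertion["sig"]):
        return None, "signature mismatch"
    claims = json.loads(payload)
    # 2. Audience: a genuine assertion issued for another website is not valid here.
    if claims.get("aud") != RP_AUDIENCE:
        return None, "audience mismatch"
    # 3. Binding to this login attempt: blocks replay of an old or captured assertion.
    if claims.get("nonce") != expected_nonce:
        return None, "nonce mismatch"
    # 4. Freshness.
    if claims.get("exp", 0) < now:
        return None, "expired"
    return claims["sub"], "ok"


def demo(now=1_700_000_000):
    """Run the exchange once correctly and then show three ways it can be 'misunderstood'."""
    nonce = rp_start_login()
    good = idp_issue_assertion("alice", RP_AUDIENCE, nonce, now=now)

    # Genuine assertion, but issued for a different website.
    other_site = idp_issue_assertion("alice", "https://other.example", nonce, now=now)

    # Genuine assertion, but from a different login attempt (stale nonce).
    stale = idp_issue_assertion("alice", RP_AUDIENCE, rp_start_login(), now=now)

    # Assertion altered in transit: identity changed, signature no longer matches.
    tampered = dict(good)
    tampered["payload"] = good["payload"].replace('"sub":"alice"', '"sub":"bob"')

    return {
        "good": rp_verify_assertion(good, nonce, now=now),
        "other_site": rp_verify_assertion(other_site, nonce, now=now),
        "stale": rp_verify_assertion(stale, nonce, now=now),
        "tampered": rp_verify_assertion(tampered, nonce, now=now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>10}: {result}")
```

Only the first case yields a user identity; the other three are each rejected for a different reason, which is the behaviour a relying party needs from its verification step regardless of which single sign-on protocol it speaks.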