Also why is it sometimes called a federated ID? Does it have to be an email address or could any value work?

  • towerful@programming.dev
    1 year ago

    “An SSO page” as in the log in page?

    Well, first of all the website you want to log into needs to be a part of the scam (ie it’s a dodgy website or it’s been hacked). Hopefully you spot red flags for this.

    An ideal SSO login/sign-up flow would only rely on an existing session. So you go to your federated identity site yourself, login, then your identity can be used with other services.
    So a scammy website launching a login flow should be a red flag.

    The next best ideal is that a login flow redirects you to your federated identity login, giving you a chance to inspect the URL.
    Hopefully you spot the URL is incorrect.

    Any flow that pops up a new window that doesn’t have the address bar would make it easier to hide the scammy login page.

    Luckily, most federated identity sites use a fairly long session (like a month). So, if a login flow for an existing session (which would normally be a brief flash of a new window) is suddenly asking for a username and password, hopefully that is a red flag.
    Additionally, the login flow usually remembers the username/email and will only ask for your password. So it asking for your email should be a red flag (although this doesn’t help if you are using a different device).

    Federated identity sites should also be used with Multi-Factor Authentication. So, even if a scammy site manages to get you to enter your username, password and MFA code, it’s either unusable (because it’s not time-based MFA) or the timeframe of being able to leverage it is mere minutes (for TOTP).
    And the hassle of dealing with MFA is done once a day (or week or month or whatever), instead of every login.

    And finally, if a scammer/hacker gets through all of that, they have to try and take control of your federated identity.
    SSOs should be hardened to anything they do.
    When they log in, the SSO should detect a new device/IP accessing your account.
    You should get notifications of a new device logging in with a button to click that says “that’s not me”.
    That button invalidates all logged in sessions, and will take you through a credentials change flow (ie new password).

    The level of sophistication required to pull this sort of thing off is incredibly high.
    And even for compromised identities, there are instant “I’ve fucked up” notifications/buttons.
    The “eggs in one basket” thing is more like “eggs in one bunker with a lot of extra security”.
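
The new-device alert and “that’s not me” button described in the comment above, as an added sketch that is not part of the original comment or any real provider's code. `SessionGuard`, its method names and the device identifiers are hypothetical, and credentials and MFA are assumed to have been verified before `record_login` is called.

```python
import secrets


class SessionGuard:
    """Hypothetical in-memory model of an identity provider's session store."""

    def __init__(self):
        self.known_devices = {}   # user -> device ids seen on earlier logins
        self.sessions = {}        # session token -> (user, device)
        self.alerts = {}          # one-time "that's not me" token -> (user, device)
        self.must_reset = set()   # users who must change credentials first

    def record_login(self, user, device):
        """Return (session_token, alert_token); alert_token is None for a known device."""
        if user in self.must_reset:
            return None, None                    # locked until credentials change
        session = secrets.token_urlsafe(32)
        self.sessions[session] = (user, device)
        seen = self.known_devices.setdefault(user, set())
        alert = None
        if seen and device not in seen:          # the very first device is enrolment
            alert = secrets.token_urlsafe(32)    # carried by the notification button
            self.alerts[alert] = (user, device)
        seen.add(device)
        return session, alert

    def report_not_me(self, alert_token):
        """Button click: revoke every session of the user and force a reset."""
        entry = self.alerts.pop(alert_token, None)   # token works only once
        if entry is None:
            return 0
        user, device = entry
        revoked = [t for t, (u, _) in self.sessions.items() if u == user]
        for token in revoked:
            del self.sessions[token]
        self.known_devices[user].discard(device)     # reported device is unknown again
        self.must_reset.add(user)
        return len(revoked)

    def is_valid(self, session_token):
        return session_token in self.sessions

    def complete_reset(self, user):
        """Call once the user has set new credentials."""
        self.must_reset.discard(user)
```
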