I’ve been a fan of usability guru Jakob Nielsen’s regular update (Alertbox) for a long time. It’s admirable how he keeps re-emphasising the fundamentals again and again.
I suspect that half the reason I read the updates so regularly is the futile hope that somehow- maybe by osmosis- his common sense approach will percolate into my sub-conscious and lead to better outcomes for the online services I’m involved in.
Jakob Nielsen would no doubt laugh at such nonsense, throw up his hands, and demand that I user test to objectively determine that one way or another.
Anyway, his latest piece is on enterprise portals. That is not an area that I often venture into but he had some stuff about single sign-on (SSO) that caught my eye:
“Single sign-on is the Loch Ness monster of the intranet world: People hear about it and even believe it exists, but they’ve yet to see it for real…In our initial research 5 years ago, it was already clear that single sign-on could dramatically improve user productivity and satisfaction, as well as immensely reduce support costs.”
“Our second round of research confirmed single sign-on’s potential — and its elusiveness… True single sign-on was and is extraordinarily rare… We can only conclude that it’s very difficult to achieve, despite its promise.”
What’s true of the enterprise is even more so outside it, for the Internet.
The benefits and business case for enterprise SSO are undoubtedly great. But for the Internet? That’s an area that I personally struggle with, notwithstanding that SSO is the original use case for federation and, to some extent, can be provided by OpenID (provided the person has logged on to the OpenID Provider).
Now, Internet SSO does mean convenience. It surely is a good thing to log on once and then be able to do whatever a person wants across the Internet without logging in again.
What worry me are the security and privacy implications. Those aren’t that big a deal within an enterprise context but are on the Internet. And, within government online services on a national scale, even more so.
From a security perspective, it’s about the loss of keys to the kingdom- passwords are just too easy to compromise. Now, if passwords were used appropriately (i.e. only where there is a low level of identity-related risks) then the consequences from a compromised password wouldn’t be too bad. But, realistically, passwords today protect far too much and a compromised password can be a widespread disaster for the person.
Then, there’s privacy. Using the same username & password to do everything (or lots of things) then raises the possibility of aggregation of information and building profiles.
So is Internet SSO a good thing? Yes, provided it is implemented in a secure and privacy-protective manner. Problem is, can that be achieved in an economical manner (that rules out advanced crypto) for the Internet?