The safe way to use one Internet password
(PhysOrg.com) -- A little-used Internet authentication system from the 1980s could provide the answer for enabling web users to securely log in only once per Internet session, a Queensland University of Technology researcher has found.
PhD researcher Suriadi, from QUT's Information Security Institute, said a secure single-sign on system was more than simply using the same password for multiple accounts.
Mr Suriadi said any future single-sign on systems, which could potentially give web users access to a multitude of accounts, including email, bank and shopping, would require extreme privacy to avoid information spies and account hackers.
"Single-sign on systems are already being used by organisations," he said.
"For example, a bank could link their Internet banking site to an online trading site, thus relieving users from having to perform an extra log in step.
"However, if one of the parties is compromised, for example by a virus, a 'denial of service' attack or insecure set-up, it puts all the user's linked accounts at risk."
Mr Suriadi said his research investigated a little-used "anonymous credential system" which dates back to the 1980s, but recently received renewed interest from the research community.
"Using this credential system, we could enhance the security and privacy of a single sign-on system," he said.
"The system works by revealing as little information about who you are as necessary for logging into an account, therefore allowing you to remain anonymous.
"This way, a company wouldn't be able to track your shopping habits and target spam or marketing at you. This method could also confirm you are over 18 and not reveal your birthday."
Mr Suriadi said a single sign-on system backed by the anonymous credential system required the cooperation of businesses and organisations to enable it.
"One use of this could be for the research community, with online libraries and databases applying the anonymous credential system so that the privacy of researchers can be preserved," he said.
"This would be useful for people researching sensitive issues."
Mr Suriadi said for the purposes of accountability, such a system would also allow authorities to revoke users' anonymity in cases of illegal activity.