As attackers continue to target large databases of passwords and users grow wearier by the day of creating new accounts and login credentials on each site they visit, the larger Web players are positioning themselves as not just social networking or retail hubs, but also as authentication providers. The latest to join this crew is Amazon, which is rolling out a service called Login With Amazon that enables visitors to participating sites to log in with their existing Amazon credentials.
Amazon is touting the service as a secure, easy alternative for site owners and app developers who don't want to go through the trouble of building a registration and authentication infrastructure. The system is built on top of OAuth 2.0 (RFC 6749), the IETF's framework for delegated authorization. Like the other providers' login services, it uses that framework for sign-in: the participating site sends the user to Amazon to authenticate, and receives back a token it can use to look up an identifier for that user, without ever handling the user's Amazon password itself. Amazon is offering SDKs for not just Web developers, but also for iOS and Android app developers.
Amazon is just the latest big company to make this kind of move. Microsoft, Google, Facebook and Twitter all offer similar services that enable users to log in to a compatible site or service with their existing accounts. Yahoo, for example, allows users to log in with their Google credentials if they choose, and many services, such as the music service Spotify, let users log in with their Facebook username and password. The services are an obvious convenience for customers, as well as for the site owners, who don't need to duplicate the authentication infrastructure of the larger services.
But such systems also can be a major target for attackers looking to compromise a large number of user accounts in one operation. The identity provider's account becomes the root of trust for every site linked to it. If an attacker is able to compromise a user's Facebook account, whether by stealing the password, hijacking a session, or taking over another account, such as an email address, that Facebook's recovery flow relies on, he would then have access to all of the accounts that user has tied to the Facebook login, and the participating sites have no independent credential of their own to fall back on. The same holds true for Amazon, Google and the other large players serving as authentication providers.
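To make both points concrete, the OAuth 2.0 authorization-code flow that these login services are built on and the reason the provider account becomes the root of trust, here is an added example, not code from Amazon, from any of the providers named, or from the original article. It simulates an identity provider and a relying party in one process and runs both sides' messages: the user authenticates only at the provider, the site receives a one-time code, exchanges it on the back channel for a token, and keys its local session on the provider's user id. The class names, client id and secret, callback URL and user record are all constructed for the example; Login With Amazon's real endpoints, parameters and SDK calls are not reproduced.

```python
"""Simulated OAuth 2.0 authorization-code login: provider and relying party, in-process.

Added example. Names, credentials and the user record are constructed; this is not
Amazon's code and does not use Login With Amazon's real endpoints.
"""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class OAuthError(Exception):
    pass


class IdentityProvider:
    """Hypothetical provider (the 'Login With <provider>' side).

    Only this side ever holds the user's password. The relying party below
    sees just short-lived codes and tokens issued here.
    """

    def __init__(self):
        self.clients = {}   # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}     # one-time code -> (client_id, redirect_uri, user_id, expiry)
        self.tokens = {}    # access_token -> user_id
        # Constructed user record; a real provider would store a password hash.
        self.users = {"user-123": {"password": "hunter2", "email": "alice@example.com"}}

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, state, user_id, password):
        """User authenticates at the provider; provider redirects back with a code."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:  # never send a code to an unregistered URI
            raise OAuthError("redirect_uri mismatch")
        user = self.users.get(user_id)
        if user is None or not hmac.compare_digest(user["password"], password):
            raise OAuthError("bad credentials")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, user_id, time.time() + 60)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back-channel exchange: code + client secret -> access token. Codes are single-use."""
        secret, _ = self.clients[client_id]
        if not hmac.compare_digest(secret, client_secret):
            raise OAuthError("bad client secret")
        entry = self.codes.pop(code, None)  # pop: a replayed code fails
        if (entry is None or entry[0] != client_id or entry[1] != redirect_uri
                or entry[3] < time.time()):
            raise OAuthError("invalid code")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = entry[2]
        return {"access_token": token, "token_type": "bearer"}

    def profile(self, access_token):
        user_id = self.tokens[access_token]
        return {"user_id": user_id, "email": self.users[user_id]["email"]}


class RelyingParty:
    """Hypothetical site offering 'log in with <provider>' instead of its own passwords."""

    def __init__(self, idp, client_id, client_secret, redirect_uri):
        self.idp, self.client_id = idp, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.session = {}  # a single browser session, kept deliberately simple

    def start_login(self):
        # state ties the callback to this browser session (defeats login CSRF)
        self.session["oauth_state"] = secrets.token_urlsafe(16)
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "state": self.session["oauth_state"], "response_type": "code"}

    def handle_callback(self, redirect_url):
        query = parse_qs(urlparse(redirect_url).query)
        expected = self.session.pop("oauth_state", None)
        got = query.get("state", [""])[0]
        if expected is None or not hmac.compare_digest(expected, got):
            raise OAuthError("state mismatch")
        tok = self.idp.token(self.client_id, self.client_secret,
                             query["code"][0], self.redirect_uri)
        prof = self.idp.profile(tok["access_token"])
        # Local identity is keyed on the provider's user id: whoever controls
        # that provider account controls this account as well.
        self.session["user"] = prof["user_id"]
        return prof


def build():
    """Constructed client registration shared by provider and relying party."""
    idp = IdentityProvider()
    idp.register_client("shop-client", "shop-secret", "https://shop.example/callback")
    return idp, RelyingParty(idp, "shop-client", "shop-secret", "https://shop.example/callback")


def run_login(idp, rp, user_id, password):
    """Drive one full login; returns the profile the relying party ends up with."""
    req = rp.start_login()
    redirect = idp.authorize(req["client_id"], req["redirect_uri"], req["state"], user_id, password)
    return rp.handle_callback(redirect)


def outcome(fn, *args):
    """Return 'ok' or the OAuthError message, so failure modes can be checked as values."""
    try:
        fn(*args)
        return "ok"
    except OAuthError as e:
        return str(e)
```

Two things to notice when reading the flow: the relying party's `state` check is what stops an attacker from logging a victim's browser into the attacker's provider account, and the password check happens only inside `IdentityProvider.authorize`, so a site using this pattern has nothing password-shaped to leak, but also nothing of its own to fall back on if the provider account is taken over.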
Attackers in the last few years have made a habit of going after password databases, especially those at large companies, knowing that many people reuse passwords on multiple sites. Password breaches have become a weekly occurrence, and users have gotten used to resetting their passwords on various sites. Reducing the number of resets they potentially need to go through is a win for users, but it also means that a single compromise of the provider account can expose every valuable account the user has tied to it.