Why can’t we have federated identity to login into fediverse instead of creating login for each instance?

  • Kichae@kbin.social
    link
    fedilink
    arrow-up
    8
    ·
    1 year ago

    So, anyone can spin up a Lemmy website. They’re all independent sites, with independent and unaffiliated admins.

    In order to sign in to a website with a given set of credentials, that website needs to know something about those credentials. Importantly, they need to know something about your password.

    And that’s a security nightmare that no user should be ok with.

    Now, there are single sign-on (SSO) possibilities, but for them to be universally accessible across the Fediverse, you either need to impose them on 20,000 admins across two dozen software implementations, or you need them all to a) agree to support SSO, and b) agree to support the same SSO options.

    Despite the fact that most of these websites look the same, they’re all completely different websites, and while they can be treated, on first glance, as having the same content, they’re very different places run by very different people. They can’t be treated like a singular entity.

    • masterspace@kbin.social
      link
      fedilink
      arrow-up
      2
      ·
      edit-2
      1 year ago

      Now, there are single sign-on (SSO) possibilities, but for them to be universally accessible across the Fediverse, you either need to impose them on 20,000 admins across two dozen software implementations, or you need them all to a) agree to support SSO, and b) agree to support the same SSO options.

      Yeah, this is the real crux of the issue and is a large unsolved problem. We simply have no standardized system for decentralized identity verification.

      SSO works as a way of maintaining identity across the fediverse, but that’s not really federating identity so much as it’s getting all instance to offload identity verification to various central services.

      I believe I heard Microsoft had a research project in the area of decentralized identity verification but I don’t know if it went anywhere or how suitable it would be.

      • theJoker8814@mastodon.social
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        @masterspace @mango_master @Kichae

        The matter of fact is , just in simple terms for SSO to work, every fediverse implementation has to agree on a standard for federated authentication.
        Maybe, I’m just not seeing the issues or don’t really grasp fediverse and it’s implementations yet.

        My idea, every fediverse instance is unique (no matter the implementation, i.e. mastodon, lemmy, pixelfed,…).

        • theJoker8814@mastodon.social
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          @masterspace @mango_master @Kichae

          If that’s given, every entity (@‘person, @‘community, …) on each instance is unique.
          Therefore, there can never be a duplicate identity = <entity>@<instance.domain>
          Which allows the general assumption (all implementations adhere to the standard) each instance (homing instance, where the user is based) can verify the every identity within it’s domain.

      • anji@lemmy.anji.nl
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        1 year ago

        But do we need some kind of SSO layer with DID verification? All I need to prove my identity anywhere, technically, is my private+public keypair. As long as I hold on to this keypair, distribute it between apps/computers, back it up, I could log in anywhere on a federated platform and use it.

        I hope we’re going to see key-based decentralized identity on ActivityPub at some point… Having accounts tied to instances is just not very robust or scalable.