• LWD@lemm.ee
    link
    fedilink
    arrow-up
    10
    ·
    1 year ago

    Federated identity and oauth are great tools… It’s a trust model. Like the fediverse.

    Not exactly sure if the Fediverse is a great example of user privacy.

    What happens when the federated identity provider gets breached, and a bunch of identities are associated with a single account?

    How much information can actually be kept out of a database if you use a federated identity provider… A password? Even assuming they are stored in plain text, you should be using a different password per website.

    • Brkdncr@sh.itjust.works
      link
      fedilink
      arrow-up
      1
      arrow-down
      1
      ·
      1 year ago

      They handle it better and your options to respond are better.

      You can immediately invalidate all associations for instance. You can revalidate them too once your identity provider is back up and running. Okta is going through this right now I believe, but I haven’t been paying a whole lot of attention to it.

      There’s no password with federated sites. It’s certificates to prove the connection is valid, and tokens.

      The federated website could chose to save nothing about you. It would make it a lot easier for them to do so, as it means less resources to manage, and less PII to be concerned about storing.