

Zero Sign On - 1 better or Infinitely better than Single Sign On? - pius
http://drnicwilliams.com/2008/02/22/zero-sign-on-with-client-certificates/

======
rcoder
This isn't "better" than Single Sign On; if anything, I would call it a
complementary, not competitive, technology.

A client certificate is a statement of trust for a particular _machine_, not
a user. They can be very useful when you want to do the equivalent of
IP-address restrictions for access to a service, but want to support mobile
systems and/or need stronger guarantees than simple IP checking provides.

The biggest problem with client certs, in addition to the "multiple users
sharing a machine account" gotcha mentioned in the article's comments, is that
there is no "logout" mechanism. I can't let someone else use my machine
without logging out of the local account and in to another guest account,
because the cert is always going to be presented.

~~~
gduffy
If someone would just do the signing-dongle thing in a user friendly way,
maybe plugging/unplugging that is closer to authenticating the user
('something they have': the dongle, 'something they know': a passphrase to
activate the dongle on plugin). Then the browser could use that as the
signer/verifier.

I do something similar with a standard usb drive and pageant + portable
putty/winscp.

~~~
wmf
<http://news.ycombinator.com/item?id=114861>

------
BrandonM
This title really confused me... it looked like a really strange math
question, as in:

    0 sign on -1 better or infinity better than single sign on [what?]

At least, that's what I saw at first. But I'm probably the only one.

