Sunday, May 30, 2010

Single Sign-on Startup Opportunity Has Passed

For as long as I can remember, computer users have been complaining about the array of names and passwords required to get work done – a different unique user identification name and password are required to start the computer, email, social networks, banking, read online news, connect to the office, or check your phone bill.

Computer jocks all fantasize about having one magic password or bionic finger that will eliminate the “sticky notes” that normally line the displays of avid computer users. So why hasn’t this problem been solved long ago by the many experts, startups, and “solutions” already out there?

Certainly this is a challenging technical problem, if you look at the problem in a macro sense:

  • Must accommodate existing applications with proprietary login functionality
  • Enterprises expect a solution across disparate old and new platforms
  • At least two authentication technologies are competing: Kerberos and digital certificates
  • Multiple levels of security required – sign in to instant message vs transfer funds
  • Passwords have to be changed often, and increasingly non-trivial to foil hackers and bots

But I suspect the real problem here is that the dream of a “one size fits all” solution simply doesn’t make sense. It’s sort of like the people who think all cars, or even all vehicles, should operate and drive the same. It won’t happen, for some very pragmatic reasons.

What will happen and should happen is that sign-on will get more automated, more intuitive, and better remembered across relevant access domains. The alternatives out there now have come a long way:

  • Early hardware solutions involved plugging in a USB “dongle” or security token which had a unique hardware id that could be automatically polled and associated with your unique sign-ons. Matrixlock, Senselock, and UniKey are among the popular vendors even today.
  • Later came a flood of software packages that stored an encrypted version of your userids and passwords on your hard file. These are essentially an automated and secure version of the post-it notes, and include names like KeePass and Mitto.
  • My laptop has a built-in fingerprint sensor that can be easily set up for a specific password when “swiped.” IBM invented this, but most others have it now also. Secure Services Corporation has a software implementation that uses biometrics.
  • There are numerous single sign-on products on the market, such as PassLogix, AccessMaster, Entrust/SignOn, MetaPass SSO, OneSign, and SecureLogin. These typically take some integration or special setup to work with existing applications.
  • The latest type of solution is called a “web profile aggregator” built as a portal to a group of similar applications or premium content which can be accessed through a common login. Examples include, Mugshot, and Naymz. A new one I have used is called iLogon.

As Web 2.0 takes over the consumer world, and Software as a Service (SaaS) finds a place in the enterprise, this problem gets easier. My goal is to get down to a half-dozen logons and passwords, or even just a single sticky, and with the tools above, I’m almost there. I’ve already eliminated the unencrypted text file of passwords on my laptop.

From my perspective, a half-dozen variations is about right, to match the different types of applications and security required. So let’s forget that fool's gold for startups to think that they can achieve "single sign-on" capabilities for their users. I think it’s time to add this one to my list of startup opportunities whose time has come and gone.

Marty Zwilling




  1. Sir I am new to this, but was been quite a user of openid and products, can you please explain a more is the future also have gone for such big platforms like

    Can't new startups can watch and do something on this?

  2. of the various ones you describe, which did you settle on? Thanks

  3. @The Angel Pitch Guy, I have an IBM Thinkpad, so I use the bionic finger sensor. Otherwise, I don't use any of the tools. I have high, medium, and low security passwords which I reuse for many services.

    @Anonymous, the problem with Openid and other initiatives is that every application has to implement and maintain it, which costs them money and time. That will never happen for legacy apps, it's tough to convince any app company to implement multiple logon schemes. As a result Openid and others like it are suffering, and very slow to be adopted. That's one reason I say this is not a good startup opportunity.

  4. Sir I agree with you at some extends, but if i want to start in field like starting some small statup what would u recommend me beside these ideas?

    What is hot and new tech. trends you would like us to recommend?

  5. Hi Marty,

    I’m a big fan of your blog, and read it daily. I was excited that my startup, Mitto (, was referenced in today’s post, even though not with complete accuracy. I wanted to clarify that Mitto is an online password manager. Nothing is stored on your local computer, and your credentials are stored securely encrypted in the “cloud” (SaaS), making them accessible securely from anywhere.

    I have to disagree that the opportunity for a single sign-on startup has passed. I’ll provide a few key points here to make my case as to why startups like Mitto (a free secure and easy to use online password manager) address a market need with growing demand.

    1. People want access to their passwords from everywhere. Internet users often use more than one computer to go online (home, work, school, etc.). Because we are an online password manager, this means that you can always have access to your most up-to-date passwords on your laptop, your desktop at home, or any other computer without needing to synchronize or make backups. This is where traditional password management solutions fall short.

    2. Users want a solution that works with all their passwords. Mitto works with any website (we have thousands you can easily search for & add, but adding your own is easy), and doesn’t require special integration to automatically log you in. You can watch this short video showing how easy it is to use our Mitto Bookmarklet to log you into your sites. Although it has been implemented by many sites, OpenID can never fully solve the password problem for the average user because most sites can not (don’t have the technical expertise) or will not (don’t want to) implement OpenID or similar technologies. If, as a user, four of my password protected sites don’t use OpenID, then I still need a way to remember those passwords. Mitto also allows you to store other types of passwords and additional information (tags & notes), something lacking in OpenID.

    3. People want ease of use and security without the hassle. The average consumer doesn’t want to carry around an extra key fob or USB device just to use when they want an additional layer of security when they log in. Mitto adds two-factor authentication by using something that most people already have, a cell phone. Each time you try to log in from a public (untrusted) computer, you’ll need to enter a unique one-time code that is sent as a text message to your cell.

    4. There is a growing need for a way to manage shared passwords among individuals. Here are just a couple of examples where people need to share a password:
    * a family sharing a Netflix account
    * roommates sharing access to the cable bill website
    * students sharing access to an online document repository for a project
    * a small travel company whose employees share access to a common booking portal

    Our password sharing feature lets you share these passwords, and manage them so that if one person is required to change the password, it gets updated transparently for the others.

    A number of the technical challenges you bring up resonate more in larger, corporate environments. Mitto is oriented toward individual consumers and users within small businesses.

    I hope you’ll take a moment to get more familiar with the Mitto service and see how it can make managing and logging into your websites easier and more secure. I’m happy to take the time to explain any feature to you or to answer any questions.

    Keep up the great posts.

    Arsen Ovanessoff
    CEO and Founder

    Follow Us:

  6. @Anonymous, for some other opportunities for startups, see

  7. @Arsen, thanks for your positive feedback, and a good overview of Mitto. I need to take a hard look at this one.

  8. LastPass is the solution.

  9. Nice article, Marty.
    I recently wrote an article that documents some pros and cons of OAuth, and why we finally decided against implementing OpenID authentication for our own authentication process.

    Keep up the good work!

  10. Implementing the functionality of login the main key points that are concluded are its authentication and token key which helps to implement the login.These steps are helpful for implementation of its functionality.

    openid connect