SimpleLogin Tested, OAuth

Ref link: SimpleLogin

Decided to check this service out just for fun. I don't even remember where I spotted the link or how did I find it out, but there's what I observed.

Initial experience

Yet another identity provider, and some classic security fails. First of all they send confirmation email, in the email the link description says HTTPS but the actual link is over HTTP only, not using HTTPS. What a fail. It seems that it's due some lame click tracking scheme. Of course this also means that the authentication code with the link is passed over HTTP. Well, not necessarily, it seems that the horrible click tracking junk URL doesn't contain the same authentication code which is in the HTTPS link. I guess it just redirects user to that URL, which still most likely leaks the authentication code. Let's confirm that with cURL. Yes, that's exactly as expected code 302 with location (using HTTPS), but because the redirection contained the authentication code, it's already leaked. Just wondering, why not to use the right link straight away and forget HTTP and tracking.

The email itself was sent using the SendGrid service, I guess that's they modified the links in the email by adding the lame click tracking into email a href URL references, even if the email sent to the service might have originally contained the URL with HTTPS. Let's verify using the link in email who's providing the redirection service. Yeah as expected, IP AS = SendGrid. Also the password reset link in the email is using HTTP.

Next problem, the email reset link says the link is already expired, but still allows me to enter the new password. Seems like something is broken here. Reason of course could be that my JavaScript execution is blocked, and the script should have hidden that message, if the link is still valid (?). Well, it seems that their code is broken, the password reset link is already expired when the email arrives. I don't know if some other app makes one request for that link (like email application preview pane), and the link is designed to expire after first request or something. But in general, it doesn't work. - Confirmed, that's the "way it works" ahem, doesn't work I mean. - Job done -. After entering the new password, the new password isn't stored into database, because the link is already expired. So it leads to highly confusing user experience.

Further Analysis

The SimpleLogin is currently priced very nicely, being a lot cheaper than many other similar services. Currently it supports only one domain for disposable email service addresses. As pro, the email forwarding is very fast and the emails are forwarded with minimal delay. It can be expected that if the service gains any popularity, service providers start banning it's domain to be used with disposable addresses. That's nothing new, this is something which happens to all similar providers.

The UI is nice, simple and working well and the UX is generally good, excluding the issues I mentioned earlier. Value as "login provider" is currently negligible and the service itself could also indirectly cause a security hazard. Of course using any email forwarding or external identity service for any important accounts would already be a grave risk to take. That's one of the problems with OAuth and federated identity in wider scope.

But then I've got surprised in a very positive manner. I've been writing about agile development. I sent my observations as a feedback to them, and it took around one hour for them to get all the issues mentioned above fixed. Awesome! This is what I call true agile development. So the the click tracking and HTTP links are gone, as well as the password reset links are now working correctly. Then we entered little conversion about the issues related with the 3rd party identity services and email forwarding.

But as mentioned, most of sites don't want to use 3rd party login federation due to security / trust issues? Using the SimpleLogin or any other third-party identities using proprietary or OAuth (or any other) federation doesn't provide them necessary additional value or benefits over the potential risks. OAuth is proven to be a great cross service identity / federated login feature, but everyone wanted to work as a identity provider, yet at the same time didn't want to accept authentications (or identities) provided by any other services. Which pretty much makes providing identity a irrelevant.

From the technical perspective I love everything SimpleLogin is. I were wishing that OAuth would have become widely used when it was published. But as we know, It didn't happen. Having Simple SSO to multiple services, without providing too much personal information (PII) would be great. From end-user point, I would love to have simple and easy way to login into secondary services, using SSO alone and without going through annoying user account registration. It would be perfect if forums and other not so important services would allow something like SimpleLogin to be used. Currently Google, Twitter, Facebook and GitHub accounts can be used in this manner just to mention a few popular ones. Of course the Stack Exchange has implemented these features in exceptionally nice way and there are marginal providers like Ubuntu One, etc.

Providing additional value

Maybe SimpleLogin could provide in future passwordless FIDO2 / WebAuthn logins or provide 2FA / MFA using TOTP / U2F and provide additional authentication value over systems, which do not support such features. That could bring extra value for sites which don't want to bother implementing those features by them selves. In Finland there are a few official national identity providers which are utilizing this kind of delegated authorization via chain of trust and identity delegation. Allowing using authentication methods, which aren't directly supported by services indirectly.

Read: SimpleLogin documentation, which well describes how to integrate their identity service with your service.

Check out: List of OAuth providers @ Wikipedia and OpenID Connect @ Wikipedia

Unfortunately currently and personally I don't see any use for this specific service, but that's because I happen to have membership with several similar service. As example, I'm using Ubuntu One, GitHub, Stack Exchange. I don't usually like using SSO between different services, because I personally see it as a security risk. As example you'll link everything to your Google Account and then they close it down without any warning. That has happened to many people and it sucks. Therefore, every service should have totally independent login information, with secure and random password / identity token, which makes linking accounts hard.

For temporary email forwarding I'm using the Trashmail service, which is really awesome service. Yet, SimpleLogin is a lot cheaper option, so that make it worthwhile even if you don't actually need the OAuth identity provider service for anything.

I wish for a very bright future of SimpleLogin. If nothing else, it's a great project for the developers to learn from. I personally like concept where learning happens by building something real, instead of just talking theoretical models.

KW: OAuth2, OpenID Connect, RESTful HTTP API, JSON, Authentication, Authorization, Access and Identity Management, Disposable Email, Simple Login, Federation, Federated, Access Token, Federated Authentication, Delegated Authorization, Authentication Server