Problematic security solution in Stockholm's e-services
Written by Matilda Johansson
I recently noticed, when I was about to book the laundry room, that Stockholmshem had launched a new site. Nice and fresh, as new sites usually are. But two things struck me.
One was that an enormous number of pages on stockholmshem.se that Google had indexed had disappeared, and that they did not point to new URLs. Unbelievable that this can still happen in 2019.
The second was that I could now log in with BankID. Smooth.
When I clicked the link for the BankID login, I ended up on the City of Stockholm's site. A little strange, I thought, but then the City of Stockholm does own Stockholmshem, so perhaps it is even reasonable.
After logging in to Stockholmshem, I thought I would check the Housing Agency's website to see whether any exciting new apartment had turned up to dream about. Imagine my surprise when I realised I was already logged in there!
Then I realised: since the sites use the City of Stockholm's login system, logging in to one of them automatically logs me in to all of the City of Stockholm's e-services.
Technically this is ordinary single sign-on: the city's login system keeps one session for the whole city, and every connected e-service trusts that session. The confusion arises because nothing tells the user that the session is shared. From a security perspective, this raises several questions. Does a user expect to be logged in to one site because they logged in to another? How does it affect their security thinking? How do people react when they discover they are logged in to more than one site? Do they assume their accounts have been hacked? Conversely, it can also confuse users who are logged in to several sites and doing different things in different browser windows. When you finish on one site, you log out there, because that is what you do. But what if that also logs you out of all the other sites where you are still working?
One way to reduce the confusion and uncertainty is to show the user a message when they arrive at a site other than the one they originally logged in to, along the lines of: "Do you want to use your login from site X here as well?"
Another is to list all the services that the login covers.
A third is to divide the login into separate "zones". If you log in to Stockholmshem, you are logged in there, and only there. If you log in to the Housing Agency, you are logged in there, and only there.
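To make the three options concrete, here is a small Python model of a shared login session at an identity provider, written for this page as an added illustration; it is not code from the City of Stockholm's login system, and the provider, the service labels and the three policy names are assumptions. It replays the scenario above under each policy: the unannounced shared session described in the post, a consent prompt before a second service joins the session, and per-service zones with zone-scoped logout.

```python
"""Toy model of a shared single sign-on (SSO) session at an identity
provider, used to compare the three mitigations discussed above.
This is an added illustration, not the City of Stockholm's login
system: the provider, the relying-party labels and the three policy
names ("global", "consent", "zoned") are assumptions for the example."""
from dataclasses import dataclass, field
from typing import Optional
import secrets

# Relying parties (e-services) assumed for the example; these are
# illustrative labels, not the real hostnames.
STOCKHOLMSHEM = "stockholmshem"
HOUSING_AGENCY = "housing-agency"

NEEDS_LOGIN = "needs-login"      # the service must send the user through BankID again
NEEDS_CONSENT = "needs-consent"  # ask "use your login from site X here as well?"
LOGGED_IN = "logged-in"


@dataclass
class Session:
    user: str
    rps: set = field(default_factory=set)   # services this session currently covers


class IdentityProvider:
    """One browser cookie (sid) maps to one Session. The policy decides how
    far that session reaches:
      global  - every service is logged in as soon as one is (the behaviour in the post)
      consent - a new service joins the session only after the user says yes
      zoned   - each service needs its own login; the session never reaches others
    """

    def __init__(self, policy: str):
        if policy not in ("global", "consent", "zoned"):
            raise ValueError(policy)
        self.policy = policy
        self.sessions: dict = {}

    def login(self, user: str, rp: str, sid: Optional[str] = None) -> str:
        """Complete a fresh (e.g. BankID) login for rp; returns the sid cookie."""
        if sid is None or sid not in self.sessions:
            sid = secrets.token_urlsafe(16)
            self.sessions[sid] = Session(user)
        self.sessions[sid].rps.add(rp)
        return sid

    def access(self, sid: str, rp: str) -> str:
        """What the provider tells rp when the browser arrives with cookie sid."""
        s = self.sessions.get(sid)
        if s is None:
            return NEEDS_LOGIN
        if rp in s.rps:
            return LOGGED_IN
        if self.policy == "global":
            s.rps.add(rp)          # silently extended: the surprise described in the post
            return LOGGED_IN
        if self.policy == "consent":
            return NEEDS_CONSENT
        return NEEDS_LOGIN         # zoned: a new service means a new login

    def grant_consent(self, sid: str, rp: str) -> None:
        """The user answered yes to the consent prompt (consent policy only)."""
        if self.policy != "consent":
            raise RuntimeError("consent prompt only exists under the consent policy")
        self.sessions[sid].rps.add(rp)

    def services(self, sid: str) -> list:
        """The services this login currently covers (the second mitigation)."""
        s = self.sessions.get(sid)
        return sorted(s.rps) if s else []

    def logout(self, sid: str, rp: str) -> list:
        """Log out from rp; returns the services that were actually logged out."""
        s = self.sessions.get(sid)
        if s is None:
            return []
        if self.policy == "zoned":
            s.rps.discard(rp)      # only this zone ends
            if not s.rps:
                del self.sessions[sid]
            return [rp]
        # global and consent share one session, so logout is single logout across
        # everything it covers; under consent the user at least agreed to the sharing
        # and services() shows what is about to end.
        ended = sorted(s.rps)
        del self.sessions[sid]
        return ended


def walkthrough(policy: str) -> dict:
    """Replay the post's scenario (log in at Stockholmshem, visit the Housing
    Agency, log out there) under one policy and report what the user sees."""
    idp = IdentityProvider(policy)
    sid = idp.login("user", STOCKHOLMSHEM)
    first_visit = idp.access(sid, HOUSING_AGENCY)
    if first_visit == NEEDS_CONSENT:
        idp.grant_consent(sid, HOUSING_AGENCY)
    elif first_visit == NEEDS_LOGIN:
        idp.login("user", HOUSING_AGENCY, sid)
    covered = idp.services(sid)
    ended = idp.logout(sid, HOUSING_AGENCY)
    still_in_first = idp.access(sid, STOCKHOLMSHEM) == LOGGED_IN
    return {"first_visit": first_visit, "covered": covered,
            "logout_ended": ended, "still_logged_in_elsewhere": still_in_first}


if __name__ == "__main__":
    for p in ("global", "consent", "zoned"):
        print(p, walkthrough(p))
```

Run as a script, the "global" policy shows the post's experience exactly: the second site is logged in without any prompt, and logging out there ends the session at the first site too. The "consent" policy keeps the shared session but makes it explicit, and the "zoned" policy is the only one where logging out of the Housing Agency leaves the Stockholmshem login untouched.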