Wednesday, March 27, 2024

How NOT to do SSO.

tl;dr: make sure your password manager has all the right URLs... plus a Google sheet to aid in keeping your info up to date.

A while back Disney started to unify all your accounts into one login. The trouble is, they don't appear to follow the industry-standard SSO pattern where you actually log in at a single URL. Instead it's the same username and password entered on several different URLs...

One of the reasons this is a concern is password managers. I've been saved from phishing sites before because my password manager didn't recognize the URL of my bank. (Yes, I should be using a favorite.) I searched for my bank one day, and the first result was a really well done phishing site; luckily I didn't log in, thanks to my password manager not recognizing the login page.

Their site lists a bunch of places the account is used, but this once again doesn't function like a proper OAuth setup, where the identity provider links to said applications.

So I have hopefully found all the right sites in the spreadsheet; I'm also including them here for search algos.

My Disney Account
ABC News
National Geographic
NatGeo TV
FX Now
Walt Disney World
Disneyland Resort
Tokyo Disney Resort
Disney Vacation Club
Disney Cruise Line
Play Disney Parks
Golden Oak
Club 33
Disney Store
Disney Rewards
Disney Gift Card
ESPN Fantasy
ESPN - Foot Tips
Marvel Unlimited
Star Wars
Disney Movie Insiders
Disney On Ice
Run Disney
Disney Institute
Disney Weddings
ABC7 Los Angeles
ABC7 New York
ABC7 Chicago
6abc Philadelphia
ABC7 Bay Area
ABC13 Houston
ABC11 North Carolina
ABC30 Central California

An example of what my Bitwarden entry now looks like.
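The protection described above depends on how the password manager decides whether a stored URI matches the page you are on. The following is an added example, not code from the post or from Bitwarden; it reimplements the three common match modes (base domain, host, exact) against a constructed vault entry whose hostnames are assumptions for illustration, and shows why a lookalike domain does not trigger autofill while every registered Disney property does:

```python
from urllib.parse import urlsplit

# Tiny stand-in for the Public Suffix List (assumption: real password managers
# ship the full list). Entries here are two-label public suffixes.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def host_of(url: str) -> str:
    """Lowercased hostname of a URL, without scheme, port, path or credentials."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    return (parts.hostname or "").lower().rstrip(".")

def base_domain(host: str) -> str:
    """Registrable domain (eTLD+1) using the tiny suffix table above."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def uri_matches(entry_uri: str, page_url: str, mode: str = "base_domain") -> bool:
    """Does a stored URI match the current page under a given match mode?
    'base_domain' (the usual default), 'host', or 'exact'."""
    if mode == "exact":
        return entry_uri.rstrip("/") == page_url.rstrip("/")
    entry_host, page_host = host_of(entry_uri), host_of(page_url)
    if mode == "host":
        return entry_host == page_host
    return base_domain(entry_host) == base_domain(page_host)

def autofill_candidates(entry_uris, page_url, mode="base_domain"):
    """Stored URIs that would allow the entry to autofill on page_url."""
    return [u for u in entry_uris if uri_matches(u, page_url, mode)]

# Constructed vault entry for the shared Disney login. Hostnames are
# illustrative assumptions, not a verified list of Disney login hosts.
DISNEY_ENTRY = [
    "https://www.disneyplus.com/login",
    "https://abcnews.go.com/",
    "https://www.espn.com/login",
    "https://www.nationalgeographic.com/",
]

def would_fill(page_url: str, mode: str = "base_domain") -> bool:
    """True if the Disney entry would be offered on page_url."""
    return bool(autofill_candidates(DISNEY_ENTRY, page_url, mode))
```

Note that a URI under a shared parent such as go.com matches every other go.com host in base-domain mode, so for entries like that the tighter host mode is the safer choice.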
