Identity is the only security boundary that has ever mattered in computer security defense. Physical boundaries, firewall boundaries, security domains, forests, realms and virtual networks… none of those matter if a single logon credential that can access multiple domains is compromised.
Today’s identity solutions are able to access sometimes hundreds of thousands of different security domains using a single credential, but surprisingly can do so while decreasing overall risk. How is this possible?
Identity in the early days
In the early days of computers and networking, most people used a single logon name and password to access everything. This proved to be a very bad strategy, as the compromise of one computer could lead to a compromise of every other computer sharing the same logon credentials. Everyone was told to create a different password for every different system they accessed.
With most people now accessing dozens to hundreds of different password-protected resources, using different passwords for each resource required either writing them all down (a big no-no), using a password manager (which stored all the passwords and maybe also auto-logged people in as they visited all the different sites), or some sort of single sign-on (SSO) solution.
SSO solutions became fairly popular in the enterprise and password managers became fairly prevalent in the home user space. But both types of solutions have never worked across all security domains and platforms with a decent amount of consistency. A few broadly applying SSO solutions were created, tried and abandoned, such as Microsoft’s original Passport and the decentralized OpenID standard. None of the mid-term SSO solutions really took off despite all their promises of global use and acceptance.
It took social media killer apps, like Facebook and Twitter, to run roughshod over the rest of the identity also-rans for new winners to emerge. Their huge user populations assured that whatever solution and protocols they used were going to end up being global and pervasive. New global identity standards and solutions popped up overnight — or so it seemed to identity observers. The new solutions were not always globally trusted and agreed upon. It hurt the feelings of many smart, dedicated people who had been working on other, potentially better solutions, for far longer. It didn’t matter. Assimilate or fall behind.
After the initial pain of being pushed around by a few 800 lb. gorillas subsided, the forced new standards ended up being a good thing. The end result is that we have fewer, but more popularly accepted SSO authentication standards to choose among. And they can be used across both enterprise and consumer platforms.
When discussing today’s identity solutions you’ll hear the following protocols and solutions bandied about: Facebook’s Graph API, oAuth, OpenIDConnect, xAuth, SAML, RESTful, and FIDO Alliance. After decades of trying, the world of pervasive identities is finally coming within reach. On many web sites, you can use your Facebook, Twitter, or favorite oAuth- or xAuth-enabled SSO logon to authenticate. There are still interoperability problems, but those barriers are coming down fast.
Today, you can use your password, phone, digital certificates, biometric identity, two-factor authentication (2FA), or multi-factor authentication (MFA) SSO solution to logon to a myriad of sites. Each identity can have different “attributes” or “claims” associated with it, be associated with one or more trusted devices, have different assurance levels, and be used on different sites of your choosing.
Of course, right now, we don’t have universally accepted SSO that works at all sites, but we’re getting closer. And now that we are closer, I’m almost certain we don’t really want it.
There is a distinct need for most of us to have multiple identities tied to different things. For example, most of us have work and personal accounts. My work wants the ability to retain all my work-related content at all times and even has the ability to immediately erase all work content if they terminate my employment. At the same time, I don’t want my work admins having access to my personal content browsing history on my home computer. I don’t want my personal documents somehow ending up on my work computer and vice-versa, which does sometimes happen today with our more pervasive global identities. I remember how surprised I was when my wife plugged her iPod into my work computer to charge and suddenly her iTunes had copies of my work documents.
Perfect single identity
In my perfect world, it would be great if I had a single, global identity that had different “personas”, such as “Work Roger” and “Home Roger”, that I could apply in different use case scenarios and that would be sure to keep the different content and resources separate. It will probably work that way in the future, but we are not quite there yet.
Doesn’t a single sign-on open up more risk?
You may be wondering if having a single, unifying identity (or even just fewer, but more pervasive identities), means that a single identity compromise will lead to a worse set of consequences due to the single failure. After all, isn’t using a single identity sign-on a lot like using a single password for all your web sites? Have we gone full circle just to end up with the same problems?
Yes and no, and mostly no if you do the right thing.
If the global identity mechanism you are using gets compromised at its source (i.e., the identity provider), there is a greater risk that the compromised identity can be used at more places. For example, if a bad guy compromises your Facebook account logon name and password, it is more likely that he might be able to access everywhere you logon using your Facebook account credentials.
But that’s why Facebook, and most other popular social sites and authentication providers are pushing stronger 2FA and MFA solutions, and you should use them. That way even if the hacker gets your password, he doesn't get (at least not immediately, if ever) the second factor or physical device required as part of your authentication.
Additionally, most of the global identity solutions don’t use a single authentication token on the participating sites. Instead, your “global token” is used to create separate site- and session-specific authentication tokens that are never used at other sites. This means if an attacker breaks into a particular site that relies on your global authentication token, it can’t be used elsewhere. It’s win-win. Much better than a shared password.
I do worry about the casual use of biometrics and how they may one day be stored in everyone’s global identity account. Biometrics are never as great as they are purported to be. They aren’t as accurate as claimed, often easy to fake, and often don’t work (just have a little sweat or dirt on your fingerprint and try using your fingerprint reader).
But suppose you are a big biometric fingerprint fan and you want to be able to use them to access any website, so you pick a global authentication provider that accepts your fingerprints. It sounds like a great idea. But once we start storing fingerprints in global identities, attackers who compromise the identity provider will have your fingerprints…forever. They could possibly “be you” on all the other web sites that accept your fingerprints.
So far two things have saved us from biometric identity theft being a widespread problem (beyond the fact that biometrics just aren’t accepted in many places beyond phones and laptops). First, most biometrics are stored and used locally. This means the hacker has to access and compromise your device to get access to your biometric identity, and even if he gets access, the biometrics would not work beyond that single compromised device.
A second, and related issue, is that once you logon using your biometric identity, what happens authentication-wise from then on is that the authentication system uses one of the other previous discussed authentication methods. It is using some other authentication token besides your fingerprint. Your biometric identity (usually) doesn’t leave your local device. That would change if people started to overly rely on biometric authentication globally.
Never have we been closer than we are now to getting pervasive, global identities. My advice: enable and require the use of 2FA/MFA options with your global identities. That way you get all of the benefit with less of the risk.