If you rely on an Identity Provider (“IDP”) to sign into lots of apps, here are two things to worry about: If the IDP gets hacked, do the bad guys get into all your apps? And if you lose your IDP account, are you locked out of all of them?
[This is part of the Federation Conversation series.]
The hacking issue · Facebook and Google and so on are obviously big fat juicy targets for the bad guys. And, let me share a non-secret with you: Facebook and Google do get hacked. So does every other site on the Internet.
The difference is that big IDPs hire teams of full-time experts to watch the dials, look for anomalous patterns, and run perimeter probes 24/7/365. Our defensive techniques are proactive, aggressive, and never asleep. Also, we pay outsiders to hack us, which is a big help.
Specialist IDP teams can also do clever things like support two-factor auth, and watch for trouble. For example, suppose you’ve been logging into Google from the same computer at the same IP address in Toronto for months in a row; you’ll very rarely get a 2-factor or reauthentication challenge. On the other hand, get on a plane to another continent and the next time you log in you’ll probably find yourself having to jump through a few extra hoops.
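The adaptive challenge described above, as an added illustration that is not from the post or from any real IDP: a small Python risk scorer that compares a login attempt with a constructed login history and decides whether to step up to a second factor. The device-cookie, IP-prefix and country fields and the score weights are assumptions.

```python
"""Risk-based step-up login check (constructed example, not any real IDP's logic).
A login attempt is compared with the account's recent history; the more
unfamiliar the device, network and country, the more likely a second-factor
challenge is required."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Login:
    when: datetime
    device_id: str   # hypothetical stable device cookie set at first login
    ip_prefix: str   # first three octets of the client IPv4 address
    country: str     # geolocation of that address


# Constructed history: one machine, one Toronto network, every few days.
HISTORY = [
    Login(datetime(2013, 8, 1) + timedelta(days=d), "dev-A", "203.0.113", "CA")
    for d in range(0, 60, 3)
]


def risk_score(attempt: Login, history: list[Login], window_days: int = 90) -> int:
    """Return 0..100; each unfamiliar signal adds risk, an empty history is max risk."""
    window = timedelta(days=window_days)
    recent = [h for h in history if timedelta(0) <= attempt.when - h.when <= window]
    if not recent:
        return 100
    score = 0
    if attempt.device_id not in {h.device_id for h in recent}:
        score += 50   # unknown device is the strongest single signal
    if attempt.ip_prefix not in {h.ip_prefix for h in recent}:
        score += 20
    if attempt.country not in {h.country for h in recent}:
        score += 30
    if attempt.when - max(h.when for h in recent) > timedelta(days=30):
        score += 20   # dormant account: even a known device gets a closer look
    return min(score, 100)


def requires_second_factor(attempt: Login, history: list[Login], threshold: int = 40) -> bool:
    """Step up to a 2-factor challenge once the risk crosses the threshold."""
    return risk_score(attempt, history) >= threshold
```

The same scorer is what makes the commenters' complaint real: the challenge fires exactly when the user is travelling, which is why backup codes matter.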
The real danger spots · And please don’t kid yourself that because a hundred sites out there are doing login independently, you’re a hundred times safer. Because the dangerous hacks aren’t the ones that rip up some individual site; they’re when the bad guys find a hole in widely-used software: NodeJS, Java, PHP, .NET, whatever. Things like the January 2013 Rails/YAML hack make my blood run cold, because there’s a big window of vulnerability between when the word gets out and when all the sites using the broken software get around to fixing it. Worse, when something like this happens, a substantial proportion of the sites suffering from it just won’t notice, and are left effectively wide-open to the bad guys forever.
When places like Facebook and Google notice a hack, a lurid email goes around internally with a title like “Security: HIGH risk [redacted] vulnerability in [redacted]” and certain key people don’t go home from work until the hole is patched and the patch is in production.
There’s this guy here at Google, Eric Sachs, who’s been doing Identity stuff in the white-hot center of the Internet universe for a lot of years. One of his mantras is “If you’re typing a password into something, unless they have 100+ full-time engineers working on security and abuse and fraud, you should be nervous.” I think he’s right.
Other failures · It’s not just hackers you have to worry about. Your IDP could go out of business. You might forget your password and back-up security questions and lose your account. Your IDP might get mad at you and cancel your account.
When that happens, have you lost access to all the apps you’ve been logging into with it? It depends: if the app has a working email address for you, it can always send you a message with a recover-your-account link to click on. If not, well, ouch.
In the early days of the OpenID dream, a lot of us thought that we could base our identity on URLs. It didn’t work out well. These days, everyone (except, interestingly, Twitter) is pretty well converging back to email for sign-in; and this is one of the big reasons.
And serious IDPs like Google and Yahoo and Facebook always want you to store a backup email address and phone number and so on. If you lose your password for one of these operators, you’ll discover we can be remarkably creative in figuring out ways to use that info and get you hooked up again. The other day I was having trouble getting logged into my Microsoft account and it offered to have a bot phone me and recite an access code.
My Take-Away · I think that outsourcing the business of sign-in substantially decreases everyone’s risk of losing access to apps, and makes life harder for the bad guys.
I don’t know of any large-scale studies that have solid numbers to back up my feeling. But I do know that every time I visit a site that wants me to sign in with a username and password, it makes me nervous.
Comment feed for ongoing:
From: Grahame Grieve (Aug 18 2013, at 21:04)
yeah, but you didn't answer the question. Yes, the chances of being hacked are much lower. But still, if they do hack the IDP, then your accounts are all wide open.
As for the recover your password by email - I didn't follow that. You're saying that only if they offer the insecure option, then there's a way back? So we really need to check that the app has the back up option, but not find out whether it works?
From: Jarek Piórkowski (Aug 18 2013, at 22:56)
So what you're saying is that users should use an IDP that is not tied to their primary email account?
From: Michael Zajac (Aug 19 2013, at 07:38)
Getting off a plane on another continent is the precise moment I am most likely not to have access to my second authentication factor, alternate email, and mobile phone. A bit scary.
From: Joseph Scott (Aug 19 2013, at 08:27)
Does Google have 100+ full-time engineers working on security and abuse and fraud?
From: ColinToal (Aug 19 2013, at 08:33)
There is something else to consider.
Identity is closely connected to payment - it's no coincidence that there is real financial risk, not just privacy risk. If you want to process payments - you have to have Identity.
From: tom jones (Aug 19 2013, at 08:46)
you really should take a closer look at Mozilla's Persona (as you have been threatening to do for weeks now) before you continue this discussion, as it seems all the questions you are discussing have already been solved by them.
and mostly by the virtue of being decentralized -- the best examples are exactly these you are discussing in this article: there is no "single point of failure". if you are using gmail, the main feature of Persona is that your IDP, in effect is Google.
so you can get the best of both worlds. if you trust Google's 100+ around-the-clock security engineers, you go with them, and if not, you don't have to.
From: orcmid (Aug 19 2013, at 08:52)
It is interesting that some commenters assume that hacking of the IDP means discovery of credentials so that there is consequently a higher risk of successful impersonation. That is, one can use the discovered credentials and the IDP to gain access to relying parties where I may have accounts authenticated by that IDP.
The trade-off is, of course, between the degree to which the IDP protects credentials from being discovered versus the spotty way identifier + password is handled by so many individual accounts that don't employ something like OAuth and federated identity.
The fact that major IDPs are moving to genuine two-factor authentication seems to be ignored by the commenters. In particular, this is probably the best we will have so long as user-chosen memorable passwords are running amuck in the world.
I have the Microsoft Authenticator app on my phone. It works great. But it is not relied upon to authenticate anything done from my phone. For that, I have to get the second factor from a web site where I am already authenticated.
This whole dance is very interesting. We'll need better threat models and attack surface understandings along with that.
Thanks for the understandable account, Tim.
From: Tim (Aug 19 2013, at 11:00)
Joseph Scott: Yes.
From: Jeff Licquia (Aug 19 2013, at 12:09)
tom jones: Persona is decentralized except for the API site itself, which acts as a single point of failure. I expect Mozilla is one of those IDNs that has its own posse of 100+ engineers, but still.
From: hawkse (Aug 19 2013, at 13:53)
@Michael Zajac: Exactly. Just experienced that last month where I didn't get my verification code to my phone timely while being on vacation. Great fun since I really wanted to get at a mail with some boarding tickets. I ended up using another Google account where I don't have two-factor auth setup.
Guess that's why Google keeps telling me I should print some verification codes out.
I think I'd actually rather just have a password app that generates long, hard passwords and syncs with my phone. KISS.
From: Paul Nijjar (Aug 19 2013, at 17:56)
Naturally, you did not cover the scariest threat you mentioned: "Your IDP might get mad at you and cancel your account." In that case you really are hosed; a working email account (possibly hosted by the same IDP) is not going to help you one whit. Furthermore, the terms of service for most websites say they can cancel your account at any time!
This is not a hypothetical threat, particularly for those whose actions are controversial and need their account access protected the most.
From: J. King (Aug 19 2013, at 19:30)
"Every time we have dealings with Starfleet, I get nervous."
From: John (Aug 19 2013, at 20:07)
This is not really relevant to this fragment.
Is it possible to define a scope (not sure if this is the right term) that would require the IDP to request the 2nd factor?
e.g. when I log into my bank using G+, it automatically requests my current authenticator code.
But when I log into somerandomforum.com I just need to be logged into G+.
From: IBBoard (Aug 20 2013, at 01:11)
So, the question remains: "If the IDP gets hacked, do the bad guys get into all your apps?"
I'm assuming they do, but no-one has said for certain. Tim has said that Google et al have more protection, and Orcmid said that it is an incorrect assumption that your credentials are *less* secure at an IDP than at individual site, but that doesn't say what the hackers *could* get *when* they hacked a site.