We’re pushing the notion that sites should do “Federated Identity”; that those “Sign in with Facebook/Google/Twitter/whoever” badges you see everywhere are A Good Thing. And indeed they are. But it’s exposing a subtle problem.
Background · I spend a lot of time talking to people who are (in the jargon) “RPs”, where the initials stand for “Relying Party” and mean someone who relies on an Identity Provider (“IDP” in the jargon) to take care of login/logout.
It’s increasingly easy to set up Federated Login with an IDP, and as OpenID Connect stabilizes, there’ll be room for a real standards-based RP/IDP ecosystem. OpenID Connect is easy to implement for an RP; I know this because I’ve done it.
So What’s the Problem? · One thing I hear over and over, when I’m talking to RPs, is “How do I force re-authentication?” A bit of background is in order. The way being an RP works is that you do a browser redirect over to the IDP, in effect asking “Is this the person they say they are?” If you do this with Facebook or Google or whoever, and if the person is already logged in via that browser, most times the IDP will just come back and say “Yep, they’re authenticated” without pestering the user.
But some RPs want to make the IDP re-authenticate, that is to say make the person at the browser type in a password and maybe do the 2-factor thing too. Because they’re about to do something really meaningful, involving money or privacy or whatever. For example, I was recently talking to some people from a well-known newspaper that wanted to force re-auth when their journalists accessed the internal publishing system from outside the firewall.
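As an added example (not code from the original post, nor from any particular IDP), here is the shape of what an OpenID Connect RP does when it wants re-authentication for one sensitive action only. The IDP endpoint, client id and redirect URI are made up; `max_age`, `prompt=login` and the `auth_time` ID-token claim are the OpenID Connect Core 1.0 mechanisms for this. The point a practitioner should not miss is the second function: getting a redirect back from the IDP is not proof that the user typed a password, so the RP has to check `auth_time` itself.

```python
"""Added example: an OIDC RP forcing re-auth for a sensitive action only.

Not the original post's code.  Endpoints and identifiers are hypothetical.
"""
import time
from urllib.parse import urlencode

# Hypothetical IDP and RP endpoints, for illustration only.
AUTHZ_ENDPOINT = "https://idp.example/authorize"
CLIENT_ID = "newspaper-cms"
REDIRECT_URI = "https://cms.example/oidc/callback"


def build_authz_request(state, nonce, sensitive=False, max_age_seconds=300):
    """Build the OIDC authorization request URL for the browser redirect.

    For ordinary page loads we send a plain request and let the IDP reuse the
    user's existing session, so no password prompt appears.  Only when the RP
    is about to do something sensitive do we add max_age: the IDP must then
    make sure the user authenticated within the last max_age seconds, and must
    report auth_time in the ID token.  prompt=login is the blunter form
    (always re-authenticate); max_age lets a recent login through untouched.
    """
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,   # CSRF binding for the callback
        "nonce": nonce,   # replay binding, echoed in the ID token
    }
    if sensitive:
        params["max_age"] = str(max_age_seconds)
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def fresh_enough(id_token_claims, max_age_seconds, now=None):
    """Decide whether the ID token proves a recent-enough authentication.

    Assumes the caller has already verified the token's signature and the
    standard iss/aud/exp/nonce claims.  Those checks pass for a token minted
    from a months-old IDP session too, so the RP must look at auth_time
    itself before letting the sensitive action proceed.
    """
    now = int(time.time()) if now is None else now
    auth_time = id_token_claims.get("auth_time")
    if auth_time is None:
        # Core 1.0 requires auth_time when max_age was requested; its absence
        # means the IDP did not honour the request, so fail closed.
        return False
    return now - int(auth_time) <= max_age_seconds


if __name__ == "__main__":
    # Constructed claims, standing in for a decoded and verified ID token.
    now = int(time.time())
    print(build_authz_request("st4te", "n0nce", sensitive=True))
    print(fresh_enough({"auth_time": now - 60}, 300, now))    # recent login
    print(fresh_enough({"auth_time": now - 3600}, 300, now))  # stale session
```

Note what the split buys you: the ordinary request never asks for a password, so the re-auth prompt appears only on the money-or-privacy path, which is the narrowest version of what the RPs in the text are asking for.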
Why Is That a Problem? · Well, one of the key advantages of Federated Identity is cutting down the number of times people have to type in passwords. There are a bunch of good reasons for this:
Every time it happens, that’s another chance for password theft.
We don’t want to get people into the habit of typing IDP passwords in here and there; that habit is a great big red target sign saying “Phish me!”
Typing passwords all the time is a painful user experience, particularly on mobile devices.
The easiest way to reduce that pain is to use a short, simple password, probably the same one you’re using everywhere including on your easily-hacked kid’s-Little-League site.
So yeah, I suppose the RP might be (slightly) increasing the security locally by forcing re-auth in some situation or another. But they’re globally reducing the security of the whole password ecosystem.
What To Do? · Well, an IDP can just say “No, you can’t do that.” But that doesn’t really make me happy either. If you’re providing a service, and someone using it says “I want to do X”, and you find yourself about to say “But you shouldn’t want to do X” for any value of X, you should be nervous.
And then there’s the elephant in the room: Policy and Regulation. Quite possibly it’s not the people running the RP system, it’s the lawyers saying “Let’s be safe and make them re-authenticate.” Because how could it be wrong to be more careful?
And worse, maybe it’s the lawyers saying “The law says we have to force re-authentication.” Because when your lawyer says that, the argument is usually pretty well over.
When I hear about this happening, more than once the law in question has been HIPAA. But it’s not alone. It’s really easy to pass a law forcing people to prove who they are when they undertake certain transactions. Because how could it be wrong to be more careful?