If you rely on an Identity Provider (“IDP”) to sign into lots of apps, here are two things to worry about: If the IDP gets hacked, do the bad guys get into all your apps? And if you lose your IDP account, are you locked out of all of them?
[This is part of the Federation Conversation series.]
The hacking issue · Facebook and Google and so on are obviously big fat juicy targets for the bad guys. And, let me share a non-secret with you: Facebook and Google do get hacked. So does every other site on the Internet.
The difference is that big IDPs hire teams of full-time experts to watch the dials, look for anomalous patterns, and run perimeter probes 24/7/365. Our defensive techniques are proactive, aggressive, and never asleep. Also, we pay outsiders to hack us, which is a big help.
Specialist IDP teams can also do clever things like support two-factor auth and watch for anomalous sign-ins. For example, suppose you’ve been logging into Google from the same computer at the same IP address in Toronto for months in a row; you’ll very rarely get a 2-factor or reauthentication challenge. On the other hand, get on a plane to another continent and the next time you log in you’ll probably find yourself having to jump through a few extra hoops.
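The Toronto-versus-another-continent decision above is a risk-based step-up check: the IDP compares each sign-in against the account's recent history and only challenges when something is unfamiliar. The following is an added illustration, not code from the post or from any IDP; it assumes a device identifier from a long-lived browser cookie, a country derived from the IP by a geolocation lookup, and hypothetical thresholds (a 90-day history window, a 2-hour "impossible travel" limit). The sample history is constructed.

```python
"""Risk-based sign-in challenge decision (added example, not the post's own code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Login:
    when: datetime     # time of a successful sign-in (UTC)
    device_id: str     # assumed: identifier from a long-lived browser cookie
    ip: str
    country: str       # assumed: derived from the IP by a geolocation lookup


# Hypothetical thresholds: how far back "familiar" history reaches, and how soon
# after a sign-in in one country a sign-in from another counts as impossible travel.
HISTORY_WINDOW = timedelta(days=90)
IMPOSSIBLE_TRAVEL = timedelta(hours=2)


def needs_step_up(history, attempt, window=HISTORY_WINDOW):
    """Return (challenge, reasons) for a sign-in attempt given prior successful logins.

    A known device in a known country sails through, even from a new network;
    an unknown device, a new country, or an impossible-travel pattern triggers
    a 2-factor / reauthentication challenge.
    """
    recent = [h for h in history if attempt.when - window <= h.when <= attempt.when]
    if not recent:
        return True, ["no recent sign-in history"]

    reasons = []
    if attempt.device_id not in {h.device_id for h in recent}:
        reasons.append("unknown device")
    if attempt.country not in {h.country for h in recent}:
        reasons.append("new country")
    # A new IP alone is not a reason: laptops move between home, work and cafes.
    last = max(recent, key=lambda h: h.when)
    if last.country != attempt.country and attempt.when - last.when < IMPOSSIBLE_TRAVEL:
        reasons.append("impossible travel")
    return bool(reasons), reasons


def sample_history():
    """Constructed sample: twelve weekly sign-ins from one laptop in Toronto."""
    start = datetime(2013, 1, 1, 9, 0)
    return [Login(start + timedelta(days=7 * i), "laptop-7f3a", "203.0.113.5", "CA")
            for i in range(12)]


def sample_attempts():
    """Constructed attempts covering the cases the post describes."""
    return {
        "home":      Login(datetime(2013, 3, 20, 9, 0), "laptop-7f3a", "203.0.113.5", "CA"),
        "cafe":      Login(datetime(2013, 3, 20, 12, 0), "laptop-7f3a", "198.51.100.9", "CA"),
        "abroad":    Login(datetime(2013, 3, 21, 9, 0), "laptop-7f3a", "192.0.2.44", "JP"),
        "teleport":  Login(datetime(2013, 3, 19, 10, 0), "laptop-7f3a", "192.0.2.44", "JP"),
        "newdevice": Login(datetime(2013, 3, 20, 9, 0), "phone-c1d2", "203.0.113.5", "CA"),
    }


if __name__ == "__main__":
    hist = sample_history()
    for name, attempt in sample_attempts().items():
        print(name, needs_step_up(hist, attempt))
```

In production the device cookie would itself be an unforgeable, server-issued token, and the reasons list would feed a score rather than a plain boolean; the shape of the decision is the same.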
The real danger spots · And please don’t kid yourself that because a hundred sites out there are doing login independently, you’re a hundred times safer. Because the dangerous hacks aren’t the ones that rip up some individual site; they’re when the bad guys find a hole in widely-used software: NodeJS, Java, PHP, .NET, whatever. Things like the January 2013 Rails/YAML hack make my blood run cold, because there’s a big window of vulnerability between when the word gets out and when all the sites using the broken software get around to fixing it. Worse, when something like this happens, a substantial proportion of the sites suffering from it just won’t notice, and are left effectively wide-open to the bad guys forever.
When places like Facebook and Google notice a hack, a lurid email goes around internally with a title like “Security: HIGH risk [redacted] vulnerability in [redacted]” and certain key people don’t go home from work until the hole is patched and the patch is in production.
There’s this guy here at Google, Eric Sachs, who’s been doing Identity stuff in the white-hot center of the Internet universe for a lot of years. One of his mantras is “If you’re typing a password into something, unless they have 100+ full-time engineers working on security and abuse and fraud, you should be nervous.” I think he’s right.
Other failures · It’s not just hackers you have to worry about. Your IDP could go out of business. You might forget your password and back-up security questions and lose your account. Your IDP might get mad at you and cancel your account.
When that happens, have you lost access to all the apps you’ve been logging into with it? It depends: if the app has a working email address for you, it can always send you a message with a recover-your-account link to click on (assuming that address isn’t itself hosted by the IDP you just lost). If not, well, ouch.
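A recover-your-account link is only as good as the token in it: it has to be unforgeable, short-lived, and tied to the address the app actually has on file, so that an address change revokes any link already sent. The code below is an added example, not the post's or any particular app's implementation; the signing key, user id, addresses and timestamps are constructed for the demo, and the app is assumed to record each token's nonce so a link works once.

```python
"""Signed, expiring account-recovery link token (added example, not the post's own code)."""
import base64
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_recovery_token(secret: bytes, user_id: str, email: str, now: datetime,
                        ttl: timedelta = timedelta(hours=1)) -> str:
    """Build the token that goes into the emailed recovery URL."""
    payload = {
        "uid": user_id,
        # Bind the token to the address on file so a later address change revokes it.
        "eh": hashlib.sha256(email.lower().encode()).hexdigest(),
        "exp": int((now + ttl).timestamp()),
        "nonce": secrets.token_hex(8),  # assumed: the app stores used nonces for single use
    }
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def verify_recovery_token(secret: bytes, token: str, email_on_file: str, now: datetime):
    """Return the user id if the token is genuine, unexpired and still matches the
    account's current email address; otherwise None."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        payload = json.loads(_unb64(body))
        if now.timestamp() >= payload["exp"]:
            return None
        current = hashlib.sha256(email_on_file.lower().encode()).hexdigest()
        if not hmac.compare_digest(payload["eh"], current):
            return None
        return payload["uid"]
    except (ValueError, KeyError, TypeError, UnicodeDecodeError):
        return None


SECRET = b"\x01" * 32  # constructed demo key; a real app loads it from its secret store
T0 = datetime(2013, 3, 20, 9, 0, tzinfo=timezone.utc)


def demo_results():
    """Exercise the cases a practitioner would check; returns name -> verify result."""
    tok = make_recovery_token(SECRET, "user-42", "alice@example.com", T0)
    body, sig = tok.split(".", 1)
    forged = _b64(b'{"uid":"admin"}') + "." + sig  # old signature glued onto a new body
    return {
        "fresh": verify_recovery_token(SECRET, tok, "alice@example.com", T0 + timedelta(minutes=30)),
        "expired": verify_recovery_token(SECRET, tok, "alice@example.com", T0 + timedelta(hours=2)),
        "email_changed": verify_recovery_token(SECRET, tok, "alice@example.org", T0),
        "wrong_key": verify_recovery_token(b"\x02" * 32, tok, "alice@example.com", T0),
        "forged": verify_recovery_token(SECRET, forged, "alice@example.com", T0),
        "garbage": verify_recovery_token(SECRET, "not-a-token", "alice@example.com", T0),
    }


if __name__ == "__main__":
    for name, result in demo_results().items():
        print(f"{name}: {result}")
```

The link must be sent only to the address already on file, never to one supplied in the recovery request, and the app should refuse to reuse a nonce it has already seen; both of those are policy around the token rather than part of it.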
In the early days of the OpenID dream, a lot of us thought that we could base our identity on URLs. It didn’t work out well. These days, everyone (except, interestingly, Twitter), is pretty well converging back to email for sign-in; and this is one of the big reasons.
And serious IDPs like Google and Yahoo and Facebook always want you to store a backup email address and phone number and so on. If you lose your password for one of these operators, you’ll discover we can be remarkably creative in figuring out ways to use that info and get you hooked up again. The other day I was having trouble getting logged into my Microsoft account and it offered to have a bot phone me and recite an access code.
My Take-Away · I think that outsourcing the business of sign-in substantially decreases everyone’s risk of losing access to apps, and makes life harder for the bad guys.
I don’t know of any large-scale studies that have solid numbers to back up my feeling. But I do know that every time I visit a site that wants me to sign in with a username and password, it makes me nervous.