Wednesday, February 14, 2007

what's wrong with identity management

this is something that's been nagging at me for a while and i think the cross site request forgery vulnerability in gmail from late last year/earlier this year underlines the problem... a single account for everything gives too much power to whoever or whatever compromises that account (whether by gathering the credentials or hijacking the session)... this isn't just a problem with google accounts, though, there was microsoft's passport, and of course the much talked about (these days) openid...

let's start with the reason for identity management, the motivating factor that led to its creation... there's some problem condition out there that pushed people to come up with the idea, supposedly as a solution (though perhaps not a good one)... that problem condition is that with so many sites out there requiring users to log on it's difficult if not impossible for users to remember all the username/password pairs for each of those sites... users, being cunning when it comes to finding lazy solutions, came up with the adaptation of using the same username and password for most/all of the sites they log into... the security problems with this are two-fold: first it creates a situation where instead of having different secrets (passwords) protecting different assets you have one login to rule them all, and second that single set of credentials is placed in many different databases (a different one for each site) which raises the probability that those credentials will get exposed by someone cracking into one of those databases...

identity management generally aims to move user authentication out of the hands of every tom, dick, and harry site out there and into the hands of a trusted few sites which then vouch for the user's authenticity to any other site that asks... this has the immediate benefit of storing user credentials at and conducting the authentication transaction through fewer sites (generally just one) so that the risk of exposure due to database cracking is reduced... unfortunately it still leads to a one login rules them all situation, and frankly database cracking is not the low-hanging fruit in identity theft - if you can do it you can certainly get a lot of credentials in one go, but it's far easier to compromise a user's credentials through the user him/herself by way of phishing or key loggers or a password stealer...

the problem that identity management solves is the same one that users solved by using the same username and password everywhere - it solves the convenience problem associated with many sites requiring authentication... it solves it a little bit better in that one particular type of attack surface (the remote databases) is reduced, but since it collapses multiple accounts down into one it leaves open (and actually promotes) the problem where the compromise of a single set of credentials exposes all your information and assets - and isn't that what the real problem with using the same username and password everywhere is?

the only real way to mitigate the risk of such catastrophic exposure is to use multiple accounts with different credentials - which may be possible with identity management but is definitely not the usage pattern it was designed for... the whole problem arises because using multiple accounts with different credentials isn't easy - everyone seems to want to solve that difficulty by simply not doing it, by finding a way around it, but there isn't one... client-side password managers actually do a pretty good job of solving that difficulty without simply avoiding it, but depending on the implementation those can have problems of their own...
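as an added illustration (my own code, not part of the original post), here's a small python model of the three credential layouts the post compares: the same password stored at every site, one identity provider that alone holds the secret, and a client-side password manager handing out a different random secret per site... the site names, the "alice" username and the "idp" provider are constructed for the example; a dumped database is treated as giving up the credentials it stores (i.e. the attacker also cracks them), which is the case the post is worried about...

```python
import secrets

# Constructed sample of sites a user logs into; not from the original post.
SITES = ["bank", "webmail", "shop", "forum", "photos"]
IDP = "idp"  # hypothetical identity provider name


class Layout:
    """How one user's credentials are laid out across sites.

    presented: site -> credential the user types when logging into that site
    stored:    database -> set of credentials that database holds
    """

    def __init__(self, presented, stored):
        self.presented = presented
        self.stored = stored

    def exposed_by_breach(self, database):
        """Accounts reachable after an attacker dumps (and cracks) one database."""
        leaked = self.stored.get(database, set())
        return {site for site, cred in self.presented.items() if cred in leaked}

    def exposed_by_capture(self, site):
        """Accounts reachable after one login is phished or keylogged on the client."""
        captured = self.presented[site]
        return {s for s, cred in self.presented.items() if cred == captured}


def unique_per_site(sites=SITES):
    """Client-side password manager: a random secret per site, each site stores only its own."""
    presented = {s: ("alice", secrets.token_urlsafe(16)) for s in sites}
    stored = {s: {presented[s]} for s in sites}
    return Layout(presented, stored)


def reused_everywhere(sites=SITES):
    """One username/password typed into, and stored by, every site."""
    cred = ("alice", secrets.token_urlsafe(16))
    presented = {s: cred for s in sites}
    stored = {s: {cred} for s in sites}
    return Layout(presented, stored)


def single_idp(sites=SITES, idp=IDP):
    """Identity management: every site defers to one provider that alone stores the secret."""
    cred = ("alice@" + idp, secrets.token_urlsafe(16))
    presented = {s: cred for s in sites}
    stored = {s: set() for s in sites}  # relying parties hold no password at all
    stored[idp] = {cred}
    return Layout(presented, stored)


def compare(sites=SITES, breached="shop", phished="shop"):
    """Count exposed accounts per layout for one site breach, one phished login, one IdP breach."""
    builders = (("unique", unique_per_site), ("reused", reused_everywhere), ("idp", single_idp))
    rows = {}
    for name, build in builders:
        layout = build(sites)
        rows[name] = {
            "breach_site": len(layout.exposed_by_breach(breached)),
            "phish_login": len(layout.exposed_by_capture(phished)),
            "breach_idp": len(layout.exposed_by_breach(IDP)),
        }
    return rows


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:8s} {row}")
```

running it shows the shape of the argument above: the identity provider layout drops a single site's database breach from "everything" to "nothing", but a single phished login still exposes every account (and a breach of the provider itself does too), while the per-site random secrets of a password manager keep both kinds of compromise down to the one account involved...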
