Recently, it was reported that over 600 million user passwords were maintained in clear-text within application logs at Facebook. Facebook has since announced that they will notify each user affected and will fix the problem. While the company is not aware of any malicious access to these logs and claims that only Facebook developers have access to the data, there may be no way to tell if the logs with clear-text passwords have ever been hijacked or not. After all, stolen usernames and passwords are not used only against the target website for malicious intent – they are often the keys for the fraudsters to access even more important websites such as bank accounts, e-commerce sites and other services where the same passwords are used by users. A simple search on Google will show studies that claim 52 per cent to 80 per cent of users use the same passwords for all of their online services. For many other users, only a handful of passwords are rotated between different sites as managing and remembering them is difficult.
It is unreasonable to think that a company like Facebook would purposely expose user passwords in Application logs or any other method. However, Facebook, similar to other services that have faced similar mistakes such as Twitter and GitHub, are software companies where large teams of developers write software-programs to enable the services. Invariably, they will have inadvertent bugs or oversights that cause such exposure of user identity information.
The true cause of the problem isn’t what one company does or doesn’t do with their security, but the underlying premise that personally identifiable information along with authentication credentials (e.g., a password) are shared with central services, such as Facebook, with the inherent trust that they will do the right thing in protecting our data. Once these services receive this data, the user no longer has control over what happens to that data. Any weakness in the central service’s security can expose the user data and allow it to be compromised. We have seen this story played over and over again with hundreds of millions to billions of user identity information breached and stolen by hackers.
The problem is that our existing username and password paradigm necessarily depends on a central service provider to maintain copies of our identity credentials and require us to trust them in the exchange of that information, usually in-the-raw over SSL, for them to validate and authenticate us. While the SSL connection may be partially secure, the service providers gets clear-text access to the data and passwords. It is then up to them – not us – to control and maintain the security of that data.
Each service provider in-fact owns our identity for their service – we are merely users of that identity. If they own it, it can be stolen from them.
Leaked passwords, then become only the tip of the iceberg. With stolen passwords, fraudsters will be empowered to identify themselves as real-users and go well beyond authentication. They will be able to authorise transactions, access multitudes of services, get access to credit card and other payment information and in many cases, even change second factors.
User-owned identity – the future
In recent times, there has been much discussion on user-owned identities through what is often referred to as distributed-identity. This is where the user ID information and credentials that can prove that unique ID is maintained on the user’s device and not on a central server. The credentials use private/public key mechanisms where the private-key is maintained on the phone only and is never shared - service providers verify the user using only the user’s public-key. Furthermore, the identity of the user can be certified by a service provider to verify the user. The certifications once again are not trusted to a central server, but a Distributed Ledger Technology (DLT) that is also referred to as a blockchain.
This approach eliminates the need for both usernames and passwords. The combination of the private-key and the certifications on the DLT inverse the ownership of the user’s Identity – service providers are no longer the stewards and owners of the ID, they merely validate it. Since they never get a copy of the private-key, they can’t store user’s authentication codes that a hacker may get access to in a breach.
This distributed identity mechanism can go beyond authenticating a user, and in fact allow the user to maintain other attestations and certified data that is kept with them – encrypted on their personal devices – and only shared with their explicit permission and action with parties they choose to. This is in complete contrast to providing permission to a service-provider to share a user’s data with another third-party as a proxy. Distributed identity can remove the need for the trusted middle-man and give control of data sharing, authentication and information claims to the user. This increases both security and user privacy. Distributed identity doesn’t simply provide a protocol for a more secure environment to protect passwords – it eliminates it altogether.
Bridging the future
While distributed identity may sound like the right solution to solve incredibly big problems, it is disruptive as compared to current implementations and hence requires change in order to adopt. While new services can incorporate such solutions easier, existing, large-scale solutions face more difficulties. Not only will the existing infrastructures have to change their existing implementations, they also need to train their users to adopt a new way of managing their identities and motivate them to migrate. This causes an unavoidable obstacle to adoption.
It is therefore important to create bridges between distributed-identity solutions and existing paradigms that rely on usernames and passwords.
By incorporating SAML and OpenID standards that integrate with existing enterprise Single Sign On (SSO) services, companies can adopt distributed identities without writing any code and have their staff use the same portals to access their services, but without usernames and passwords. This opens up the path to much greater usage of the identity used with the SSO to extend to consumer uses and beyond. In this approach, SAML and OpenID are simply a bridge to a more secure interface today and expanded use of identity in the future. This is done while eliminating the need for storage or exchange of passwords altogether.
With the increasing number of compromised passwords and user identities, it is no longer an option to simply build taller walls to secure those identities – a new approach is needed. Distributed Identity has that promise.
Armin Ebrahimi, Founder and CEO, ShoCard