Bring your own identity (BYOID) and the issue of security
Will BYOID add value?
The bring your own identity (BYOID) concept is poised to make life simpler when accessing everyday social media and cloud services. BYOID also promises to make our digital life more secure, and that promise is what I will be exploring here.
I am in favour of strong authentication controls, having encountered limitations in using complex passwords with appliances. While strong authentication controls alone will not stem the frequency of data breaches, they are another layer of security that slows the progress of crackers.
BYOID is gaining traction, with major software companies improving how personal data is stored, both locally and in the cloud. Some projects lend themselves well to BYOID, and I will introduce them here.
FIDO Alliance ("Fast IDentity Online") has the following mission:
- Developing technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users.
- Operating industry programs to help ensure successful worldwide adoption of the specifications.
- Submitting mature technical specification(s) to recognised standards development organisation(s) for formal standardisation.
This looks like a solid starting point for BYOID adoption: defined specifications for implementation.
FIDO Alliance has two specifications: Universal Authentication Framework (UAF), for a completely passwordless experience, and Universal 2nd Factor (U2F), which adds a hardware second factor to an existing password login. Both let a user prove to a service that they are who they claim to be. It is important to note that the FIDO Alliance does not produce hardware; it develops the specifications, which its member companies implement.
Why introduce FIDO?
Allow me to backtrack a little. I was reading an announcement from Microsoft on their upcoming Windows 10 platform, promising two-factor authentication for all. Great for those who want convenience.
As plans were revealed to tighten operating system security, Windows 10 authentication is becoming more focused on identity validation. With support for the FIDO Alliance U2F specification built into the operating system, this may become Microsoft's next "killer app". The mention of FIDO Alliance reminded me of an article from the Google Online Security Blog, where Google also supports the U2F specification.
The shift towards access validation and restriction has been gradual. Google allows access to be restricted to a list of known devices, which reduces the attack surface. In my last article on BYOID, I mentioned Microsoft implementing a "one time passcode" for protecting an account. With Windows 10 and Google's services supporting U2F, hardware-based two-factor authentication becomes available on both.
While FIDO publishes open specifications for its authentication protocols, turning a specification into working software is where most vulnerabilities are introduced, so development and implementation demand intensive auditing and quality assurance to keep the attack surface small. The level of auditing performed during the development cycle makes a real difference, and a flaw can sit at either layer: Heartbleed was an implementation bug in OpenSSL, while POODLE exploited a weakness in the SSL 3.0 protocol itself. Both were found and corrected because enough eyes were on the project, and the FIDO specifications and the products built on them need the same scrutiny.
Working globally to improve authentication security would help prevent leaks of personal information.
Trust or protection?
Are we seeing two big vendors agree that simple password authentication is insufficient, and that we all need to better protect our data? I do not think this trend is simply about keeping up with the times.
This is no coincidence. If you look at the FIDO Alliance's membership page, you will notice some big brands working together to create a cross-platform, device-independent authentication standard.
All cloud services should require two-step verification at login and whenever account changes are made. Passwords would then cease to be the major vulnerability, and crackers would have to work harder to obtain access.
Steps and directions
When two large organisations are talking about additional layers of security in their products, it should make you think about your own personal security. Why would Microsoft and Google be adding extra controls if security were not a problem?
My takeaway from this market direction is that security matters and we should not be complacent.
How does BYOID fit?
If part of the authentication process is completed using biometrics or a U2F-compliant device, we have moved towards validated authentication sources. That is, you are who you say you are, and you have the correct credentials.
This changes the position from the big companies being the authentication source to placing the user at the centre of the authentication/authorisation process. It is his or her U2F device or fingerprint that is trusted when accessing a company's services or resources; the service holds only the public key the device registered, and the private key never leaves the device. Given time, even this technology could potentially be spoofed, copied or compromised.
Having spent time learning about BYOID and becoming familiar with its impact on end users in personal and work environments, I started thinking about weaknesses in U2F and biometric solutions.
The common concerns still involve malware crafted to intercept data passing between a U2F device or fingerprint scanner and the host. Worse still is the possibility of reprogramming the device itself, for propagating malware or removing data. Encryption is only as strong as the next security vulnerability, or the next breach of a web service's private key.
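To make concrete what a U2F response actually contains, and so what malware sitting between the token and the browser can and cannot do with one, here is an added example in Go. It is not code from this article, from the FIDO Alliance or from any vendor; it models the U2F authentication exchange with a token that signs SHA-256(appID) || user-presence byte || counter || SHA-256(client data) using a P-256 key bound to one appID, and a relying party that checks the outstanding challenge, the signature and that the counter increased. The appID strings, the single-credential token, the simplified client data and the scenario names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Token models one U2F credential: a P-256 key pair bound to one appID, plus a use counter.
type Token struct {
	appID   string
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Register mints the appID-bound key pair; the private key never leaves the token, the site gets the public half.
func Register(appID string) *Token {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // rand.Reader failing is unrecoverable for this demo
	}
	return &Token{appID: appID, priv: priv}
}

// Assertion is the token's reply, forwarded to the site by the client software.
type Assertion struct {
	Challenge string
	Counter   uint32
	Signature []byte // ASN.1 DER ECDSA signature
}

// signedMessage mirrors the U2F authentication message: SHA-256(appID) || user-presence byte ||
// 4-byte big-endian counter || SHA-256(client data). Client data stands in for the browser's JSON.
func signedMessage(appID string, counter uint32, challenge string) []byte {
	cd := `{"typ":"navigator.id.getAssertion","challenge":"` + challenge + `","origin":"` + appID + `"}`
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256([]byte(cd))
	msg := append(app[:], 0x01, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return append(msg, chal[:]...)
}

// Authenticate bumps the counter and signs; the token cannot tell a browser from host malware.
func (t *Token) Authenticate(challenge string) *Assertion {
	t.counter++
	digest := sha256.Sum256(signedMessage(t.appID, t.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, digest[:])
	if err != nil {
		panic(err)
	}
	return &Assertion{Challenge: challenge, Counter: t.counter, Signature: sig}
}

// Site is the relying party: only the public key, last accepted counter and outstanding challenge.
type Site struct {
	AppID     string
	pub       *ecdsa.PublicKey
	counter   uint32
	challenge string
}

// NewChallenge issues a fresh random one-time challenge.
func (s *Site) NewChallenge() string {
	buf := make([]byte, 32)
	rand.Read(buf)
	s.challenge = hex.EncodeToString(buf)
	return s.challenge
}

// Verify checks the outstanding challenge, the signature over this site's appID, and the counter.
func (s *Site) Verify(a *Assertion) error {
	if s.challenge == "" || a.Challenge != s.challenge {
		return errors.New("unknown or already used challenge")
	}
	digest := sha256.Sum256(signedMessage(s.AppID, a.Counter, a.Challenge))
	if !ecdsa.VerifyASN1(s.pub, digest[:], a.Signature) {
		return errors.New("signature invalid (wrong key or wrong appID)")
	}
	if a.Counter <= s.counter {
		return errors.New("counter did not increase (replay or cloned token)")
	}
	s.challenge, s.counter = "", a.Counter
	return nil
}

// Scenarios runs one legitimate login and three attacks; a nil value means the site accepted.
func Scenarios() map[string]error {
	const site, phish = "https://example.com", "https://examp1e.com"
	tok := Register(site)
	s := &Site{AppID: site, pub: &tok.priv.PublicKey}
	out := map[string]error{}
	// Legitimate login, then the same captured assertion replayed by host malware.
	a1 := tok.Authenticate(s.NewChallenge())
	out["legit"] = s.Verify(a1)
	out["replay"] = s.Verify(a1)
	// Phishing: a look-alike origin relays the real challenge, but its credential is bound to the phish appID.
	out["phish"] = s.Verify(Register(phish).Authenticate(s.NewChallenge()))
	// Malware on the host drives the real token while the user touches it: a genuine assertion.
	out["live_host_malware"] = s.Verify(tok.Authenticate(s.NewChallenge()))
	return out
}
```

Running `Scenarios()` shows the three outcomes that matter for the paragraph above. The legitimate login is accepted. Replaying the captured assertion fails, because the challenge was consumed and the counter did not move, so malware that merely records traffic between token and browser gains little. An assertion produced for a look-alike origin fails because the signature covers the wrong application parameter. The last case is the residual weakness: malware on the host that drives the user's own token while the user touches it produces a genuine assertion, and the site cannot tell it from the user. The counter gives the site a later chance to notice a cloned token, once the clone and the original fall out of step.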
Additionally, an article by Greg Andrade (Why USB Authentication Keys and Tokens are a Bad Idea) questions whether the USB standard is a sound basis for a secure authentication solution. The alternative proposed in the article, which is written to promote one of their products, is to use public key infrastructure in a way that lets the user enter a random four-digit code. While I am not endorsing the product, the concept has merit.
Governance, Risk and Compliance
Governance, Risk and Compliance (GRC) is the biggest hurdle that must be addressed for BYOID. Without some visibility into a company's back-of-house processes, how can its users trust that their personally identifiable information (PII) is held safely? Or is it simply a case of "build it and they will use it"?
Are we headed to a place where users are validated against who they say they are, like the 100-point identification check, before they can use a cloud service? Perhaps in future, users may be required to provide the full "100 points" (e.g. passport, driver's licence, new banking product) before submitting a BYOID token or key for authentication and validation.
BYOID is about transforming a digital ID into a type of online signature. Legally, we need common global laws governing PII, as the cloud has turned our PII into a global dataset. Interestingly, how PII is treated around the world varies greatly.
More thought needs to go into the methods for validating users in BYOID authentication environments, so that inherent platform weaknesses do not make exploitation easy.
My suggestion to the FIDO Alliance is to spend more time considering the impact of USB-based products in the security marketplace.