Bring your own identity (BYOID) and the issue of trust
Bring your own identity
A new term has entered the buzzword lexicon: BYOID (Bring Your Own Identity). In other words, authentication by a third party.
The core of this concept is authenticating yourself on a site or service using credentials from another, usually larger, service. Think of it as single sign-on with a global presence. BYOID is essentially new branding for federated identity technologies that enterprises already use internally (SAML and, on the web, OAuth 2.0 and OpenID Connect): the site you log in to never sees your password, only a signed assertion from the identity provider saying who you are.
What is the hype about? With BYOID implemented, you will not require another set of credentials for a site or service you wish to use. BYOID could be used in two ways:
- As a second factor that validates a user's existing credentials at the site.
- As the only authentication step.
Validation and authentication
Companies offering authentication services include Google, Microsoft, LinkedIn, Amazon, Yahoo! and Facebook. Microsoft, for example, protects the Microsoft account itself: once a mobile phone number or second email address is registered, a "one time code" is sent there to verify account changes.
The benefit of BYOID is to users, who now remember fewer passwords and still access the services they subscribe to. For the sites I use, the candidates for BYOID would be the low-value set: news sites, blogs, or anything that does not involve payment.
When BYOID is used as part of two-factor authentication it becomes an option with greater value, as security is improved by being authenticated from two sources. A two-factor design still needs a risk analysis: which assets it protects, and what happens when one of the two providers is compromised or unavailable.
Using BYOID to enable two-factor authentication requires sources and styles of authentication that differ in kind. The typical implementation pairs something you have with something you know. One caveat: a password at the site plus a password-based login at a BYOID provider is still two instances of "something you know"; the provider only contributes a genuine second factor if it enforces one itself (for example, a one-time code to a registered phone) or if the site requires one locally.
Need and concern
BYOID first came to my attention with the revelation that the largest password database in the world is held by crime syndicates, assembled from previous security breaches. Criminals possessing these credentials is obviously bad news. By matching them against data obtained from other poorly secured sources, they could have enough information to do, well, anything!
As companies such as Google, Microsoft and Facebook are set to become the major market holders of BYOID authentication, and with that criminal password database in mind, it makes me ask: how do we know BYOID providers are protecting personal data?
The issue of trust
I attended a presentation detailing a major international telecommunications hardware manufacturer's audit trail, from parts arriving at the factory to final delivery, which ensures the delivered product is not altered or tampered with. Firmware code is audited several times during development to confirm it is free of errors and that no backdoors are present. The company offers to show existing or prospective customers any stage of the manufacturing process and its associated audit trail.
This made me think about the security of information supplied to a BYOID provider. How do we know whether BYOID is implemented safely and securely at the site we authenticate against? Taking this further, what visible guide does the public have that a web platform they trust (to deliver their personal email, groceries, flights and so on) will keep the information it is given safe?
How should users and CSOs learn to trust the validity of authentication data coming from a BYOID solution provider?
Held to a higher standard
What standards are enforceable across the Internet to ensure credentials are held safely?
As it stands, we have no way to confirm whether an organisation stores personal information and authentication data securely, and no requirement that it validate or report the outcome of security audits.
The IT sector can adopt standards such as ISO 27001 and work towards certification, but what does that mean to a user outside the IT sector? Processing credit card transactions requires PCI DSS compliance, but what should the IT industry provide as evidence that a BYOID implementation is secure?
Confidence is key
We hear about breaches of personally identifiable information and credit card details, and about holes in the TLS/SSL protocols, but users need a confidence indicator to guide them on the security of a site they want to authenticate against with BYOID. As BYOID takes off, using Google or Microsoft credentials on a site with a weak BYOID implementation could result in the site leaking personal information. The weakness is usually on the site's side: it receives a signed assertion from the provider, and if it fails to check the signature, the issuer, the intended audience, the expiry or the nonce, an attacker can present a forged or replayed assertion and be logged in as someone else.
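The following is an added example, not code from the original post or from any of the providers it names. It shows the relying-party checks that separate a sound BYOID implementation from a weak one, and also the "BYOID as second factor" login described earlier, where the site's own password check and a fresh provider assertion are both required. The issuer URL, client_id, client secret and all claim values are constructed for the demo. Tokens are OpenID Connect style ID tokens signed with HS256 using the client secret, which the OIDC spec permits; real deployments more commonly use RS256 with the provider's published public keys, and the same checks apply.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values (assumptions for this example, not real providers or secrets).
ISSUER = "https://idp.example"                     # the BYOID provider this site trusts
CLIENT_ID = "news-site-123"                        # this site's client_id at the provider
CLIENT_SECRET = b"demo-client-secret-do-not-reuse"  # HS256 key shared at registration
LOCAL_PASSWORDS = {"alice": "correct horse battery staple"}  # site's own "something you know"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWS (header.payload.signature).

    'alg' is a parameter only so the demo can forge an unsigned 'alg: none' token
    of the kind a weak verifier accepts.
    """
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def weak_accept(token: str) -> dict:
    """The weak implementation: decode the payload and believe it. No signature,
    issuer, audience, expiry or nonce check, so anyone can mint a login."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_id_token(token: str, expected_nonce: str, now: Optional[float] = None) -> dict:
    """Relying-party validation. Raises ValueError on any failure, returns claims on success."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm we registered with; never let the token choose.
    # This rejects 'alg: none' and HMAC/RSA confusion attacks.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(CLIENT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was issued for a different site")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    # The nonce was generated per login attempt and stored in the session; a
    # mismatch means a token captured from another session is being replayed.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def two_factor_login(username: str, password: str, token: str,
                     session_nonce: str, now: Optional[float] = None) -> bool:
    """BYOID as a second factor: the site's own password AND a valid provider
    assertion for the same user are both required."""
    if not hmac.compare_digest(LOCAL_PASSWORDS.get(username, ""), password):
        return False
    try:
        claims = verify_id_token(token, session_nonce, now)
    except ValueError:
        return False
    # The provider's subject must be the account that was linked to this user.
    return claims.get("sub") == f"idp-user-{username}"


if __name__ == "__main__":
    now = time.time()
    good = mint_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "idp-user-alice",
                          "exp": now + 300, "nonce": "n1"}, CLIENT_SECRET)
    forged = mint_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "idp-user-alice",
                            "exp": now + 300, "nonce": "n1"}, b"", alg="none")
    print("weak verifier accepts forged token:", weak_accept(forged)["sub"])
    print("strict login with forged token:", two_factor_login("alice", LOCAL_PASSWORDS["alice"], forged, "n1", now))
    print("strict login with real token:", two_factor_login("alice", LOCAL_PASSWORDS["alice"], good, "n1", now))
```

The `expected_nonce` is the value the site generated and stored in the user's session before redirecting to the provider; checking it ties the returned assertion to this login attempt. Pinning `alg` and checking `aud` are the two checks most often missing in weak implementations, and the forged token above is accepted by `weak_accept` precisely because it skips them.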
The world needs to constrain the number of passwords a person must hold in the digital world. I would love to reduce mine to a handful, provided the strength of authentication improves at the same time.
In a world of strong encryption and strong security, yet continual password compromises, how can an enterprise trust a web authentication platform with so many unanswered questions? Doing so will require auditing and transparency, so that governance and risk requirements are demonstrably met rather than assumed.