Our Flawed World of Identity and Rights?

In this information age, we need to clearly understand what identity really means, and how we assign rights to that identity. The current Facebook hack thus highlights one thing … that the industry is often taking easy solutions which care little about properly integrating trust … and at the core of this are often flawed implementations of OAuth 2.

The industry has been swept along by OAuth 2 through its adoption by Google and Facebook. Other improved methods which aimed to provide fewer opportunities for spying on accesses, such as with Microsoft CardSpace, have generally failed in their adoption. For Google, Facebook, and Twitter, to be the ID provider of choice allow these companies to extend their reach, and be the core of identity on the Internet. Basically, these companies “own your identity”.

Industry experts have, for many years, been highlighting the major problems of OAuth 2 and its over-simplistic usage of long-term tokens. But still there is little thought about a sustainable long-term solution … and where we are stuck in a pre-GDPR model of the world with no way of fixing it.

Put simply, a single flaw in the implementation of OAuth 2 could open up down billions of applications on the Internet. It was, for example, recently identified that over 40% of applications which used OAuth 2 were vulnerable to attack.

In some cases, it is a lazy solution to the true identity problem, and where OAuth 2 is used to issue a token which then grants access rights to a range of services. In many cases, the provision of a user name and a password can gain you long-term rights to access a wide range of services. Unfortunately, if you gain someone else’s token, you have all their rights, without even requiring their password.

Basically, you open the front door with your key, and get a note to get back in. If someone sees your note, they can get in too, without your keys.

Only with smart contracts, true identity signing and in the usage of cryptography keys, can we provide an improved identity world. For just now we are just creating methods which make life easy for developers and administrators, and not really thinking about the true identity of a person. This easy fix could all come crashing down, and we need to find ways to improve the provision of rights and identity, and for improved trust levels.

Federated ID and OAuth2

Facebook, as with many other major Cloud Service Provider, including Google, use the OAuth2 authentication protocol for providing an ID token to a user. The token, itself, does not contain the password, but just the fact that the user has identified themselves, and has rights on the system for a given amount of time. This token can also be trusted on other sides — with a federated identity. Thus if you use Facebook to log into Spotify then Facebook proves your identity and then passes an OAuth2 token back to you, to give to Spotify. The scope of the breach could thus involve other external services which use Facebook as an identity provider.

Within OAuth 2, a user requests a service, and then is told the identity providers that the service trusts. The user then selects onto and proves their identity to the identity provider, and is given a token back which is passed to the service. This token can then be used to log the user into the system:

The problems

While OAuth 2 solves many problems in logging into systems and in traversing across trusted systems, many security experts criticize its usage, as the tokens can be captured, and where long periods of access can be granted on a single provision of a user identity. The basic process into the user accessing a web service, and is then redirect the identity provider, who will request the identity details of the user. On a successful entry of these details, the identity provider will send back an access token to the service provider:

A recent article on Medium defined that OAuth 2 was the gatekeeper of the growing API industry, but also its Achilles Heel:

Its simplicity in its operation allows developers to quickly authenticate the user, and then allow them to gain the required rights. But it has major flaws. The major hack of Facebook ID tokens shows that a large scale breach could open-up many services on the Internet to abuse.

Along with this, the identity provider can spy on the user, but looking at the services that are being asked for, so that Facebook could tell every time you logged into Spotify. While we all like single sign-on our corporate systems, it does cause major problems when the back-end infrastructure is breached.

In 2016, researchers from the University of Hong Kong outlined a paper on “Signing into One Billion Mobile LApp Accounts Effortlessly with OAuth 2.0.” Within this, they identified an an attack on poor OAuth 2.0 implementations and which put over one billions applications at risk:

Conclusions

I repeat again … only with smart contracts, true identity signing and in the usage of cryptography keys, can we provide an improved identity world. We need a world which is more focused on users, and less on what developers and administrators find easy to set up. OAuth 2 should only be seen as a short-term solution to a trust infrastructure, the long-term solution is to put identity and rights back into the hands of those that matter … the citizen. We are still stuck in the 20th Century, and have to look at creating systems which are truly integrated, and which respect the rights of the citizen to privacy and consent.