By Neil Cook, Chief Security Architect Open-Xchange – Read Part 2 of Neil’s Despatches here
It’s the final day of the RSA conference in San Francisco, and although things are starting to wind down, there are still some great sessions, and good attendance.
One of the sessions I attended this morning was part of the ‘Identity’ conference track, which is a fascinating and increasingly important topic. Online identity, or “who you are”, covers a lot of the areas I spoke about in my earlier blog about authentication, but also much wider topics such as federated identity, authorization, privilege escalation/trust elevation, and the whole process of making online services easier to use while keeping them secure.
Today’s talk was provocatively entitled “DON’T Use Two-Factor Authentication…Unless You Need It!”, and covered some of these issues, particularly the OpenID Connect standard and the User-Managed Access (UMA) profile, both built on OAuth 2.0. OpenID Connect lets a client verify the identity of an end user based on the authentication performed by a (possibly third-party) authorization server, and also provides basic profile information about the user. UMA is about authorization: a resource owner sets policies at an authorization server that control which requesting parties may access specific resources. Authentication and authorization are often conflated, so it is important to distinguish between the two; for example, after OpenID Connect has verified an identity, the end user might request a specific resource, and the UMA policy for that resource may determine that the user must re-authenticate at a higher level of assurance, which triggers a new OpenID Connect authentication request (step-up authentication). This whole topic ties in very nicely with my earlier blog on two-factor authentication, and OAuth 2.0-based standards such as OpenID Connect and UMA look like a potential framework for implementing it.
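To make the step-up flow concrete, here is an added example (not code from the talk, from Google, or from Open-Xchange) of the decision a relying party makes after OpenID Connect has already authenticated the user. It uses the standard OpenID Connect request parameters `acr_values`, `max_age` and `prompt=login`, and the standard ID token claims `acr`, `auth_time` and `nonce`; the ACR identifiers, the resource policy table and the endpoint URLs are constructed for the example. It assumes the ID token’s signature, `iss`, `aud` and `exp` have already been verified by your OpenID Connect library before these claims are inspected.

```python
"""Step-up authentication decisions for an OpenID Connect relying party.

Added example: the ACR names, resource policy and endpoints are hypothetical.
Assumes the ID token signature, iss, aud and exp were already verified.
"""
import time
from urllib.parse import urlencode

# Constructed ordering of authentication context class references (ACRs).
# Real deployments use the values their OpenID Provider publishes.
ACR_RANK = {
    "urn:example:acr:password": 1,
    "urn:example:acr:mfa": 2,
}

# Constructed resource policy: (required ACR, maximum age of the authentication in seconds).
# In a UMA deployment this would come from the authorization server's policy evaluation.
RESOURCE_POLICY = {
    "/calendar": ("urn:example:acr:password", 8 * 3600),
    "/payroll": ("urn:example:acr:mfa", 300),
}


def needs_step_up(id_token_claims, resource, now=None):
    """Return None if the current ID token satisfies the resource policy,
    otherwise the (required_acr, max_age) pair to request from the OP."""
    now = time.time() if now is None else now
    required_acr, max_age = RESOURCE_POLICY[resource]
    have = ACR_RANK.get(id_token_claims.get("acr"), 0)  # missing/unknown acr ranks lowest
    auth_time = id_token_claims.get("auth_time", 0)
    fresh_enough = (now - auth_time) <= max_age
    if have >= ACR_RANK[required_acr] and fresh_enough:
        return None
    return required_acr, max_age


def build_step_up_request(authorize_endpoint, client_id, redirect_uri, state, nonce,
                          required_acr, max_age):
    """Build the OpenID Connect authorization request that asks the OP to
    re-authenticate the user at the required level, not just reuse its SSO session."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "acr_values": required_acr,  # requested ACR (voluntary claim: OP may not honour it)
        "max_age": str(max_age),     # forces auth_time to be present in the new ID token
        "prompt": "login",           # ask the OP to actually re-authenticate
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def validate_step_up_response(id_token_claims, required_acr, max_age, expected_nonce, now=None):
    """Check the new ID token actually delivers what was asked for.
    acr_values is only a request; the client must verify the acr it got back."""
    now = time.time() if now is None else now
    if id_token_claims.get("nonce") != expected_nonce:
        return False  # replayed or mixed-up response
    if ACR_RANK.get(id_token_claims.get("acr"), 0) < ACR_RANK[required_acr]:
        return False  # OP did not (or could not) meet the requested level
    auth_time = id_token_claims.get("auth_time")
    if auth_time is None or (now - auth_time) > max_age:
        return False  # auth_time is required when max_age was requested; stale auth rejected
    return True


if __name__ == "__main__":
    now = 1_700_000_000
    session = {"sub": "alice", "acr": "urn:example:acr:password", "auth_time": now - 60}
    print("/calendar:", needs_step_up(session, "/calendar", now))      # None: no step-up
    req = needs_step_up(session, "/payroll", now)
    print("/payroll needs:", req)                                         # ('urn:example:acr:mfa', 300)
    print(build_step_up_request("https://op.example/authorize", "rp-client",
                                "https://rp.example/cb", "state-1", "nonce-1", *req))
```

The check that matters most in practice is the last function: `acr_values` is a request, not a guarantee, so a relying party that trusts the redirect without comparing the returned `acr` and `auth_time` against what it asked for has not actually stepped up anything.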
Again on the identity topic, yesterday saw a good presentation from Google and Ping Identity covering their work on enhancing the usability and security of their identity management framework. One aspect was their use of open standards such as U2F and OpenID Connect, which I have already discussed, but another was how relatively simple changes to the sign-in process enabled a much better user experience and led to higher sign-in and sign-up rates. The most fundamental change was moving to an identity-first login process, where the only thing asked for on the Google login page is the user’s identity. Once the identity is known, a much richer set of decisions can be taken about what to do next; for example, if the user’s identity belongs to a federated identity service, redirect to that service and pass the username along to it. Another simple step was removing the “sign-up” button and making sign-up part of the identity-first process: if the user types an identity that is not known, the user is asked whether they want to sign up.
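The routing step at the heart of an identity-first login page, as an added example (not Google’s or Ping Identity’s code): given only the identifier, decide whether to hand off to a federated provider, prompt for a local credential, or offer sign-up. The federated-domain table, the local account set and the provider URL are constructed for the example; `login_hint` is the standard OpenID Connect parameter for passing the username to the provider. Note the trade-off the page describes without spelling it out: the “unknown identity, offer sign-up” branch tells anyone whether an account exists, so rate-limit it like a credential check.

```python
"""Identity-first login routing. Added example with constructed data."""
from urllib.parse import urlencode

# Constructed home-realm table: e-mail domain -> federated provider's authorization endpoint.
FEDERATED_DOMAINS = {
    "corp.example": "https://idp.corp.example/authorize",
}

# Constructed local account store (in practice a database lookup).
LOCAL_ACCOUNTS = {"alice@mail.example"}


def normalize_identifier(identifier):
    """Canonicalise the typed identifier so lookups are case- and whitespace-insensitive."""
    return identifier.strip().lower()


def next_step(identifier, client_id, redirect_uri, state, nonce):
    """Decide what the login page does after the user enters only an identifier.

    Returns one of:
      ("federated", <authorization URL with login_hint>)  - send the user to their IdP
      ("password", <normalised identifier>)               - known local account, ask for credential
      ("signup", <normalised identifier>)                 - unknown identity, offer to sign up
    """
    ident = normalize_identifier(identifier)
    domain = ident.rpartition("@")[2] if "@" in ident else None

    if domain in FEDERATED_DOMAINS:
        params = {
            "response_type": "code",
            "scope": "openid",
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "state": state,
            "nonce": nonce,
            "login_hint": ident,  # hand the username to the federated provider
        }
        return "federated", f"{FEDERATED_DOMAINS[domain]}?{urlencode(params)}"

    if ident in LOCAL_ACCOUNTS:
        return "password", ident

    # This branch is an account-existence oracle: rate-limit it and treat it
    # with the same abuse controls as a failed password attempt.
    return "signup", ident


if __name__ == "__main__":
    for who in ("  Bob@Corp.Example ", "alice@mail.example", "carol@mail.example"):
        print(who.strip(), "->", next_step(who, "rp-client", "https://rp.example/cb", "s1", "n1"))
```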
The identity tracks this week have helped me realize that identity management is critical to security, not only because of mechanisms like two-factor authentication, but because good identity management can make services easier to use while at the same time improving security, and that is a very rare combination.