2023-02-15 06:46:33
2023-02-15 02:09:21
I feel I've missed a lot of developments in OpenID and authentication/authorisation over the last decade or so. Here is a story representing the state of my knowledge. I would like to be corrected, preferably with a link to a long-form article.
In the beginning, websites identified users with a username and password. We quickly learned that passwords don't work. Users use the same password on all sites, the least-protected site gets hacked, and now hackers have access to all the accounts no matter how well-protected.
In the 2000s, OpenID was created as a solution to this problem. The idea is that authentication/authorisation would be separated out into a component that could be outsourced via a shared standardised API. Each user could choose one identity provider, and have just one password used to access all their sites. It simultaneously provides the benefits of centralisation, with specialist identity providers having much improved security, while also providing user choice, allowing users to switch to a more secure provider at will.
OpenID was noisily supported by certain big players, at first Microsoft, later Facebook and Google. But it was a trap! Big websites tended to act as identity providers more than as relying parties. That is, everyone wants to be the one true website that stores your password, no-one wants to be the website outsourcing authentication to someone else. Smaller websites that can be bought, bribed, or bullied now have one or two buttons labelled "log in with...", but you are not free to log in with your provider of choice. People like me who choose not to have accounts with Google or Facebook are locked out of this system completely.
An alternative solution to the password problem was multi-factor authentication. Instead of simply logging in with a password, now you need to receive a code sent to your phone. At first this was also a trap. The only mechanism permitted was a phone number. Since people normally only have one phone number, this acts as a unique identifier. Big websites can consolidate the dossiers they hold about you, and predators like Palantir can create even more detailed dossiers by correlating data from multiple sources.
These days this has marginally improved, with various authenticator apps also being adopted, supplemented by "suspicious activity" detection. The result is a mess. Every website has a different security stance exposed via a different UI, and they are constantly churning. If you lose a phone or you change phone number or you accidentally delete the wrong app or your email is hacked or any of another thousand scenarios, you are plunged into a Kafkaesque account recovery procedure. Today, most people are locked out of most of their accounts most of the time, while hackers are buying superyachts.
To me, it still seems like OpenID is a valid solution. It just needs to be implemented as originally intended. The mega-corp / startup-acquisition system as an institution is too corrupt to be trusted, so identity providers must be independent and un-buyable. Relying parties must be required to accept any identity provider, not just a preferred few. That setup probably can only work if identity providers are like banks: independent and commercial, but subject to strict government regulation.
Regardless of whether OpenID is a good approach, the key ingredient is government regulation. From the 1980s to the 2010s, the dominant free-market ideology made that impossible. Furthermore, because of network effects, no government can regulate the sector unless it controls a high proportion of the market: so that means the USA, EU, and China. The American government is too dysfunctional to do anything. China's reputation on security services is mud. That leaves the EU, which until now has been too technophobic to even begin such a conversation.
With the DMA, there are signs that the EU might be gradually sticking its oar in. The problem of everyone constantly being locked out of their accounts is visible to everyone. Surely most MEPs are already routinely texting their nephews to help them get back into Netflix. Perhaps the time is right to finally do what we should have done all along?
#security #openid #dma