After my last post, a reasonable question is whether we in the industry have been goofing off on the job. After all, how could it be that someone got their account broken into? Everyone knows that passwords are a weak form of authentication. Most enterprises won’t allow them for employee access, and we would string a bank CSO up by his or her toenails if a bank only used passwords to access your information. They use, at a bare minimum, RSA one-time password tokens or perhaps smart cards. So why are the rules different for Facebook?
They would say, I’m sure, that they do not hold the keys to your financial data. Only that may not be true. Have you entered credit card details into Facebook? In that case, maybe they do hold the keys to your financial data. And even if you haven’t entered any financial data into Facebook, are you using the same password for Facebook that you use for your financial institution? Many people are, and that is the problem.
Passwords have become, for want of a better term, an attractive nuisance. It’s not that the concept itself is terrible, but they are increasingly difficult to secure, as the number of accounts that people hold continues to skyrocket. Yes, the problem is getting worse, not better. My favorite example is the latest update to the Wall Street Journal iPhone app, where the upgrade description says, “Application Enhancements to Add Free Registration & the Ability for Subscribers and Users to Login”. What a lovely enhancement. Right up there with enhancing the keyboard I am typing on to give me electric shocks.
Facebook is at least making a feeble attempt to get around this problem by offering OpenID access in some limited way (I tried using it from this site, and FB is broken, even though I can get into all sorts of other sites, including LiveJournal). Still, it probably works for you if you are a Google, Yahoo!, or MySpace user, but for better or worse those sites themselves do not accept OpenID. (The better part is that no one can simply break into one account and gain access to all of these other sites. The worse part is that if you have some other OpenID, you can’t use it with these sites.)
OpenID has lots of problems, the biggest of which is that there is no standard privileged interface to the user. This is something that Google, Yahoo!, and MySpace might actually like, because it means that they provide the interface they want to provide. Unfortunately, programs, or more precisely the authors of programs, might find that a little irritating, since OpenID is so closely tied to the web that it is difficult to use for other applications (like email).
SAML and Higgins to the rescue? OAUTH? Blech.
Eliot, you may be surprised to hear this, but many banks (at least outside of Switzerland) still use username/password for internal systems. OTPs, smartcards and other forms of stronger authentication tend to be reserved for remote access.
You’re absolutely right that strong(er) auth would be a good thing for the consumer (and SME) spaces. I had great hopes when MS first showed me CardSpace in 2006, but Information Cards still seem to be struggling to get out of the gate (try logging into MS Live services with one to see what I mean).
OpenID doesn’t have to be weak, but right now it’s hard for it to be strong, and it has a perception of being just for blogs. This isn’t helped by every service provider wanting to be an IDP and nobody being too keen on being an RP. The underlying problems of trust and liability are poison at a business level to many federations that should be happening at a technical level.
The one glimmer of hope seems to be coming from Verisign with its VIP service. I’ve recently started using their mobile soft token on my BlackBerry for a few services, and so far it’s been quite good. More at http://blog.thestateofme.com/2009/10/06/freevip/