Social media services such as Twitter, Facebook and Google are quickly becoming the de facto identity providers for the Internet. I signed up to Aardvark yesterday and I could use either my Google and/or Facebook account (I used both). My new web and mobile apps are going to support all of these. I mean, why not? It is easier for the user (not another password and identity) and easier for the provider (no hassle of maintaining accounts, authentication problems, password resets etc.).
So with these services increasingly being used to authenticate people on the Internet, it raises the question: why do they not support strong authentication?
What is the risk?
Authentication is not the be-all and end-all of security but, as anyone who started their life in the rough part of town will tell you, there is no point in a fancy alarm system or anything else if you do not lock your front door.
The risk is, at least personally, that I now have my credit card details and my business bank details (for AdWords) linked to my Google and Facebook accounts. These accounts would also let an attacker access a lot of identity information about me, trash my reputation and my relationships with friends and colleagues, and, as I mentioned at the start, get into a lot of my other accounts and profiles on the Internet.
Using just a single factor, username and password, carries a number of known weaknesses. The key ones being:
- people choose weak passwords - a good friend recently needed me to log into her Facebook account because she had got it locked while overseas, and she used her brother's name as the password (but no one knows that, she said to me!). It was six characters: a dictionary word, all lower case, no numbers or special characters
- people re-use passwords for convenience - the same friend: I was promptly able to use that password on her Hotmail account to check that she was still getting email
- people share passwords - see the point above
- people write passwords down - or store them insecurely in files and spreadsheets because there are so many
- it keeps on giving - once you know a static password you can access the account until the password is changed, or lock the user out by changing the password yourself
- static passwords can be easily intercepted - by hardware and software key loggers and Trojans; there is also social engineering and the leapfrog effect (compromise my Gmail and use the information there to take educated guesses at my other passwords or commit identity fraud)
There are a few others but I think you get the point.
In addition, this has always been the problem with Single Sign-On (SSO) technologies: they are very convenient to use, manage and control, but they hand over the keys to the kingdom if they are compromised. So the answer is not to avoid SSO but to secure it well. A single point of control (or a limited number of them) that is strongly authenticated is far better than multiple different, potentially weak, mechanisms.
In addition there is the password reset risk. Many of my accounts send a password reset email to my Gmail account. If you get that account you can reset my password on a lot of other services. Also I get very nervous every time I provide my Facebook or Google credentials to a site that is posting some news article etc. to my profile. This should go through the Facebook or Google API, secured with TLS, but I am still not entirely comfortable.
There is also the mobile endpoint risk now. All these accounts are now cached on my iPhone. I only have a 4-digit passcode set (yes, I know I could set a stronger one) but it is too inconvenient to type an 8-character complex password with one hand while on an escalator. Besides, I always have it with me (and would know what to do if I lost it); it is like carrying my credit card in my wallet with its 4-digit PIN. But there is a risk with mobile endpoints: if I leave my phone lying around and someone guesses my passcode within 10 attempts then they are in (or they can simply wipe my phone). Some people also don't set a passcode on the phone at all, or can't if they have an older phone.
It is not like the providers are ignoring this entirely. They provide a number of different options and controls to reduce the risk but they all have their faults:
Google - probably the worst currently. It provides support for SAML on premium accounts. So A: you need a premium account and B: you usually need to be a corporation with an existing two-factor authentication technology (or a geek with a home lab). Update 20/09/2010 - Google announces that they will support SMS-based 2FA on premium Google Apps accounts and will offer it even to non-premium users (Hell, it's about time! :)
Facebook - has gone down the adaptive authentication path. If you log in from a new device, it will email you. If it is a new IP or a different location (based on IP geolocation) it will challenge you, but it still relies on you entering only a username and password at the outset (so if you come from an IP in the location the user is known to use, you are not challenged), and it is still all "something you know", thus single factor. Update 13/10/2010 - Facebook announces that they will support one-time passwords sent to a registered mobile. Excellent :)
LinkedIn - has started using a CAPTCHA, presumably to reduce the risk of botnet-based brute force, but doesn't do much else
Twitter - supports OAuth; I have never tried logging in from a different country's IP; no real strong authentication options that I could see
Microsoft - is amazingly leading the pack, with live.com IDs supporting OTPs sent to a registered phone number
Nor have these sites enforced basic password controls, which would at least reduce the risk of guessing and brute force:
- minimum 8 character length not enforced (Google lets you enforce this on a premium account)
- complexity (alphanumeric, capital, symbol) not enforced
- lockout (e.g. 2 mins after 5 failed logins), exponential back-off (a 2 second delay doubling with each failed attempt) or blocking the IP for 5 minutes after 5 failed logins - none of these enforced
- people in the industry would add expiry - but I don't believe this provides any security benefit for the inconvenience, and it actually reduces security. It does mathematically place a time limit on a slow-running brute force, but if you do the above steps you don't need it.
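As an added example (not code from the original post, and not how any of the providers above implement it), here are the non-expiry controls from that list as server-side Python: a length/complexity check, and a login throttle that combines the per-account lockout, the exponential back-off and the per-IP block using the figures from the list. The function and class names, the "three of four character classes" complexity rule and the IP addresses in the comments are this example's own assumptions.

```python
import time
from collections import defaultdict
from typing import Callable, Dict, List, Tuple


def password_problems(password: str, min_length: int = 8, min_classes: int = 3) -> List[str]:
    """Return the policy failures for a candidate password (an empty list means it passes).

    Complexity rule (this example's choice): at least `min_classes` of the four
    classes lowercase, uppercase, digit and symbol must be present.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < min_classes:
        problems.append(f"fewer than {min_classes} of lowercase, uppercase, digit, symbol")
    return problems


class LoginThrottle:
    """Gate login attempts with the three controls from the list above:
    - lock the account for `lockout_seconds` after `max_failures` consecutive failures,
    - delay the next attempt by `base_delay` seconds, doubling with every failure,
    - block a source IP for `ip_block_seconds` after `max_failures` failures from it.
    All gates are checked before the password is evaluated, so a locked, blocked or
    too-early attempt learns nothing about whether the guess was right.
    """

    def __init__(self, max_failures: int = 5, lockout_seconds: float = 120,
                 base_delay: float = 2.0, ip_block_seconds: float = 300):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.base_delay = base_delay
        self.ip_block_seconds = ip_block_seconds
        self.user_failures: Dict[str, int] = defaultdict(int)   # consecutive failures per account
        self.user_next_allowed: Dict[str, float] = {}           # back-off deadline per account
        self.user_locked_until: Dict[str, float] = {}
        self.ip_failures: Dict[str, int] = defaultdict(int)
        self.ip_blocked_until: Dict[str, float] = {}

    def attempt(self, user: str, ip: str, check: Callable[[], bool],
                now: float = None) -> Tuple[bool, str]:
        """Return (accepted, reason). `check` performs the real password comparison and is
        only called once every gate has passed."""
        if now is None:
            now = time.time()
        if self.ip_blocked_until.get(ip, 0) > now:
            return False, "ip_blocked"
        if self.user_locked_until.get(user, 0) > now:
            return False, "account_locked"
        if self.user_next_allowed.get(user, 0) > now:
            return False, "back_off"
        if check():
            # Success clears the account's counters only; per-IP state is deliberately kept,
            # so one valid credential cannot be used to clear a block on an attacking IP.
            self.user_failures.pop(user, None)
            self.user_next_allowed.pop(user, None)
            return True, "ok"
        self.user_failures[user] += 1
        self.ip_failures[ip] += 1
        n = self.user_failures[user]
        self.user_next_allowed[user] = now + self.base_delay * 2 ** (n - 1)   # 2s, 4s, 8s, ...
        if n >= self.max_failures:
            self.user_locked_until[user] = now + self.lockout_seconds
            self.user_failures[user] = 0
        if self.ip_failures[ip] >= self.max_failures:
            self.ip_blocked_until[ip] = now + self.ip_block_seconds
            self.ip_failures[ip] = 0
        return False, "bad_credential"
```

With the defaults, an attacker who respects the back-off needs at least 2+4+8+16 = 30 seconds to reach the fifth failure, at which point both the account and the source IP are out of play. Account lockout on its own also hands an attacker a way to lock the legitimate user out (the mirror image of the "it keeps on giving" point above), which is why the per-IP block and the back-off are combined with it rather than used alone.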
Presumably this is because when these services started they were not holding such important information and they wanted a really easy user experience - but things change. Now, the above was not from a detailed study, just everyday use and what is available on the front pages of these sites. If you know how to enable 2FA with these services please let me know.
What would be better?
An option for two-factor authentication (the second factor being either something you have or something you are).
There are a number of options here:
- Good old RSA hard or soft token - get the user to pay the cost - I would happily pay the £15 for my token and carry it on my key ring with my other tokens, or on my phone. Amazon EC2 supports this option. There are also now a number of other token choices, e.g. EMU, but RSA is the Rolls-Royce and provides maximum integration compatibility
- Facial recognition - using my camera phone or webcam. Great for mobile authentication as well as websites
- Voice recognition - e.g. using Voicevault or a similar company; can use a mobile or the microphone on a computer. Also great for mobile (obviously)
2FA doesn't need to be for everyone, because everyone has a different risk appetite, hopefully based on how much they rely on these accounts and how much information they store there. 2FA also has its flaws, but it is definitely a much stronger front door than just a username and password. It is about time these services offered it. With great power comes great responsibility - add your name to the feature suggestions now :)