Today's practices for authentication on the Web are inadequate in a number of regards:
It is therefore timely to consider new approaches for authentication on the Web, including the role of anonymous credentials as a way to ensure greater privacy.
Much of the current discussion, and even more of the current technologies, are centered around the real identity of a given user. In those concepts, a trusted third party is one that is known and trusted. In the imagined use cases, the trusted third party was there to control the user and to deliver the user to services. The business model wasn't user centric, it was service centric. All this has more or less failed because users weren't convinced. The third party was rather a point of intrusion than a point of increased confidence. The information given and the digital trails left were monitored for even better targeting. But users don't want to be the target of marketing guns. The third party either has to offer added value, like social networks do, or has to help users protect themselves and better find their way online. The degree of intrusiveness that is possible is probably a direct function of the added value that comes with the trusted third party.
Many in the digital economy think that real names will bring more trust. We are doubtful about that assertion. The belief probably stems from the fact that the identity of a person is needed for legal action. The expectation, it seems, is that persons acting under a real name can be held accountable in the legal system, which is why the legal systems in most countries seem to require real names in order to start legal action in case of abuse. But this expectation is wrong. Persons committing fraud under real names will, if in doubt, also fake a real name. On the contrary, using real names and real identities (whatever those are) exposes users to greater vulnerability to fraud. In our digital world, everything leaves traces. Those traces can be much better interlinked and abused if one has only one identity. So putting everything under a real name forces an unhealthy centralization that makes systems extremely vulnerable.
So real names don't help against fraud and additionally expose users and systems to higher security risks and potential for abuse.
The legal system would also work with pseudonymous identities as long as there is technology for break-the-glass traceability in case of abuse. And those windows have to be distributed, so that breaking one pane of glass doesn't reveal a person's entire life but only the part that is of interest to the party seeking accountability. In such a world, reputation attaches to a pseudonymous identity, as it already does in certain social networks. The reputation itself is not bound to a real person but to this online identity. Within such a system, credentials will become more important than the current user / password authentication.
This point has also been raised by Lawrence Lessig in his espousal of traceable anonymity:
A strong ethic and architecture of pseudonymous identity, properly protected, would give us more privacy than we have today.
Of course, it is possible (and probably likely) that such an architecture would not properly protect the link between a transaction and the privacy of a person. Government officials, for example, upon mere suspicion would be able to break the link, etc. That of course is not what I am promoting. I would promote a regime where the gov't required a very strong warrant-like reason before it could break the code that makes the link. But I will note that the baseline from which we're starting is a world where no real showing is necessary for this sort of surveillance.
We should start by avoiding the need for users to ever have to type their credentials into Web page forms. The website should disclose authentication and account management details to the browser and allow it to deal with them. Users authenticate themselves to the device/browser, then the browser authenticates the user to the website. The Firefox account manager is proof of feasibility. The approach allows for a variety of different authentication techniques. We should strongly discourage the practice of sending passwords to the server, even when using transport layer security (HTTPS). We should encourage mutual authentication, where the user can be assured that she is connecting to the same server as the one she set up her account with.
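The two-step flow just described, as an added illustration (not the Firefox account manager or any code from this paper): the user unlocks the browser locally, the browser derives a distinct key for each origin from a master secret that never leaves the device, pins the server identity seen at account setup, and then runs a mutual challenge-response in which the server must prove knowledge of the account key before the browser does. No password is ever typed into a form or sent to the server. The HMAC-based scheme, the `Browser`/`Server` classes and the `fingerprint` attribute standing in for the TLS certificate key are assumptions made for this example; a deployed design would use an asymmetric key so that the website stores nothing that could be replayed against it.

```python
import hashlib
import hmac
import secrets


def _mac(key, *parts):
    """HMAC over '|'-joined parts; parts are fixed labels or 16-byte nonces, so joining is unambiguous."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class Browser:
    """Holds the user's secrets: the user unlocks it locally, and it speaks to websites on her behalf."""

    def __init__(self):
        # Released only after local user authentication (PIN, biometric, ...); never leaves the device.
        self.master_secret = secrets.token_bytes(32)
        self.pinned = {}  # origin -> server key fingerprint recorded at account setup

    def site_key(self, origin):
        # Per-origin key derived from the master secret: unrelated sites get unrelated keys.
        return _mac(self.master_secret, b"site-key", origin.encode())

    def create_account(self, origin, username, server):
        # Pin the server identity seen at setup and enrol the derived key once (over TLS in practice).
        self.pinned[origin] = server.fingerprint
        server.enroll(username, self.site_key(origin))

    def login(self, origin, username, server):
        if self.pinned.get(origin) != server.fingerprint:
            return False  # not the server this account was set up with
        key = self.site_key(origin)
        browser_nonce = secrets.token_bytes(16)
        server_nonce, server_proof = server.start_login(username, browser_nonce)
        # Mutual authentication: the server proves knowledge of the key before the browser does.
        if not hmac.compare_digest(server_proof, _mac(key, b"server", browser_nonce, server_nonce)):
            return False
        browser_proof = _mac(key, b"browser", browser_nonce, server_nonce)
        return server.finish_login(username, server_nonce, browser_proof)


class Server:
    """Website side: stores one key per account and never sees a password."""

    def __init__(self):
        self.fingerprint = secrets.token_hex(16)  # assumed stand-in for the TLS certificate's public key
        self.keys = {}
        self.pending = {}

    def enroll(self, username, key):
        self.keys[username] = key

    def start_login(self, username, browser_nonce):
        server_nonce = secrets.token_bytes(16)
        self.pending[username] = (browser_nonce, server_nonce)
        key = self.keys.get(username, b"")  # an unknown account just yields an unverifiable proof
        return server_nonce, _mac(key, b"server", browser_nonce, server_nonce)

    def finish_login(self, username, server_nonce, browser_proof):
        browser_nonce, expected = self.pending.pop(username, (None, None))
        if expected != server_nonce or username not in self.keys:
            return False
        return hmac.compare_digest(browser_proof, _mac(self.keys[username], b"browser", browser_nonce, server_nonce))


if __name__ == "__main__":
    browser, bank = Browser(), Server()
    browser.create_account("https://bank.example", "alice", bank)
    print("genuine server:", browser.login("https://bank.example", "alice", bank))
    print("different server:", browser.login("https://bank.example", "alice", Server()))
```

A server presenting a different key than the one pinned at setup is refused before any proof is exchanged, and a server that shows the right key but does not hold the account key fails the mutual step; in neither case does the browser reveal anything derived from the account key. Because the site key is derived per origin, a compromise of one site's database says nothing about the user's other accounts.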
In many circumstances it isn't necessary to identify the user, when you just need to verify certain things about the user, for example that the user is a member of a given group, is within a given age range, or resides in a given area. Zero knowledge proofs are a perfect solution for this, with the ability to provide cryptographic proofs based upon the possession of strong credentials. At first sight this seems a little weird, providing privacy by requiring strong credentials, but it makes a lot of sense. The website can be assured that the required properties are backed by a trusted credential issuer, despite not learning what the user's real name, location and age are. There is a break-the-glass mechanism to reveal true identity under court order.
Dave Raggett (W3C) and Patrik Bichsel (IBM) have developed a proof of concept demo for Firefox based upon the Identity Mixer library created by IBM Research, Zurich. Further work is now planned on integrating zero knowledge proofs directly within browsers.
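The attribute-based verification of the two paragraphs above, as an added illustration written for this page (it is not the Identity Mixer library or the Firefox demo): an issuer signs a pseudonym together with hiding commitments to every attribute; at a website the holder opens only the attributes the site needs and gives a Schnorr zero-knowledge proof, bound to the site's fresh nonce, that it knows the secret behind the pseudonym. The website learns that a trusted issuer vouches for "over_18 = yes" and nothing about the name or birth year. The toy safe-prime group, the function names and the record layout are assumptions for this example; the 128-bit parameters are for readability and speed, not security.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test, adequate for generating toy parameters."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=128):
    """Toy safe-prime group p = 2q + 1; g = 4 is a square, so it generates the order-q subgroup."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

P, Q, G = make_group()  # 128-bit example parameters, far too small for real use

def H(*parts):
    """Hash ints, strings or bytes (length-prefixed) to a scalar mod Q."""
    h = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % Q

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def sign(sk, pk, msg):
    """Schnorr signature, used by the issuer to certify a credential."""
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    return R, (k + H(R, pk, msg) * sk) % Q

def verify_sig(pk, msg, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(pk, H(R, pk, msg), P) % P

def prove_knowledge(x, y, nonce):
    """Schnorr zero-knowledge proof of knowing x with y = g^x, bound to the verifier's nonce."""
    t = secrets.randbelow(Q - 1) + 1
    T = pow(G, t, P)
    return T, (t + H(T, y, nonce) * x) % Q

def verify_knowledge(y, nonce, proof):
    T, z = proof
    return pow(G, z, P) == T * pow(y, H(T, y, nonce), P) % P

def commit(name, salt, value):
    """Hiding commitment to one attribute; revealing the salt opens it."""
    return H("commit", name, salt, value)

def credential_message(pseudonym, commitments):
    """Canonical bytes the issuer signs: every commitment plus the pseudonym."""
    fields = [f"{n}={commitments[n]}" for n in sorted(commitments)]
    return ("|".join(fields) + f"|pseudonym={pseudonym}").encode()

def issue(issuer_sk, issuer_pk, pseudonym, attributes):
    """Issuer certifies commitments to all attributes; it never learns the holder's secret key."""
    salts = {n: secrets.token_hex(16) for n in attributes}
    commitments = {n: commit(n, salts[n], v) for n, v in attributes.items()}
    sig = sign(issuer_sk, issuer_pk, credential_message(pseudonym, commitments))
    return {"pseudonym": pseudonym, "commitments": commitments, "signature": sig,
            "salts": salts, "attributes": dict(attributes)}

def present(cred, holder_sk, disclose, nonce):
    """Holder opens only the requested attributes and proves ownership of the pseudonym."""
    return {"pseudonym": cred["pseudonym"], "commitments": cred["commitments"],
            "signature": cred["signature"],
            "disclosed": {n: (cred["salts"][n], cred["attributes"][n]) for n in disclose},
            "proof": prove_knowledge(holder_sk, cred["pseudonym"], nonce)}

def verify_presentation(issuer_pk, pres, nonce):
    """Website check: issuer signature, proof of possession, opened commitments. Disclosed attributes or None."""
    msg = credential_message(pres["pseudonym"], pres["commitments"])
    ok = (verify_sig(issuer_pk, msg, pres["signature"])
          and verify_knowledge(pres["pseudonym"], nonce, pres["proof"])
          and all(pres["commitments"].get(n) == commit(n, s, v)
                  for n, (s, v) in pres["disclosed"].items()))
    return {n: v for n, (_, v) in pres["disclosed"].items()} if ok else None
```

The website sees the pseudonym, the opened attributes and the issuer's signature; the closed commitments hide the remaining attributes because each carries its own random salt. Binding the proof to the site's nonce means a captured presentation cannot be replayed elsewhere. One simplification matters: the same pseudonym appears at every site, so presentations are linkable across sites, whereas the Identity Mixer proofs referred to above are unlinkable.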
Rigo could show the idemix demo at the workshop!
For strong authentication, we can't ignore the first step of authenticating the user to the device/browser. Relying parties will want assurance that it is the intended user who is operating the device. Two-factor techniques can help, but human nature being what it is, this shouldn't be something that can be easily lent to a friend or purloined by an enemy. This is a problem for short PINs and for smart cards. A combination of biometric techniques with a fallback to a long but memorable personal phrase provides a solution. An example is being asked to repeat a few random digits whilst looking at the device's video camera. This combines voice authentication with video-based face authentication, and is safe against replay attacks, noisy conditions, stuffy noses and poor lighting.
Today authentication on the Web is deeply flawed and it is now time to progressively phase in better solutions, starting with avoiding the need for users to type passwords, and for passwords to be sent over the Web to servers. A two-step process is essential, where users authenticate to the browser, and the browser then authenticates to the website, preferably using some form of mutual authentication. Authentication isn't necessarily about who you are; in many cases it is more a matter of what you are! Zero knowledge proofs can provide websites with the evidence they need in a privacy-friendly manner that is underpinned by strong credentials. Secure pseudonymous identities can be based upon strong identities for traceability when really needed. Imagine it, your privacy guaranteed by a government ID! It is time for browser vendors to work together with cryptographers, privacy, security and protocol experts to develop new and effective standards for Web authentication!