Web authentication is deeply flawed, and it is time to fix it

Position Paper from Patrik Bichsel, Dave Raggett and Rigo Wenning for the W3C Workshop on Identity in the Browser

Background

Today's practices for authentication on the Web are inadequate in a number of regards:

It is therefore timely to consider new approaches for authentication on the Web, including the role of anonymous credentials as a way to ensure greater privacy.

Realname Identities are a false re-assurance for trust

Years ago companies started to realise that identification in the Web is becoming a significant problem. The solutions at the time were built around a trusted party. In this context a trusted third party is one that is known and trusted by a user. In the imagined use cases, the trusted third party was there to authenticate the user, to perform access control, and to forward it to services. The business model wasn't user centric, it was service centric. One main reason for the failure of this approach is that users weren't convinced of the benefits. The third party was rather a point of intrusion than a point of increased confidence. The information given and the digital trails left were monitored for even better targeting. But users don't want to be the target of marketing guns. The third party either has to offer added value, like social networks do, or has to help the user to protect and better find their way online. The intrusiveness possible is probably a direct function of the added value that comes with the "trusted" third party.

Much of the current discussion and even more of the current technologies are centered around the real identity of a given user. Many players in the digital economy think that real names will increase trustworthiness. We are doubtful about that assertion. The belief probably stems from the fact that the identity of a person is needed for legal action. The expectation — it seems — is that persons acting under a real name can be made accountable in the legal system. The legal systems in most countries require real names in order to start legal action in case of abuse. We strongly believe that this expectation is wrong. Persons committing fraud under real names will — when in doubt — also use a fake name. On the contrary, the fact of using real names and real identities (whatever that is) exposes users to increased vulnerability to fraud. In our digital world, everything leaves traces. Those traces can be much better interlinked and abused if a person uses only one identifier, that is, the real name. Honest users releasing their real name at each occasion forces an unhealthy centralization that makes systems extremely vulnerable.

Consequently, real names don't help against fraud and additionally expose users and systems to higher security risks and potential for abuse.

Apart from the fact that requiring the release of the real name does not help making actions on the Web accountable, we claim that the legal system would also work with pseudonymous identities. A prerequisite is that the technology used when releasing the pseudonym allows for break-the-glass traceability in case of abuse. Those windows have to be distributed so that breaking one pane of glass doesn't reveal a person's entire life, but just the part that is of interest to the party seeking accountability. In such a world, a reputation is attached to a pseudonymous identity, as we have it already in certain social networks. The reputation itself is not bound to a real person, but to this online identity. Within such a system, credentials will replace the current user / password authentication.

This point has also been raised by Lawrence Lessig in his espousal of traceable anonymity:

A strong ethic and architecture of pseudonymous identity, properly protected, would give us more privacy than we have today.

Of course, it is possible (and probably likely) that such an architecture would not properly protect the link between a transaction and the privacy of a person. Government officials, for example, upon mere suspicion would be able to break the link, etc. That of course is not what I am promoting. I would promote a regime where the gov't required a very strong warrant-like reason before it could break the code that makes the link. But I will note that the baseline from which we're starting is a world where no real showing is necessary for this sort of surveillance.

Leading the way to a better future

We should start by avoiding the need for users to ever have to type their attributes into Web page forms. Each website should disclose authentication and account management details to the browser and allow it to deal with them. Users would authenticate themselves to the device/browser, then the browser authenticates the user to the website. The Firefox account manager is proof of feasibility. The approach allows for a variety of different authentication techniques. We should strongly discourage the practice of sending passwords to the server, even when using transport layer security (HTTPS). We should encourage mutual authentication, where the user can be assured that she is connecting to the same server as the one she set up her account with.
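The two-step, password-never-leaves-the-device flow described above, written out as an added example (it is not the paper's or any browser vendor's protocol, and the Firefox account manager does not work exactly this way). The user agent holds the password after the user has unlocked the device, derives a salted verifier from it, and proves possession of that verifier with a challenge-response exchange in which each side contributes a fresh nonce; the site must then prove that it holds the same verifier, which is the mutual-authentication property the text asks for. Names such as `Site`, `BrowserAgent` and `ImpostorSite`, the wire-recording helper and the PBKDF2 work factor are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Added example: challenge-response login where the password never crosses the
# wire and the site proves itself back to the browser (mutual authentication).
KDF_ITERATIONS = 100_000  # PBKDF2 work factor, a constructed value for this example


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Salted, stretched key derived from the password on the user's device."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


def _mac(key: bytes, *parts: bytes) -> bytes:
    """Domain-separated HMAC over the protocol messages."""
    return hmac.new(key, b"|".join(parts), "sha256").digest()


class Site:
    """Relying party: stores a per-account salt and verifier, never the password."""

    def __init__(self):
        self.accounts = {}  # username -> (salt, verifier)
        self.pending = {}   # username -> server nonce of the login in progress
        self.wire = []      # every byte string received, i.e. what an eavesdropper sees

    def register(self, user: str, salt: bytes, verifier: bytes) -> None:
        self.wire.extend([salt, verifier])
        self.accounts[user] = (salt, verifier)

    def begin_login(self, user: str):
        """Step 1: hand back the account's salt and a fresh server nonce."""
        salt, _ = self.accounts[user]
        server_nonce = secrets.token_bytes(16)
        self.pending[user] = server_nonce
        return salt, server_nonce

    def finish_login(self, user: str, client_nonce: bytes, client_proof: bytes):
        """Step 2: check the browser's proof; on success answer with the site's own proof."""
        self.wire.extend([client_nonce, client_proof])
        _, verifier = self.accounts[user]
        server_nonce = self.pending.pop(user)
        expected = _mac(verifier, b"client", server_nonce, client_nonce)
        if not hmac.compare_digest(client_proof, expected):
            return None
        return _mac(verifier, b"server", client_nonce, server_nonce)


class ImpostorSite(Site):
    """A look-alike site that does not hold the verifier: it accepts anything and bluffs."""

    def begin_login(self, user: str):
        return b"\x00" * 16, secrets.token_bytes(16)

    def finish_login(self, user: str, client_nonce: bytes, client_proof: bytes):
        return secrets.token_bytes(32)


class BrowserAgent:
    """User agent holding the credential once the user has unlocked the device."""

    def __init__(self, user: str, password: str):
        self.user, self.password = user, password

    def register(self, site: Site) -> None:
        salt = secrets.token_bytes(16)
        site.register(self.user, salt, derive_verifier(self.password, salt))

    def login(self, site: Site) -> bool:
        salt, server_nonce = site.begin_login(self.user)
        verifier = derive_verifier(self.password, salt)
        client_nonce = secrets.token_bytes(16)  # fresh per login, so old proofs cannot be replayed
        client_proof = _mac(verifier, b"client", server_nonce, client_nonce)
        server_proof = site.finish_login(self.user, client_nonce, client_proof)
        if server_proof is None:
            return False
        # Mutual authentication: only a site holding the verifier can produce this value.
        expected = _mac(verifier, b"server", client_nonce, server_nonce)
        return hmac.compare_digest(server_proof, expected)


def password_seen_on_wire(site: Site, password: str) -> bool:
    """True if the plaintext password appeared in any message the site received."""
    return any(password.encode() in msg for msg in site.wire)
```

The caveat a practitioner should note: in this sketch the verifier sent at registration is password-equivalent for the protocol, so a site database breach still lets the holder impersonate the account, and the verifier must be uploaded over a protected channel once. Standardised password-authenticated key exchanges such as SRP or OPAQUE remove that weakness while keeping the property shown here, that a login never transmits the password and a phishing site cannot complete the exchange.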

In many circumstances it isn't necessary to identify the user, when you just need to verify certain things about the user, e.g. that the user is a member of a given group, or that he is within a given age range, or resides in a given area. Anonymous credential systems are a perfect solution to achieve such minimal data disclosure. Using zero-knowledge proofs they allow a user to create proofs about properties of certified attributes. At first sight it seems weird - providing privacy by requiring credentials containing certified attributes. On second thought it makes a lot of sense. The strong certification by an entity trusted by the website operator allows the website to trust a proof released by a user, and the user only having to release a proof rather than the attribute itself (e.g., her real name) constitutes a gain in privacy. Clever use of mechanisms such as verifiable encryption realises the break-the-glass mechanism to reveal the true identity under court order.
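As an added illustration of "a proof about a property of an attribute" (this is example code, not the paper's and not the Identity Mixer library), the block below commits to an attribute with a Pedersen commitment and then proves, with a Cramer-Damgård-Schoenmakers OR-proof made non-interactive by the Fiat-Shamir transform, that the committed value lies in an allowed set, without the verifier learning which member it is. That is exactly the "within a given age range" or "member of a given group" check from the text. The issuer's signature that would certify the commitment, the 11-bit toy group parameters, and the helper names are assumptions of this example; a real system uses a cryptographically sized group and proves the issuer's signature as well.

```python
import hashlib
import secrets

# Added example (not Identity Mixer code): Pedersen commitment plus an OR-proof
# of set membership. Toy group: p = 2q + 1 with p and q prime, so squares mod p
# form a subgroup of prime order q. 11-bit parameters, for illustration only.
P = 2039
Q = 1019


def _generator(label: bytes) -> int:
    """Nothing-up-my-sleeve generator: hash the label into Z_p and square it."""
    counter = 0
    while True:
        digest = hashlib.sha256(label + bytes([counter])).digest()
        g = pow(int.from_bytes(digest, "big") % P, 2, P)
        if g > 1:          # skip 0 and 1; every other square has order q
            return g
        counter += 1


G = _generator(b"attribute-base")  # base for the attribute value
H = _generator(b"blinding-base")   # base for the blinding factor


def commit(attr: int, r=None):
    """C = G^attr * H^r mod p. An issuer would sign C (certification omitted here)."""
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, attr, P) * pow(H, r, P) % P, r


def _challenge(*values: int) -> int:
    """Fiat-Shamir challenge: hash of the statement and all commitments, reduced mod q."""
    data = b",".join(str(v).encode() for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def _shifted(C: int, v: int) -> int:
    """Y_v = C * G^-v. If C commits to v, then Y_v = H^r: a discrete log base H."""
    return C * pow(pow(G, v, P), -1, P) % P


def prove_membership(C: int, attr: int, r: int, allowed: list) -> dict:
    """Prove 'C commits to some value in allowed' while hiding which one."""
    j = allowed.index(attr)  # ValueError if the attribute is outside the set
    n = len(allowed)
    t, c, s = [0] * n, [0] * n, [0] * n
    for i in range(n):
        if i != j:           # false clauses: simulate a transcript for a chosen challenge
            c[i], s[i] = secrets.randbelow(Q), secrets.randbelow(Q)
            y_inv_c = pow(_shifted(C, allowed[i]), (-c[i]) % Q, P)
            t[i] = pow(H, s[i], P) * y_inv_c % P
    w = secrets.randbelow(Q)
    t[j] = pow(H, w, P)      # true clause: honest Schnorr commitment
    total = _challenge(C, *allowed, *t)
    c[j] = (total - sum(c[i] for i in range(n) if i != j)) % Q
    s[j] = (w + c[j] * r) % Q
    return {"t": t, "c": c, "s": s}


def verify_membership(C: int, allowed: list, proof: dict) -> bool:
    """Check the challenge split and each clause's Schnorr equation."""
    t, c, s = proof["t"], proof["c"], proof["s"]
    if len(t) != len(allowed) or sum(c) % Q != _challenge(C, *allowed, *t):
        return False
    return all(pow(H, s_i, P) == t_i * pow(_shifted(C, v), c_i, P) % P
               for v, t_i, c_i, s_i in zip(allowed, t, c, s))


def demo_adult_check() -> bool:
    """Prove 'age is between 18 and 120' for a 21-year-old without revealing 21."""
    adult_ages = list(range(18, 121))
    C, r = commit(21)
    return verify_membership(C, adult_ages, prove_membership(C, 21, r, adult_ages))
```

The verifier sees only the commitment and the proof; every clause looks identical, so the actual age stays hidden while the verifier is still convinced the committed value is in the range. Without the issuer's signature on the commitment the user could of course commit to any value, which is why the text insists on certified attributes: in Identity Mixer the proof additionally covers a signature from the issuer over the committed attributes.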

Dave Raggett (W3C) and Patrik Bichsel (IBM) have developed a proof of concept demo for Firefox based upon the Identity Mixer library created by IBM Research, Zurich. Further work is now planned on integrating zero-knowledge proofs directly within browsers.

Rigo could show the idemix demo at the workshop!

For strong authentication, we can't ignore the first step of authenticating the user to the device/browser. Relying parties will want assurance that it is the intended user who is operating the device. Two-factor techniques can help, but human nature being what it is, this shouldn't be something that can be easily lent to a friend, or purloined by an enemy. This is a problem for short PINs and for smart cards. A combination of biometric techniques with a fallback to a long but memorable personal phrase provides a solution. An example is being asked to repeat a few random digits whilst looking at the device's video camera. This combines voice authentication with video-based face authentication, and is safe against replay attacks, noisy conditions, stuffy noses and poor lighting.

Summary:

Today authentication on the Web is deeply flawed and it is now time to progressively phase in better solutions, starting with avoiding the need for users to type passwords, and for passwords to be sent over the Web to servers. A two-step process is essential, where users authenticate to the browser, and the browser then authenticates to the website, preferably using some form of mutual authentication. Authentication isn't necessarily about who you are, and in many cases it is more a matter of what you are! Zero-knowledge proofs can provide websites with the evidence they need in a privacy-friendly manner, underpinned by strong credentials. Secure pseudonymous identities can be based upon certified identities for traceability when really needed. Imagine it, your privacy guaranteed by a government ID! It is time for browser vendors to work together with cryptographers, privacy, security and protocol experts to develop new and effective standards for Web authentication!


Created by Patrik Bichsel (pbi@zurich.ibm.com), Dave Raggett (dsr@w3.org) and Rigo Wenning (rigo@w3.org), last update $Id: bichsel-raggett-wenning.html,v 1.13 2011/06/21 11:36:52 dsr Exp $