To access an online account you need to sign in. Traditionally, this requires you to enter a username and password. Typically, these are different for each service you have access to. In a business context, it makes sense to centralise the management of both user accounts and the services they are authorised to access. This has given rise to a form of federated identity management, where users sign in to one single central identity provider. This identity provider usually also manages the user authorisation and seamlessly logs the user in to the desired service. The advantages are obvious: the user only needs to remember a single username and password, and the business manages service authorisations in a single place.

Unfortunately, this federated model of identity management is used more in more in a consumer setting as well. Examples are services like Facebook Connect which: “makes it easier for you to take your online identity with you all over the Web, share what you do online with your friends and stay updated on what they’re doing. You won’t have to create separate accounts for every website, just use your Facebook login wherever Connect is available”. This is an incredibly bad idea.

It is like you are living in a large apartment building and instead of having a key to your house, the janitor owns the keys to all apartments in the building instead. To enter your house, you ask the janitor to open the door for you. It’s even worse: the janitor also holds a key to your safe, your car, etc…. In real life we wouldn’t ever trust a janitor and endow him with this much power. He might be bribed, or simple forced to cooperate… Then why do we trust Facebook with similar powers in the online world?
Especially if we know that intelligence services like the NSA can request all your Facebook account data (possibly including authorisations for other services)?

And it’s not only Facebook. Schemes like OpenID, SAML, even certification authorities (like Verisign) in a public key infrastructure (PKI) have similar powers.

A strong authentication mechanism relies on public key cryptography. A user creates a key pair, and gives the public key to the service provider when signing up for an account. To access the account, the user needs to prove it owns the corresponding private key using a challenge response protocol. To prevent the need to maintain a large database of public keys for user accounts locally, the service provider could decide to use a certification authority (CA) to issue certificates that bind a public key to a user account instead. Then users receive a certificate for their public keys, and the service provider only needs to store the public key of the CA to verify all certificates it receives. However, this gives the CA the power to access any account, simply by generating a key pair and issue a certificate that binds the key to the desired account. In other words, it becomes as powerful as the janitor in the apartment building. In fact, any PKI delegates control from the leaves of the hierarchy, accumulating power up to the root.

In real life, we have different keys to open the front door of our house, open our safe or start our car. We may have a spare key, and a locksmith who knows the serial number of the key (or the lock) may be able to produce a new one. But never would a locksmith be able to create a new key that magically fits on our lock (excluding the possibility of master keys for the sake of argument) without such information. Using separate keys spreads the risk.

Again I wonder: why do we accept such a drastic change in trust assumptions in the virtual world?

Any authentication mechanism that does not require the service provider to store something specific for each user account runs the same risk. Trusting the janitor is but one example of the current Identity Crisis.