By now you should have heard about the so-called “epic” hacking of the accounts of Wired journalist Mat Honan. Only those on vacation well out of civilization (i.e., no internet, no phones, no newspapers, no radio, no TV) could honestly say that the details weren’t available to them. Nevertheless, here’s a quick summary of what happened.
Honan’s Twitter account was hacked. From that, his Gmail address and home address were discovered. Gmail’s password-recovery page revealed that his backup email address was a me.com account (Apple’s MobileMe/iCloud mail service). The attackers also discovered his Amazon account name and were able to add a fake credit card to that account by calling Amazon and giving Mat’s name and billing address. After hanging up, they called Amazon back and added a new backup email address, this time using the fake credit card number as the authenticating credential. They then did a password reset on the account through the new email address and, once inside, could read the last four digits of every credit card registered to it. Armed with those digits, the attackers called Apple and got the customer service rep to set a temporary password on the me.com account. Logging in with the temporary password, they reset both the me.com and the Apple ID passwords and so had full control of the iCloud account. Using Gmail’s “forgot password” flow, they had a reset sent to the me.com mailbox they now controlled, used it to reset the Gmail password, and then reset the Twitter password. Finally, they remotely wiped Honan’s iOS and Mac devices. Had they wanted to, the attackers could likely have used the same methods to take over Honan’s LinkedIn, Facebook, Dropbox, online banking and other accounts, each step bolstering their credentials for the next.
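The chain above is worth modelling, because the same analysis can be run against your own recovery paths: write each reset or support procedure as a rule (facts the caller must already hold, facts they gain), start from one compromised credential and chain to a fixpoint. The model below is an added illustration, not code from the original post; its rule set is constructed to mirror the narrative, and the fact and account names (including what each step exposed) are assumptions rather than the providers’ actual policies. It also goes one step beyond the story by computing which single policy change would have broken the chain on its own.

```python
"""Forward-chaining model of a chained account-recovery attack.
Added illustration; the rules are constructed from the narrative and the
fact names are assumptions, not any provider's real policy."""
from typing import FrozenSet, Iterable, List, Set, Tuple

# A rule reads: if the attacker already holds every fact in `needs`, they
# obtain every fact in `grants`. A "control:<service>" fact means takeover.
Rule = Tuple[str, FrozenSet[str], FrozenSet[str]]


def rule(name: str, needs: List[str], grants: List[str]) -> Rule:
    return (name, frozenset(needs), frozenset(grants))


# Constructed to follow the summary above (assumed facts per step).
HONAN_CHAIN: List[Rule] = [
    rule("twitter takeover", ["twitter_password"], ["control:twitter"]),
    rule("twitter profile leaks", ["control:twitter"],
         ["gmail_address", "name", "billing_address", "amazon_username"]),
    rule("gmail recovery page shows backup address", ["gmail_address"],
         ["me_com_address"]),
    rule("amazon call 1: add a card",
         ["amazon_username", "name", "billing_address"],
         ["attacker_card_on_file"]),
    rule("amazon call 2: add an email",
         ["amazon_username", "name", "billing_address", "attacker_card_on_file"],
         ["attacker_email_on_amazon"]),
    rule("amazon password reset", ["attacker_email_on_amazon"], ["control:amazon"]),
    rule("amazon account page shows last four", ["control:amazon"], ["card_last4"]),
    rule("apple support issues temp password",
         ["me_com_address", "name", "billing_address", "card_last4"],
         ["control:me.com", "control:appleid"]),
    rule("gmail reset to backup mailbox", ["control:me.com"], ["control:gmail"]),
    rule("remote wipe via icloud", ["control:appleid"], ["devices_wiped"]),
]


def chain(rules: Iterable[Rule], initial: Iterable[str]) -> Tuple[Set[str], List[str]]:
    """Fire rules until nothing new is learned; return (facts, rule names fired in order)."""
    rules = list(rules)
    known: Set[str] = set(initial)
    fired: List[str] = []
    progress = True
    while progress:
        progress = False
        for name, needs, grants in rules:
            if name not in fired and needs <= known:
                known |= grants
                fired.append(name)
                progress = True
    return known, fired


def reachable(rules: Iterable[Rule], initial: Iterable[str], target: str) -> bool:
    return target in chain(rules, initial)[0]


def single_rule_cuts(rules: List[Rule], initial: Iterable[str], target: str) -> List[str]:
    """Rules whose removal alone makes `target` unreachable: each is a policy
    change that would have stopped this particular chain by itself."""
    initial = set(initial)
    return [r[0] for r in rules
            if not reachable([s for s in rules if s is not r], initial, target)]


if __name__ == "__main__":
    facts, steps = chain(HONAN_CHAIN, {"twitter_password"})
    for step in steps:
        print("->", step)
    print("cuts for control:gmail:",
          single_rule_cuts(HONAN_CHAIN, {"twitter_password"}, "control:gmail"))
```

Run against a real estate of accounts, the interesting output is the cut list: any recovery rule that appears there is one where a guessable or purchasable fact (billing address, last four digits) is acting as a credential.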
The story did cause Apple and Amazon (and hopefully others) to change the way they assist “users” to recover or change passwords. Hopefully, quite a few people also re-thought the idea of staying with username/password authentications. And, of course, the blogosphere and twitterverse were lit up with opinions, discussions and arguments about what it all proved. So why should I be different?
My friend Nishant Kaushik, of Identropy, did a very good job of outlining the attack (paraphrased above) and indicating corrective measures that should be taken. But I did quibble with one thing he said: “every business dealing with identity management of customers in any way needs to review their model, and if they can’t externalize identity by allowing customers to Bring Your Own Identity, then they need to review their processes and put much better controls in place”. Yes, BYOI reared its ugly head.
Bring Your Own Identity (BYOI) is a meme launched a few years ago by Gerry Gebel (now of Axiomatics) while he was still with the Burton Group, when he asked “why can’t the company I work for accept identity assertions or information based on an identity service that has already vetted my existence to an adequate assurance level?” The important part of this, of course, is “adequate assurance level.”
My colleague Martin Kuppinger recently (“Bring Your Own Identity? Yes. And No”) pooh-poohed the BYOI idea as simply a small piece of a much larger system:
“BYOI is much smaller than BYOD… The reality is that there will be multiple identity providers. This is about things like trust frameworks, about concepts like claims, and about the need to become flexible enough in the days of Identity Explosion. It is about gaining the ability to deal with multiple pieces of information provided by different providers, instead of one provider or two tiers of providers.”
So which is it – is BYOI important, as Nishant thinks, or not so much according to what Martin says?
I think the trust frameworks Martin speaks about will foster an authentication system which could be called BYOI but will be as far beyond today’s offerings (think Facebook ID) as today’s rocket ships are beyond the 18th century’s balloons as airborne craft. Third-party identity systems are really still in their infancy with many, many pitfalls ahead. Simply following the US National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative, which is attempting to foster the development of a trust framework, shows the dynamics involved when many stakeholders are allowed the opportunity to devise a standard.
But to return to my objection to Kaushik’s drum-thumping for BYOI today. It’s my feeling that the Mat Honan hack will – and should – slow any movement towards BYOI for the near term. And here’s why.
Nishant believes that customer-facing entities like Apple and Amazon care much more about good customer service than they do about authentication security. He feels they will better serve their clientele by leaving the actual authentication to other organizations whose primary purpose is authentication. But who? Facebook?
My gut feeling is that people will say that if Amazon and Apple cannot be counted on to secure your authentication details, and (in Apple’s case) violate their own stated rules in order to provide information to the hackers – who can we trust with that data? If I’m running a customer-facing site, then I would keep the authentication ceremony local while at the same time beefing up the security surrounding it and any recovery or reset mechanisms I might offer.
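What “beefing up” the reset mechanism looks like in code, as an added example that is not from the original post or from any of the providers it mentions: the knowledge-based reset that the phone-support path amounted to, next to a local token-based reset that is bound to the registered mailbox, random, single-use, short-lived, stored only as a hash, compared in constant time, and that never confirms whether an address is registered. The account record, the in-memory store and the mail outbox are constructed stand-ins for a real user store and mailer.

```python
"""A weak knowledge-based password reset beside a hardened token-based one.
Added example; Account, the stores and the outbox are constructed stand-ins."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

RESET_TTL_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt hash stored as hex(salt)$hex(key)."""
    salt = salt or secrets.token_bytes(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt.hex() + "$" + key.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


@dataclass
class Account:
    email: str
    password_hash: str
    name: str
    billing_address: str
    card_last4: str
    reset_token_hash: Optional[bytes] = None   # only a hash of the token is kept
    reset_expires: float = 0.0


class WeakKbaReset:
    """Knowledge-based reset: facts readable off an invoice or another
    compromised account are accepted as the credential."""

    def __init__(self, accounts: Dict[str, Account]):
        self.accounts = accounts

    def reset(self, email: str, name: str, billing_address: str, last4: str,
              new_password: str) -> bool:
        acct = self.accounts.get(email.lower())
        if acct and (acct.name, acct.billing_address, acct.card_last4) == (name, billing_address, last4):
            acct.password_hash = hash_password(new_password)
            return True
        return False


class TokenReset:
    """Reset bound to the registered mailbox via a random, single-use,
    short-lived token; responses never reveal whether an address exists."""

    def __init__(self, accounts: Dict[str, Account], now: Callable[[], float] = time.time):
        self.accounts = accounts
        self.now = now
        self.outbox: List[Tuple[str, str]] = []   # (recipient, token): stands in for e-mail

    def request(self, email: str) -> str:
        acct = self.accounts.get(email.lower())
        if acct is not None:
            token = secrets.token_urlsafe(32)
            acct.reset_token_hash = hashlib.sha256(token.encode()).digest()
            acct.reset_expires = self.now() + RESET_TTL_SECONDS
            self.outbox.append((acct.email, token))
        return "If that address is registered, a reset link has been sent."

    def complete(self, email: str, token: str, new_password: str) -> bool:
        acct = self.accounts.get(email.lower())
        if acct is None or acct.reset_token_hash is None:
            return False
        if self.now() > acct.reset_expires:
            acct.reset_token_hash = None            # expired: invalidate it
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, acct.reset_token_hash):
            return False
        acct.reset_token_hash = None                # single use
        acct.password_hash = hash_password(new_password)
        return True


def demo() -> Tuple[bool, bool, bool]:
    """Constructed account. Returns (weak path accepts leaked facts,
    token path accepts a guessed token, token path accepts the mailed token)."""
    accounts = {"mat@example.com": Account("mat@example.com", hash_password("correct horse"),
                                          "Mat H.", "1 Example St", "1234")}
    weak_ok = WeakKbaReset(accounts).reset("mat@example.com", "Mat H.", "1 Example St", "1234", "pwned")
    clock = [1_000_000.0]
    svc = TokenReset(accounts, now=lambda: clock[0])
    svc.request("mat@example.com")
    guessed = svc.complete("mat@example.com", secrets.token_urlsafe(32), "pwned2")
    _, mailed = svc.outbox[-1]
    real = svc.complete("mat@example.com", mailed, "new strong passphrase")
    return weak_ok, guessed, real
```

The point of the contrast is where the secret lives: in the weak path it is data the attacker has already collected by the time they call, while in the token path it is a fresh 256-bit value that exists only in the user’s mailbox and, hashed, in the store, so a support rep cannot read it out over the phone and a leaked database does not hand out live reset links.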
In the enterprise, there’s even less reason to support today’s BYOI. Employees, certainly, need to have their accounts in the data center with authentication controlled by the enterprise’s systems. But what of partners, clients, vendors, contractors and others needing access? Some clamor for BYOI but there’s no reason for the enterprise to rely on third parties for these identities, either. In some cases a two-party federation scheme could be set up, and has been in many instances. But this only means a token exchange from the partner to the enterprise – no third party involved. It also generally means a contract of one sort or another setting out the terms of use, terms of service and terms of liability for each party.
BYOI, as most understand it today, is a term that needs to go away. Maybe TFFI, Trusted Framework for Identity, can take its place. Or not. But that is what we need to build going forward.