A couple of days ago the New York Times broke a story describing how Russian hackers amassed more than a billion internet passwords, along with 500 million email addresses, from over 420,000 large and small websites. Yesterday, The Verge questioned the veracity of these numbers, concluding that this number may be a compendium of both old and new breaches, many from small sites of limited impact. However you slice it, this is a stark example of the failure of passwords as a scalable security solution.
The vast majority of users use the same, or just a few, passwords across multiple sites. (Don’t kid yourself. If you’re reading this you’re almost certainly an IT or security professional, and you probably do too.)
Even if you force yourself to use good password hygiene - I use LastPass to generate 12-20 digit random strong passwords, unique for each site, and keep track of them for me - changing passwords across a broad swath of sites is just not practical. I have accounts and passwords for more than 470 websites stored in LastPass; despite the tool's automation, websites have no standardized way to change these passwords. It would take me days.
No, the solution is to move away from passwords. And that means supporting identity federation in particular and identity standards in general. Unlike basic authentication from a userid and password stored at the SaaS provider, identity federation keeps the user's password in one place: at the identity provider (IdP). The SaaS provider (who as part of federation has previously established the identity provider as a trusted source of identity) lets the IdP take care of the authentication for them.
Whether it's your company's Active Directory, Google, Yahoo, Facebook, Twitter, Microsoft, or some of the other big internet players, your password is safest when you just authenticate at these places when you need to prove your identity to a SaaS provider. The fewer passwords you have, the fewer you have to remember or change. The fewer passwords you have, the easier it is to store them with IdPs where identity and security are a major part of their business – compared to SaaS providers for whom user databases are a necessary evil and lowest common denominator security is the norm.
There have been some legitimate usability concerns on federated logon with certain identity providers, which I’ve written about in a previous post. In the past, if you wanted to use your Facebook ID to logon to another site, the target site would tell you that if you approve, it can access your profile, friends, friends' profiles, post on your behalf… basically all the identity data Facebook threw at it. (This is in direct violation of Kim Cameron’s 2nd Law of Identity.) Fortunately, this situation has improved to where you can easily refuse this access while still getting authenticated.
But federation adoption remains terribly slow. Only 7% of an estimated total market of 25,000 SaaS providers support federation at this time. And SaaS providers, with relatively small development staff and a hectic release-to-web schedule, have limited incentive to implement federation on their own. One really good reason, however, is the "New York Times" argument: No one wants to find their company's name in the Times because their user database was breached by hackers and customer identity information was exposed. Target is the most recent poster child for this situation, but in a few months it will be another high profile company. Embracing federation mitigates this risk considerably; though userids (often in the form of email addresses) can still be taken from the SaaS provider, since authentication is done at the IdP there aren’t any passwords at the SaaS provider to worry about.
You, gentle reader, are the ones to solve this problem of standards adoption. Why? Because you have the power of the PO. When evaluating a SaaS provider, federated logon should be a basic requirement - not merely a nice-to-have capability. Nothing gets a business's attention faster than telling them they lost an RFP because they didn't meet a basic requirement. Supporting standards also will make it easier for you to switch from one SaaS provider to another, because you won’t have to tear down and build up proprietary connections every time you move. Some companies have ways to make federation easier for SaaS providers. Ping Identity, always a flag bearer for identity standards, offers a Secure Cloud Network with incentives to bring SSO capabilities to a website.
While I'm on a soap box* about supporting identity standards, it's important to include the other half of the identity bridge equation. You can't authenticate a user's account at the SP if there's no account there. This is where identity provisioning - more precisely, the identity lifecycle - comes in, and the leading standard for identity provisioning is SCIM.
Unlike previous standards, SCIM is a simple (that's what the first letter stands for) yet flexible way to manage creation, reading, updating, and deletion of identities in a service provider. At this year's Cloud Identity Summit, SailPoint's Kelly Grizzle did a great job explaining why SCIM is so important to internet security and growth. But again, customers must ask for SCIM as a baseline requirement, or vendors will give implementing it a low priority compared to other pressing needs.
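As an added example (not code from the post or from any of the products it mentions), here are the two halves of the picture in one small Python sketch: the SaaS provider keeps a SCIM-style user store that has no password attribute at all, and a login is a signed assertion from the IdP that the SP verifies and then maps to a provisioned, active account. The issuer name `idp.example` and the HMAC shared key are constructed stand-ins for a real SAML or OpenID Connect signature.

```python
import base64, hashlib, hmac, json, time
# Constructed shared secret standing in for the IdP's signing key. Real federation
# (SAML, OpenID Connect) uses asymmetric signatures; HMAC keeps this self-contained.
IDP_KEY = b"constructed-idp-signing-key"
IDP_ISSUER = "idp.example"  # assumed issuer name, not from the post
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"

class ScimUserStore:
    """SCIM-style lifecycle at the SaaS provider; deliberately no password attribute."""
    def __init__(self):
        self.users, self.next_id = {}, 1

    def create(self, user_name, emails):
        uid, self.next_id = str(self.next_id), self.next_id + 1
        self.users[uid] = {"schemas": [SCIM_USER], "id": uid, "userName": user_name, "active": True,
                           "emails": [{"value": e, "primary": i == 0} for i, e in enumerate(emails)]}
        return self.users[uid]

    def update(self, uid, **attrs):  # e.g. active=False deactivates without deleting
        self.users[uid].update(attrs)
        return self.users[uid]

    def delete(self, uid):
        return self.users.pop(uid, None) is not None

    def by_user_name(self, name):
        return next((u for u in self.users.values() if u["userName"] == name), None)

def idp_issue_assertion(subject, now=None, ttl=300):
    """IdP side: after authenticating the user itself, sign a short-lived assertion."""
    body = json.dumps({"iss": IDP_ISSUER, "sub": subject,
                       "exp": int(now or time.time()) + ttl}).encode()
    sig = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def sp_federated_login(store, assertion, now=None):
    """SP side: verify signature and expiry, then map the subject to an active account."""
    try:
        body, sig = map(base64.urlsafe_b64decode, assertion.split("."))
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(hmac.new(IDP_KEY, body, hashlib.sha256).digest(), sig):
        return None
    claims = json.loads(body)
    if claims.get("iss") != IDP_ISSUER or claims.get("exp", 0) < (now or time.time()):
        return None
    user = store.by_user_name(claims.get("sub"))
    if user is None or not user["active"]:
        return None  # no account at the SP (or deprovisioned): nothing to authenticate
    return user
```

Note that a breach of `ScimUserStore` yields usernames and emails but no credentials, which is exactly the point made above; and a subject the IdP vouches for still cannot log in until SCIM has created the account.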
On a grander standards scale, the federal government’s NSTIC identity ecosystem initiative has the potential to raise the overall security of US internet transactions. No, it’s not a government takeover; the feds are providing a framework and initiatives (such as federal agencies dogfooding pilot projects) to help a public/private sector consortium – led by some of the country’s brightest identity experts, I might add – build a marketplace using truly trusted identities for secure transactions. Centrify CEO Tom Kemp has written a nice overview of NSTIC here; the program is always looking for participation and comments.
Identerati can preach the benefits of standards adoption as a holy mission, but money talks. If supporting identity standards becomes good business, SaaS providers’ rapid adoption will follow. And the internet world will become a little bit simpler for all of us as a result.
* Is anyone still alive that’s seen soap shipped in a box? Rewind the DVR while you're at it, Mabel.