In our online world (but also offline) security is an important topic. Especially with the advent of cloud computing and an extended enterprise with partners and perhaps even clients having access to your ICT systems it becomes increasingly important to let the good guys in and keep the bad guys out.
On the other hand, and to make matters more complex, security should not result in frustration for legitimate users who need to remember all kinds of user IDs and passwords for the systems they need to use. From an ICT management perspective you want a solution that is easy to deploy and maintain, yet satisfies the security requirements of your organization.
The WSO2 Identity Server is part of the WSO2 application integration platform and is a versatile solution that covers the needs of organizations for federated identity management, single sign-on and other identity management challenges.
In this first of two articles we will look at the basics of identities, identification, authentication, authorization and factors. This article is suited for anyone who wants to know more about identities.
The second article will describe the functionality of the WSO2 Identity Server and how it addresses the security challenges of today’s organizations.
Part 1: The need for an Identity (Server)
It’s the theme song of the American hit series ‘CSI Las Vegas’: “Who are you”. Although that show identifies people from a criminal perspective, it nevertheless raises the issue of identity. Sometimes we need to know ‘who you are’, but most of the time we need to know ‘are you who you say you are?’
One or Many identities?
Figure 1: Your many identities
Shortly after your birth your name, date of birth and other relevant data are registered in your place of birth. You are assigned a unique number, let’s call it a citizen ID, and you get a paper extract of your registration.
Later in life you get an identity card or passport with a picture (or even biometric data) that is needed to open for instance a bank account or travel abroad. The picture on the card that looks like you and the fact that you have the card are the ‘proof’ that you are indeed who you say you are.
But you also have other identities, many in fact, such as:
• You are an employee at a company with an employee number;
• You are a member of a fitness club with a membership number;
• You register online with a website to read the news;
• You shop online and have a customer number.
All these identities are part of you and they share the same basic structure:
• User ID, a unique number or name (within the organization);
• Password or other proof (when used to log in or in a transactional environment);
• Additional information like your name, address or other personal data.
A 2012 study by Norsis (an independent Norwegian body on cybersecurity) found that the average minimum number of private passwords per person is 17, and the average minimum number of work passwords is 8.5 (Norsis, 2012). In total that is 25 different passwords, and that is the minimum average. For many people this number will be much higher, especially when they are active online.
In almost all cases your identity data is stored in a computer system. When you want to do something (e.g. access online banking, enter the gym or get a building permit) you need to identify and authenticate yourself. It means nothing more than providing your identity data and presenting proof of your claimed identity. This can be online but also offline, for instance by showing your passport or identity card when applying for a building permit.
In some cases, for instance when renewing a driver’s license or a passport, the issuing party wants strong ‘proof’ of your identity. You have to provide, for instance, the old passport to get a new one. The reason for asking for strong ‘proof’ is that a passport or driver’s license gives you certain rights that governments only want to give to people who are entitled to them, and the quality of proof is proportional to the importance of these rights.
However, if you register yourself on a free gossip website, you probably only want to share the bare minimum, like an email address and password.
One identity
With so many identities (i.e. user IDs and passwords) to remember it is natural to think: why not just one?
There are benefits to having one identity:
• Only one ID and password to remember;
• A familiar logon procedure.
But there are also drawbacks:
• Central point of failure (if the service is unavailable everything stops);
• Central point of vulnerability;
• What kind of data is stored;
• Potentially less privacy.
Companies have tried to offer single-password systems, Microsoft with Passport for instance, but these haven’t been a success. Nowadays Google and Facebook let other sites offer registration with a Facebook or Google account, making it easier for people to sign up, because remembering IDs and passwords (especially a different one for each site) is cumbersome for many.
There are of course also drawbacks to using Google and Facebook: they get an even more complete profile of you, of what you do online, who your friends are and where you log in.
This profile is valuable to them (and in fact their business model) and the reason they can offer free services (remember: there is no such thing as a free lunch).
Let’s say your government also offers a login service like Google or Facebook. If websites would give you the choice would you use your government ID for everything you do online?
Some say, “Sure I have nothing to hide”, others are more reluctant. It comes down to the question: what kind of data is stored? Will the government store information about the sites you visit, date and time and so on? What will they do with that data?
Can we trust them not to collect and analyze this data? In Europe, all member states must adhere to the Data Retention Directive that specifies that member states must store citizens’ telecommunications data for a minimum of 6 months and at most 24 months. With a court order this data could be made available to police and security agencies when for instance terrorist activity is suspected.
For many trusting the government is harder than it used to be, especially in the light of recent spying by governments across the globe. It has made citizens wary of governments whatever the purpose of the data collection was.
Because these are mostly privacy issues we will not elaborate any further. A single ID that can be used everywhere has both merits and drawbacks.
Identification, Authentication and Authorization
Identification is simply stating who you are by supplying your identity data: a user ID and password, a fingerprint or even your DNA (in a forensic investigation). Authentication is verifying that the proof, for instance a password, that you and the other party share matches the password representation stored in the database. We seldom trust people blindly.
It might be that you state your user ID is ‘John Doe’ or it might be ‘Sil3ntSurfer992’, both are identities you can have. The password that accompanies the ID authenticates your identity.
Authentication and factors
Authentication is the validation of your stated identity. To validate we need some sort of proof, something only you know, have or are. This is called a factor and it can be a password, a pin code, a card (that you insert, swipe or present), a driver’s license, your biometric profile (e.g. fingerprint) or even a combination of all three.
The proof is essentially a sort of ‘guarantee’ for the system that you are in fact the person you state you are. The word guarantee is in quotes since many of the things we consider proof, like a password, can sometimes easily be guessed, stolen or handed over. The quality of the proof depends on its inalienability, meaning here how hard it is for others to obtain and use it (ideally impossible to take away or give up).
Factors
As said, we use the word factor for the proof used to validate an identity; there are three types:
1. Something only the user knows (e.g., password, PIN, pattern);
2. Something only the user has (e.g., ATM card, smart card, mobile phone);
3. Something only the user is (e.g., biometric characteristic, such as a fingerprint);
The quality of proof these factors offer increases with their number, and each of the three can be used on its own or in combination. Multifactor authentication using at least three factors is considered the best.
Single factor
There are several levels of authentication. The simplest form of authentication is a list of names. A good example of this is when reserving a table in a restaurant. When you arrive you say your name and that you reserved a table. No one is going to ask you for a password; just your name is enough.
This is, of course, a low quality of proof and not very secure, but the stakes are not high either. If someone knows your name and knows that you reserved a table in the restaurant for that specific time, they can in fact get your table. What happens when you arrive? You also state your name and the fact that you reserved a table.
At that point the waiter might get confused, because there are now two people who both claim they reserved a table. A logical next step would be for both parties to identify themselves with proof of their name, for instance a debit card or driver’s license.
The person who is able to present an ID with the correct name will get the table. If both people have the same name (unlikely but possible), both should actually get a table, since there is no proof of who actually reserved it.
We use this principle (knowledge that is not secret but hard to guess) online as well, an unlisted YouTube video is not private and if you know the URL you can access it.
You could call this no-factor authentication, but it is actually a special form of simple single-factor authentication, since it’s based on knowledge (you know that you reserved a table) and there is a check whether you are indeed on the list.
More security
Figure 2: Authentication
When the stakes are higher, we want to know more. We often use a combination of a name or user ID and a secret password. A user ID has to be unique (within the collection of names) and is something that other people might also know, for instance your name. Organizations like your employer often use a standard template for establishing your user ID, like the first letter of your first name followed by your last name (e.g. JDoe). This can cause problems since names are not unique: Jane Doe and John Doe would in this case get the same user ID. Your naming policy should take this into account.
Your password or PIN code, however, should be secret, since this is the ‘proof’ of your identity. Although passwords can be guessed or stolen, user ID and password is the most widely used way to access online services like Gmail, Amazon and many others. This is called single-factor authentication. Although two things are asked for, it is still single factor, since both are knowledge factors.
Two factor
Figure 3: Identification and Authentication
When getting money from an ATM you present two factors, typically a debit or credit card and a PIN code. These are two of the three possible factors described earlier. This is widely used but, like any system, can be abused if someone steals your card and knows your PIN. Nevertheless it is secure enough for banks to use, as long as you keep card and PIN safe as well.
Multifactor
Although two-factor authentication is in essence already multifactor, we reserve the term multifactor for the combination of knowledge, possession and inherence: you know the PIN, you have the card and your fingerprint matches the one on file. This is considered the safest form, although it strongly depends on how securely the system is implemented.
Authorization
When you have access to the system the last step is authorization. This is establishing your rights or asserting that you have the right to do something. Your company’s CFO is authorized at a different level than someone in accounting. They can both have access to the system but the CFO can for instance authorize large financial transactions (based on his role).
Increasingly we want authorization moved out of individual applications to a higher level, tied in with the enterprise-wide security policies and the entitlements of users and groups.
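To make the chain concrete, here is an added Python example (not code from the article or from WSO2) that walks through identification, authentication against a stored password representation, counting factor types the way the text does (user ID + password + PIN is still one factor, card + PIN is two), and a role-based authorization check. The user ID, secrets, role names and transaction limits are constructed for the example.

```python
import hashlib
import hmac
import os

# The three factor types from the article.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"
ITERATIONS = 100_000  # PBKDF2 work factor; an assumed value, not from the article

def make_secret_record(secret: str) -> dict:
    """Store a salted, slow hash (the 'password representation'), never the secret."""
    salt = os.urandom(16)
    return {"salt": salt,
            "digest": hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)}

def verify_secret(secret: str, record: dict) -> bool:
    """Authentication: recompute the representation and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["digest"])

# Constructed user database: user ID -> stored factors (type, representation) and role.
# The debit card is modelled by its serial number for illustration only.
USERS = {
    "JDoe": {
        "factors": {
            "password": (KNOWLEDGE, make_secret_record("correct horse battery")),
            "pin": (KNOWLEDGE, make_secret_record("4821")),
            "card": (POSSESSION, make_secret_record("CARD-SERIAL-0001")),
        },
        "role": "cfo",
    },
}

def authenticate(user_id: str, presented: dict) -> tuple:
    """Identification (look up the ID), then authentication of every presented proof.
    Returns (all proofs valid, number of distinct factor TYPES, not things asked)."""
    user = USERS.get(user_id)
    if user is None or not presented:
        return False, 0
    kinds = set()
    for name, value in presented.items():
        stored = user["factors"].get(name)
        if stored is None or not verify_secret(value, stored[1]):
            return False, 0
        kinds.add(stored[0])
    return True, len(kinds)

ROLE_LIMIT = {"accounting": 10_000, "cfo": 1_000_000}  # constructed approval limits

def authorized(user_id: str, amount: int) -> bool:
    """Authorization: what the authenticated identity may do, decided by its role."""
    user = USERS.get(user_id)
    return user is not None and amount <= ROLE_LIMIT.get(user["role"], 0)
```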
Entitlement
A word that is often used in connection with identification, authentication and authorization is entitlement. So what does it mean and how does it relate to the other three?
A dictionary defines entitlement as ‘having the right to have, do or get something’. Entitlement therefore concerns the things you are allowed to do. For now we don’t need any more information on entitlement.
More on identity
Now you have a good overview of what Identity, Authentication and factors are and know a bit about the issues that surround authentication. Security is one of the most important aspects of our lives whether it is digital or our real brick and mortar world.
User ID and password are the de facto standard in our ICT landscapes and, although they are widely used, they are less secure than you think. Forcing a different password for each application, with 12 or more characters consisting of letters, numbers and symbols like #^$&, makes passwords hard to guess or break, but also hard to use, and will lead to dissatisfied users who write these passwords down because they are hard to remember.
Using smartcards or biometrics to secure systems on top of a user ID / password increases the level of security but also increases cost and the amount of work managing it. A security risk assessment helps to identify what level of security is needed for a specific application.
In part 2 of ‘Getting started with WSO2 Identity Server’ we look at the WSO2 Identity Server and the role it plays in securing your (extended) enterprise. We will address the extended enterprise and the support Identity Server offers for it, such as the possibility for consumers to use Facebook to log on to your systems or websites.
We will explain as much as we can about how it works, and while we will mention acronyms like PEP (Policy Enforcement Point) and RBAC (Role Based Access Control), we will also explain what they mean so that people without security knowledge will understand.