Last week I
attended IIW 17,
the 17th meeting of
the Internet Identity
Workshop, which is held twice a year in Mountain View, California.
As usual it was a great opportunity to exchange ideas and meet people,
with its unconference format, its many sessions, its rotating demos,
its wide space for discussions, and its two free dinners with free
For me, however, it was tinged with sadness, because of what has
happened since the first IIW I attended, IIW 12, in May 2011. IIW 12
was the first IIW after the launch
of NSTIC. IIW 17 was the
first IIW after Snowden.
Strategy Document, released in April 2011 with a preface signed by
President Obama, repeatedly emphasized the goal of enhancing privacy
as a key element of the “vision” and “guiding principles” of NSTIC.
The document explicitly stated that the Identity Ecosystem will use
privacy-enhancing technology and policies to inhibit the ability of
service providers to link an individual’s transactions, thus ensuring
that no one service provider can gain a complete picture of an
individual’s life in cyberspace. At the time, Facebook Connect
was threatening to inject Facebook as a middleman in all or most
Internet activities, and I was happy to see that the US Government
seemingly wanted to prevent such a massive invasion of privacy; I even
convened a session at IIW 12 proposing a technique for achieving the
privacy goals of NSTIC in the short term. Little did I know that the
government was busy building a massive surveillance apparatus that
would give the government a complete picture of an individual’s
life in cyberspace, by means including bulk collection of data from
The Internet, given to the world by the US Department of Defense, was
a world-wide forum for free-flowing, spontaneous exchange of ideas.
Now the NSA, part of the same Department of Defense, has taken that
away. People know that they are being tracked and identified when
they post an anonymous comment. People know that their conversations
are being recorded. Therefore people must think twice about they say.
I don’t know if Congress will be able to rein in the NSA. It should
be clear that spying on US citizens is unconstitutional, but some
politicians think that it is the NSA’s job to spy on everybody else in
the planet. They don’t seem to consider or care that, if the US
Government insists on a God-given right to spy on everybody else,
other countries or regions may develop their own national or regional
networks, separated from the US Internet by an air gap.
Fortunately, the technical community has reacted strongly against the
NSA’s attacks on Internet privacy. And thanks to Snowden’s
revelations, many of the attack techniques are known. It may
therefore be possible to protect Internet privacy by technical means.
Coming back to the subject of the workshop, Internet Identity, I would
argue that the first thing to do to protect Internet privacy is to get
rid of the pernicious technology variously known as third-party login,
social login or federated login. To be precise, I am referring to
authentication techniques where the user authenticates to a
third-party identity provider, which then provides identity and/or
attribute information to a relying party, using a protocol such
as OAuth or
OpenID Connect. (These are
the techniques in Group 2 of the taxonomy proposed in the
Postures of Authentication Technologies.)
The only intrinsic advantage of federated login is that it allows the
identity provider to collect vast amounts of information about the
user, since the identity provider learns not only the user’s identity
and/or attributes, but also what relying parties the user logs in to.
The identity provider uses the information to sell ads that target the
user accurately. We now know that the information is also shared with
the government, which makes it available to thousands of analysts and
IT personnel who use it for legal or illegal government or personal
There are no other intrinsic advantages to federated login.
The government and the identity providers argue that federated login
is more secure than direct authentication to the relying party with
username and password, but the opposite is true.
Security is supposedly increased because federated login reduces
password reuse. But password reuse will not be substantially reduced
unless a large majority of world-wide web sites force their users to
use federated login with one of a small number of global identity
providers such as Google or Facebook, something that will hopefully
not come to pass.
Security is also supposedly increased because a large identity
provider supposedly does a better job of protecting the user’s
password. But I don’t know why a large identity provider would
provide better protection against hackers, since large companies are
not known to provide great security. And I do know that a password
entrusted to a large identity provider may become available to
thousands of employees of the government, of government contractors,
and of the identity provider.. And the capture of a password used at
an identity provider, which provides access to multiple web sites, is
more damaging to the user than the capture of a password used at a
single web site.
There is an alternative to authenticating to a web site with username
and password that provides both security and privacy: namely,
authentication with a cryptographic key pair automatically generated
on the user’s machine when the user registers with the site. The site
stores the hash of the public key component of the key pair in its
database, and uses it to locate the user’s account when the user
visits the site again and demonstrates knowledge of the private key
Another claimed advantage of federated login is that the user can
register at a new site with a single click if logged in to the
identity provider, any personal data required by the site being
provided by the identity provider. This is a real advantage, but not
an intrinsic one. The same benefit could be easily obtained by
storing the personal data in the browser, and specifying a protocol by
which the browser would supply selected personal data items to a web
site upon demand by the site and approval by the user. Such a
protocol would be much simpler than any of the federated login
protocols and would provide more security and more privacy.
Yet another claimed advantage of federated login is that the identity
provider could provide the relying party with a user’s identity and/or
attributes verified by an identity proofing procedure; however, such
verified identity and/or attributes could equally well be provided by
a certificate authority using a public key certificate (or by multiple
authorities providing a combination of a certificate binding a public
key to an identity and one or more certificates binding the identity
to various attributes), without the certificate authority having to be
informed of what relying parties the certificate is submitted to.
It is sometimes argued
(cf. the NSTIC 101
session at last week’s IIW) that using public key cryptography for
authentication would be expensive and would require the user to carry
a separate dongle or smartcard for every credential. This is not
true. There is no need for special hardware to store a cryptographic
credential, and if special hardware is desired for some reason, there
is no need to use different pieces of hardware for different
Two sessions at IIW 17 gave me hope that Internet privacy is not a
of them was convened by Tim Bray of Google to report on the
comments he received in response to
post arguing to developers that they should use federated login
rather than login with username and password. The comments, which he
referred to as a “bloodbath,” showed that neither developers nor
end-users like federated login. I hope that such pushback will
eventually force companies like Google to give up on federated login.
other one was convened by Kazue Sako of NEC to discuss anonymous
credentials and their possible uses. The room was overflowing and the
level of engagement of the audience was high, showing that technical
people are interested in privacy-enhancing authentication technologies
even if large companies are not.