Authentication and Authorization Part 2: A New, Verifiable Era

00. The Authentication Challenge

Evolving challenges in the scale of identity usage demand new innovations in authentication and authorization. As we explored in the last post tracing identity security through history, today's weak "Roman Watchword" passwords, unchecked data sharing, and sprawling digital identities have irrevocably forced modern security practices to improve. If we accept that the status quo isn't good, or even good enough, it's time to make a change.

Big changes are already underway: Companies advertising passwordless solutions are filling the margins of webpages and interrupting the YouTube-watching of untold millions.

We know passwords need to disappear, but there is a right way and a wrong way to make it happen. Some of these companies, all too eager to leverage the hype, are merely sweeping passwords under the rug by hiding them from users, then continuing to use them behind the scenes. Certainly, this is an improvement to user experience, and we can all agree (I hope) that user experience is important. However, this doesn't change the threat model. An attacker isn't forced to modify their playbook just because the password is obfuscated.

A better solution is represented by authenticators using WebAuthn. These solutions leverage something called passkeys. Passkeys are asymmetric cryptographic keypairs that are securely stored in a hardware-based security module within a user's device.

Passkeys improve user authentication in three important ways:

1. The user doesn't need to type a password. Logins are fast and simple
2. Asymmetric cryptography forces an attacker used to phishing for passwords to completely change their attack playbook.
3. When used in conjunction with a supporting SSO platform, they are extremely easy to deploy, and downstream applications don't need to know anything about them.

Organizations that are still using the username-password-MFA paradigm should strongly consider adopting passkeys at their earliest opportunity.

However, while they're great, and a very important step in the evolution of authentication, they do not represent the end game of identity and authentication. There are a number of unsolved issues with passkeys that will require new approaches to solve them.

01. Decoding a Passkey Paradox

The first issue is that the passkey itself does not contain any identity information. It is essentially a bearer token; an item that can be used by anyone who holds it. It alone can be used as your login credential, but it contains no information about the user. The expectation is that the system being accessed can recognize its keypair and associate it with a human user.

But how do we know that that association is accurate? It is easy to imagine how a shared family computer could allow the wrong person to log into a system containing sensitive data. One could also easily imagine attackers targeting the database storing the association between the keypair and user, thereby authorizing an attacker's keypair. This is much like the difference between paying biometrically via Apple Pay or Google Pay and paying with cash. With cash, anyone in possession of it can use it. The money may nominally belong to a specific person, but we cannot verify that just by looking at the bills. Hence, we focus our security efforts on the places where cash is stored, ensuring that only the correct person can access it.

Hence, we focus our security efforts on the places where cash is stored, ensuring that only the correct person can access it.

This leads us into our second issue: Because passkeys cannot identify and protect themselves, their security is derived purely from the belief that the hardware security module that holds them is impenetrable without a proper biometric or local pin. This means that it is the user's device that we believe to be trustworthy to authorize the appropriate user to use a passkey.

At the moment, this is generally a correct belief. But, this risk is amplified by the fact that vendors like Apple forcibly sync these passkeys across devices sharing the same iCloud logins. This exposes them to potential novel attacks against the data in transit or at rest within iCloud. Just as with solutions that merely obfuscate passwords, this syncing approach greatly simplifies user experience, but hugely multiplies the potential attack surface for these synced passkeys.

Thankfully, attacks against these devices' HSMs are currently rare. The question is: is this because they are actually un-hackable, or is it because the relative rarity of passkeys means that older attack patterns are easier and more cost-effective? This is reminiscent of the old belief that Macs were un-hackable. As they gained popularity and market share, however, we discovered that they were, in fact, hackable. They simply hadn't been worth the effort in a world where 95% of users were using a Windows machine. Once that changed, attackers suddenly found it worth their while to turn their attention to Apple platforms.

As passkeys gain adoption, will we see an increase in such attacks? It's difficult to predict with certainty, but it's only logical that we should work to mitigate any such attacks before they cause damage.

We can do this by taking the fantastic ideas behind passkeys and extending them further:

1. The first key addition is that your passkey must be tied to you in a way that can be externally validated. An example might be the inclusion of biometrics, or a cryptographic link to another identity document. This would allow us to confirm that the person trying to use the credential, on any device, is indeed the owner.
   
   The emerging standards working to implement these ideas are collectively known as verifiable credentials. The goal is not only to allow identity data and claims to be encoded within the credential, but also to allow for these items to be selectively disclosed in such a way that a recipient can validate the claims cryptographically, without necessarily receiving PII or needing to make a call back to a competent authority that could be leveraged as a novel tracking mechanism.
   
   The potential benefits are surprisingly broad: The ability to add identity claims directly into the credential means that not only are passwords eliminated from the authentication process but usernames as well. They can simply be passed along automatically with no need for user involvement. Passkeys enabled us to remove one of the two fields on the typical login screen, but why not remove both? Verifiable credentials make this possible.

2. With the password and username replaced by the verifiable credential, this also means that our identity stores/directories no longer need to store these attributes either. This enables them to cease being the ripe targets of attackers looking to escalate their access.
   
   The directory can morph from something that represents a single point of failure in the identity ecosystem into a decentralized arbiter of role-based access provisioning. Users can then hold their cryptographically-attested attributes on their own devices, while their authorizations can rest in the directory. This segregated, decentralized approach makes attacks far more difficult, and it is also a tremendous boost to the resilience of the identity infrastructure.

Much as the verifier of a certificate need not contact the certificate authority directly, the verifier of a verifiable credential need not have a direct connection to its issuer. If the issuer happens to be down for maintenance, this does not cause any interruption in authentication flows. It would interfere with provisioning actions, but these are typically lower in volume, and this is already an issue in current solutions, so it's a net improvement.

It also means that anyone who comes into contact with a verifiable credential can validate it. An IT admin fulfilling an HR ticket can validate that a laptop they're sending to a new employee can only be unlocked by someone possessing the same ID originally presented to HR. This will be especially valuable for large enterprises with mobile or remote workforces who will see better performance and fewer issues.

It's also critical to privacy. While it is certainly acceptable and necessary to track employee behavior on corporate assets, and to run analytics on that behavior to make security decisions, doing such tracking should not be an inextricable part of the technology if we want IDs based on it to be portable (and popular) between organizations and even countries.

When this technology is combined with other fast-growing technologies such as ITDR, ID Proofing, and context-based MFA, we quickly arrive at a future where users onboard painlessly, login biometrically once per day (at most), and access any resource without ever having to remember a username and password again. Contextual information will establish the trustworthiness of their actions and their devices. As such, MFA, as users have come to know it, can also be deprecated. There is nothing a push notification can tell us that a biometric auth, Wi-Fi Fingerprint, posture check, and behavioral analytics can't. The user of the future will be oblivious to these transparent checks, and the user of today can comfortably believe that the arduous torture of MFA has been relegated to the dustbin of history. They'll be wrong, technically, but who cares?

The best part is that none of this requires a complete revolution in how IT organizations function. VCs are merely a logical extension of passkeys, and in most cases, their use simplifies existing, painful processes rather than creating new headaches.

We arrive at a single, secure login accomplished in a single user step. I won't call it Nirvana, but you can if you'd like.

02. Progress Towards a Decentralized Identity Ecosystem

So when can we expect to start seeing this technology in the wild? Well, it depends where you live.

There are myriad organizations, public and private, working to bring this new vision of the future to fruition. Europe has a head start on North America due to the second version of its eIDAS legislation¹, which mandates the creation of interoperable decentralized digital identity systems for use within European Union member states. Its passage was also accompanied by the publication of a standards-based Architectural Reference Framework (ARF)² that aims to guide the development of an interoperable ecosystem. Therein, standards from OIDF (Open Identity Foundation)³, W3C (The World Wide Web Consortium)⁴, and others are used to create an example of what an interoperable system could look like. Governments and private sector organizations are now hard at work developing and releasing solutions for use by employees and private individuals alike. Germany, Switzerland, The Netherlands, Belgium, and a number of banks and telecoms organizations have already deployed initial identity and credentialling solutions for their users.

In North America, the Canadian province of British Columbia, in partnership with the Trust Over IP Foundation⁵ and IBM, has led the charge in government adoption of the new standards, starting in the medical and legal professions, by issuing digital, professional credentials.

In the United States, well known organizations like Microsoft, Ping, Apple, and Okta have been influencing the move towards digital identities alongside smaller startups. However, the main focus of most of these organizations are corporate credentialling use cases rather than state/national digital identities.

In contrast, Apple has been hard at work convincing the license-issuing authorities of various US states to begin issuing digital driver's licenses. At the moment, they've stopped short of embracing the verifiable credential standards and, therefore, from addressing the corporate credentialing use cases discussed above. However, even these alternative digital driver's licenses could be used as a trust anchor during employee onboarding that is far superior to placing trust in a plastic card.

As we can see, there are a number of different approaches being tried, by new and well-known organizations alike.

So, as you evaluate the future of what identity security and governance looks like for you and your organization, consider asking your directory services provider how they plan on embracing decentralization efforts and verifiable credentials. Ask your HR service providers the same question. And, if you have the patience for it, maybe ask your local driver's license authority too!

03. References and Additional Reading

This is part 2 of a series on Authentication and Authorization. Read the first post here: Authentication and Authorization Through the Ages | Duo Labs