Our Flawed World of Identity and Rights?

Which protocol moved from Version 1.0 to Version 2, and became more complex, less interoperable, less useful, more incomplete, and less secure? That would be OAuth.

Federated ID and OAuth2

Facebook, like many other major cloud service providers, including Google, uses the OAuth2 authentication protocol to provide an ID token to a user. The token itself does not contain the password, only the fact that the user has identified themselves and has rights on the system for a given amount of time. This token can also be trusted by other sites, with a federated identity. Thus if you use Facebook to log into Spotify, Facebook proves your identity and then passes an OAuth2 token back to you, to give to Spotify. The scope of a breach could thus extend to other external services which use Facebook as an identity provider.

The problems

While OAuth 2 solves many problems in logging into systems and in traversing across trusted systems, many security experts criticize its usage, as the tokens can be captured, and long periods of access can be granted on a single provision of a user identity. The basic process involves the user accessing a web service and then being redirected to the identity provider, which requests the user's identity details. On successful entry of these details, the identity provider sends an access token back to the service provider.


Token Binding 1.0

We increasingly live in a digital world where we identify ourselves once and then receive an authorization token. This token can then be passed to trusted services, where the user does not have to be re-authenticated.

  • RFC 8473. Application of the protocol to HTTP.
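The following Go program is an added example, not code from the original post or from the Token Binding specifications: it models the difference between a plain bearer token, which any holder can replay, and a token bound to the client's key, which is only accepted when the presenter proves possession of that key over the current connection. The token layout, the keyID helper and the EKM byte strings are simplifications constructed for the demo; in real Token Binding the EKM is exported from the TLS session.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Token: Binding is the SHA-256 of the client's Token Binding key; all-zero means a plain bearer token.
type Token struct {
	Subject string
	Binding [32]byte
}

// keyID models the Token Binding ID: SHA-256 over the DER-encoded public key (constructed simplification).
func keyID(pub *ecdsa.PublicKey) [32]byte {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return sha256.Sum256(der)
}

// prove signs this connection's EKM value with the client's binding key.
func prove(priv *ecdsa.PrivateKey, ekm []byte) []byte {
	h := sha256.Sum256(ekm)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return sig
}

// verify is the resource server: a bearer token passes for any presenter; a bound token
// passes only if the presented key matches the binding and signs this connection's EKM.
func verify(tok Token, pub *ecdsa.PublicKey, sig, ekm []byte) bool {
	if tok.Binding == [32]byte{} {
		return true
	}
	if pub == nil || keyID(pub) != tok.Binding {
		return false
	}
	h := sha256.Sum256(ekm)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	client, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ekmA, ekmB := []byte("constructed EKM: client's connection"), []byte("constructed EKM: attacker's connection")
	bound := Token{Subject: "alice", Binding: keyID(&client.PublicKey)}
	sig := prove(client, ekmA) // token and signature as captured on connection A
	fmt.Println("own connection:", verify(bound, &client.PublicKey, sig, ekmA), "| replayed on B:", verify(bound, &client.PublicKey, sig, ekmB), "| bearer replayed on B:", verify(Token{Subject: "alice"}, nil, nil, ekmB))
}
```

The replayed bound presentation fails because the signature covers connection A's EKM, while the bearer token is accepted on connection B with no proof at all.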

Conclusions

I repeat again … only with smart contracts, true identity signing and the use of cryptographic keys can we provide an improved identity world. We need a world which is more focused on users, and less on what developers and administrators find easy to set up. OAuth 2 should only be seen as a short-term solution for a trust infrastructure; the long-term solution is to put identity and rights back into the hands of those that matter … the citizen. We are still stuck in the 20th Century, and have to look at creating systems which are truly integrated, and which respect the rights of the citizen to privacy and consent.

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. EU Citizen. Auld Reekie native. Old World Breaker. New World Creator.
