Bring-Your-Own-Identity (henceforth “BYOI”) is one of the emerging trends among organizations that are streamlining their IT governance to become more flexible and mobile. BYOI addresses the problem of registering and remembering separate credentials for every application, and proposes adopting open industry standards to integrate applications with social networking sites (e.g. Facebook, Google, Yahoo) that act as identity providers.
Background and Business Driver
The Bring-Your-Own-Device (BYOD) policy is well known: it allows employees to bring personal devices such as smartphones, tablets and even laptops into the workplace to access company information and applications. BYOD succeeded because it delivered many advantages, such as increased productivity, higher morale, the convenience of using one's own device with the required security controls in place, and greater job satisfaction.
The BYOI trend follows the same line as BYOD and is better known as “IT consumerization”. Consumerization of IT rests on the idea of encouraging a culture of “personally owned IT” at the workplace, and on product and service design that treats the end user as a consumer rather than following an organization-oriented B2B design. As organizations now prefer to consume third-party services to reduce operating costs instead of building homegrown applications, users end up with too many accounts, too many passwords and too many registrations to complete. This has been forcing end users into insecure ways of remembering per-application credentials: sticky notes, entries in personal notepads, very weak and easy-to-remember passwords (such as “password” or “1234”), and a growing number of password-reset help desk calls, to name a few. This scenario is well described as “identity fatigue”, and the BYOI initiative is mainly intended to eliminate it.
Bring your own identity
The most important purpose of the BYOI initiative is to simplify the user experience by reducing the number of self-registrations, accounts and login attempts, as explained above. The initiative relies on open industry standards to integrate business applications with social networking sites, which act as identity providers. In this way, applications can authenticate users with their already existing credentials without requiring them to register again. As a result, BYOI reduces the need to remember many ID/password combinations and the administrative cost of forgot/reset-password help desk calls. Many B2C applications have already started leveraging popular social sites for authentication and identity establishment.
BYOI comes with a number of benefits, as listed below:
- Simplifies the online registration process: no more manual entry of user information, as it is maintained by the social site and shared upon user authorization
- No need to remember an individual user ID/password for each application
- Reduces administrative cost by retiring site-specific reset/forgot-password functionality
- Accelerates user adoption of B2C services
As stated above, BYOI relies upon open security standards to allow business applications to leverage social networks' authentication capabilities. The open standards define the following:
- A process flow which the authenticating system needs to adhere to
- A security wrapper over the defined process to ensure secure sharing of sensitive user information
- Cross-vendor interoperability
- A reliable way of integration of business applications with third-party service providers
Below are the market-leading open standards the industry currently adheres to. The most popular social networking sites acting as identity providers, such as Yahoo, Facebook and Google, leverage these standards.
OpenID – OpenID is an open standard promoted by the non-profit OpenID Foundation. The basic principle on which OpenID works is called “decentralized authentication”, and its primary purpose is to establish “who you are”. It relieves third-party applications that integrate with an OpenID-supporting identity provider from writing their own site-specific authentication logic. In this way, a user can log in to multiple OpenID-enabled websites using a single existing social site user ID/password combination. Under the hood, the OpenID provider grants each user a URL-like unique identifier (e.g. a Yahoo OpenID identifier looks like https://me.yahoo.com/a/uaStkHdgs_7BxVAc1FofG0xxxxxxxxxxxxxx.xxxxxck-), and that identifier is matched once the user authenticates to the OpenID provider with the provider-specific credential. The point to note here is that a user needs to enter a user ID and password on the provider's sign-in page (say the Yahoo! Sign In page) ONLY, never on any other application's login page. Therefore, no relying website will ever see your password. Some market-leading OpenID providers are Google, Yahoo! and Microsoft.
OAuth – OAuth is another open standard, promoted by an open consortium of the same name. The basic principle of this standard is “delegated authorization”: OAuth deals with the resource owner granting appropriate authorization to third-party applications that want access to the owner's information. Currently, OAuth version 2.0 is widely used for all kinds of applications, such as web applications, mobile apps and desktop applications. Under the hood, OAuth issues a bearer token upon successful authentication and authorization by the user. Here too, the user authenticates to the OAuth provider by entering the provider-specific user ID and password on the provider's sign-in page before authorizing the third-party application's access to the user's personal information. Google and Facebook are two market-leading OAuth providers through which a lot of applications are moving into the BYOI arena.
OpenID Connect - OpenID Connect is another open standard, built as an authentication layer on top of OAuth 2.0. The standard is maintained by the OpenID Foundation. It is now widely accepted by the industry and has become the de-facto standard for BYOI implementations. This standard is the result of an effort to merge OpenID and OAuth into a single protocol that clients can use both to identify who is accessing and to manage authorization on what is being accessed.
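As an added example (not code from the article or from any provider), the following Python sketches the OpenID Connect exchange the three standards above build up to: the relying party constructs an authorization request carrying state and nonce, a simulated provider issues an ID token, and the relying party validates the token's signature, issuer, audience, expiry and nonce before trusting the identity. The issuer, client ID and HMAC secret are constructed placeholders; real providers publish asymmetric keys (typically RS256) in their metadata.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import urlencode

# Constructed values for this offline example; a real relying party takes these from
# the provider's published metadata and its own client registration.
ISSUER = "https://idp.example"               # hypothetical identity provider
CLIENT_ID = "rp-app-123"                     # hypothetical client registration
SHARED_SECRET = b"constructed-client-secret"  # HS256 key shared by provider and client

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_authorization_request(redirect_uri: str):
    """Relying party: state ties the callback to this browser session (anti-CSRF),
    nonce ties the returned ID token to this login attempt (anti-replay)."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": redirect_uri,
              "scope": "openid email", "state": state, "nonce": nonce}
    return f"{ISSUER}/authorize?" + urlencode(params), state, nonce

def issue_id_token(subject: str, nonce: str, now: int, lifetime: int = 300) -> str:
    """Simulated provider: HS256-signed ID token carrying the standard claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
              "iat": now, "exp": now + lifetime, "nonce": nonce}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_id_token(token: str, expected_nonce: str, now: int):
    """Relying party: returns (claims, "ok") or (None, reason); each check closes one misuse."""
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        return None, "unexpected alg"          # never let the token pick the algorithm
    expected = hmac.new(SHARED_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None, "bad signature"           # forged or tampered token
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != ISSUER:
        return None, "wrong issuer"            # token from some other provider
    if claims.get("aud") != CLIENT_ID:
        return None, "wrong audience"          # token minted for a different application
    if claims.get("exp", 0) <= now:
        return None, "expired"
    if claims.get("nonce") != expected_nonce:
        return None, "nonce mismatch"          # replayed or injected from another session
    return claims, "ok"
```

The state value returned by build_authorization_request must be stored in the user's session and compared against the callback before the code is exchanged; that comparison is the browser-side counterpart of the nonce check inside verify_id_token.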
BYOI is a valuable business initiative that IT organizations are adopting rapidly because of its user-friendliness, provided the correct security controls are in place around it. Having said that, BYOI is not risk-free. A few of the risks are:
- Single point of failure – Since the business will depend on a single social networking site for authentication and authorization, that site becomes a potential single point of failure, so it is very important that the provider site stays up and running. At the same time, if the provider credential is compromised in any way, the business applications relying on it will face considerable effort to re-establish the identity of the user.
- Awareness – User awareness will play a big role. Since both authentication and authorization take place at the third-party identity provider, users should under no circumstances enter sensitive credentials on any sign-in page other than the one presented by the provider itself. Yahoo! took an initiative called “Sign In Seal”, where each user chooses a personal image that Yahoo! then displays on its sign-in page, allowing the end user to tell whether the page is really owned by Yahoo! or by an intruder mimicking the same look and feel.
Nevertheless, BYOI is here to stay. Because it simplifies the overall user experience and reduces the development cost of implementing a site-specific authentication/authorization wrapper, organizations should support the use of social identities to establish identity. There may be security concerns in allowing BYOI, but these can be addressed with additional security measures where the risk is higher in terms of information sensitivity: adaptive authentication, a ceiling on total transactions per day, session timeouts and so on.
Authored By - Kalyan Kumar Saha
TCS Cyber Security Practice