I used to do security in a former life, and here are some musings on the topic, which will eventually be dissected into various essays.
For now it’ll be confusing, as I’m brain-dumping for audiences with varying levels of knowledge (end users, architects, CEOs, designers).
- Good Security
- Single Sign On: One account to rule them all.
- Great design: Microsoft Authenticator
- Great design: Whatsapp add accounts
- Git tools, personal access tokens
- Google’s OTP reset codes
- Password managers
- Multi Factor Authentication
- Full Device Encryption (Bitlocker, TPM, Truecrypt)
- Public Key sign in via SSH
- Live sign in for windows
- Single Payment System: Paypal, Amazon, Google Express
- Bad Security
- Security Assessments
We’ve made lots of strides in the security world; here are some of the ideas that have really stood out.
Single Sign On: One account to rule them all.
Perhaps better articulated as a small number of accounts to run them all.
Single sign-on lets users log in to many web sites with a single account, which means you don’t need to create a new account for every product you use.
Google, Facebook, Twitter, and Microsoft have excellent single sign on solutions.
SSO is orthogonal to identity: multiple SSO providers can assert the same identity. For example, Facebook can be configured to assert a Google e-mail address as the user’s identity, just as Google does. Users can register multiple SSO providers for the same identity, which is ideal for a service that wants to avoid depending on a single SSO provider.
Why doesn’t everyone use SSO? I suspect a few things, many of which I disagree with.
- Dependent on an SSO provider: transient downtime, going out of business.
If the SSO provider is down, users can’t log in, and there is nothing the service can do to fix that experience.
Far worse, if an SSO provider goes out of business and it is the only identity the service holds for its users, the service team will need an emergency scramble to re-create user accounts. This is a nightmare scenario, because it can be very difficult to contact all users.
- Cheaper to run your own AuthN system than to integrate SSO
I believe this is an outdated myth. It was true before OAuth was standardized and before the excellent libraries that support it existed; today, integrating OAuth is significantly cheaper than building your own.
Moreover, when you look at the total cost of ownership of a password system (secure password storage, password resets, and the leaks that follow), I believe rolling your own AuthN system very quickly becomes the more expensive option.
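The two points above, that one identity can be reached through several SSO providers and that a provider’s disappearance should not strand users, come down to the account-linking table a service keeps on its side. The following is an added example, not code from any of the providers named above; it assumes the ID-token claims have already been validated (signature, audience, expiry) by an OIDC library and only handles mapping those claims to a local user. The issuer URLs and claim values are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    email: str                                  # the identity the service actually cares about
    links: set = field(default_factory=set)     # {(issuer, subject)} pairs allowed to assert this user


class AccountDirectory:
    """Relying-party side of SSO: maps (issuer, subject) from any trusted provider to one local user."""

    def __init__(self, trusted_issuers):
        self.trusted_issuers = set(trusted_issuers)
        self._by_email = {}   # lowercased e-mail -> User
        self._by_link = {}    # (issuer, subject) -> User

    def login(self, claims):
        """Resolve already-verified ID-token claims to a local user.

        `claims` is assumed to come from an OIDC library that has checked the token's
        signature, audience and expiry; only identity resolution happens here.
        """
        iss, sub = claims["iss"], claims["sub"]
        if iss not in self.trusted_issuers:
            raise PermissionError(f"untrusted issuer {iss}")
        key = (iss, sub)
        if key in self._by_link:
            return self._by_link[key]
        # First time this provider asserts this subject. Link it to an existing local
        # account only if the provider vouches for the e-mail (email_verified); otherwise
        # anyone who can register that address at a lax provider could claim the account.
        email = claims.get("email")
        if not email or not claims.get("email_verified", False):
            raise PermissionError("provider did not assert a verified e-mail; refusing to link")
        email = email.lower()
        user = self._by_email.get(email)
        if user is None:
            user = User(email=email)
            self._by_email[email] = user
        user.links.add(key)
        self._by_link[key] = user
        return user

    def retire_issuer(self, issuer):
        """A provider shut down: drop its links and report users left with no way to log in."""
        self._by_link = {k: u for k, u in self._by_link.items() if k[0] != issuer}
        stranded = []
        for user in self._by_email.values():
            user.links = {k for k in user.links if k[0] != issuer}
            if not user.links:
                stranded.append(user.email)
        return stranded


def demo():
    """Constructed claim sets standing in for two providers asserting the same person."""
    google, facebook = "https://accounts.google.com", "https://www.facebook.com"
    d = AccountDirectory([google, facebook])
    via_google = d.login({"iss": google, "sub": "g-1", "email": "alice@example.com", "email_verified": True})
    via_facebook = d.login({"iss": facebook, "sub": "fb-9", "email": "Alice@Example.com", "email_verified": True})
    try:
        d.login({"iss": facebook, "sub": "fb-2", "email": "alice@example.com", "email_verified": False})
        unverified_rejected = False
    except PermissionError:
        unverified_rejected = True
    return {
        "same_user": via_google is via_facebook,
        "links": len(via_google.links),
        "unverified_rejected": unverified_rejected,
        "stranded_after_facebook": d.retire_issuer(facebook),
        "stranded_after_google": d.retire_issuer(google),
    }
```

The part worth copying is the `email_verified` check: linking a new provider to an existing account on the strength of an e-mail address the provider has not verified turns account linking into an account takeover path. `retire_issuer` is the “provider went out of business” drill; a user with a second linked provider keeps working, and the returned list is exactly the set of people you would have to contact out of band.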
Great design: Microsoft Authenticator
The best authenticator application I’ve seen is Microsoft’s for iOS. In this solution, when a user logs into a service with Microsoft SSO on any device, a two-digit number is shown on the device accessing the service, and a notification pops up on the user’s mobile device to open Microsoft Authenticator.
On the mobile device, Microsoft Authenticator presents a choice of two-digit numbers. When the user taps the number that matches, the user is logged into the service.
This flow is even better on the iPhone, where the two-digit numbers are also presented on the watch and the user can pick the matching number directly from the watch.
Notice, the user completes the sign on flow cross device without needing to return to the source application.
Why don’t more authenticators use this model?
I’m not sure, I suspect a few things:
- Architects don’t think of pushing the boundaries of their auth systems.
- It ties authentication to the authenticator app. That sounds odd as an objection, but the model where the user types a six-digit code lets the SSO provider deliver that code over multiple transport channels (SMS, e-mail, etc.), whereas a push-based match only works with the app installed.
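The server side of the push flow described above is small enough to show in full. What follows is an added example of the number-matching idea, not Microsoft’s implementation: the login page shows the user one number, the phone is pushed that number plus a couple of decoys, and the server accepts the login only if the phone reports the number that was on the screen. The number of decoys and the timeout are assumptions.

```python
import random
import time


class NumberMatchPush:
    """Server side of a push approval with number matching.

    Added illustration of the flow described in the text, not Microsoft Authenticator's code.
    """

    def __init__(self, decoys=2, ttl_seconds=60):
        self.decoys = decoys                  # assumption: two wrong numbers shown beside the right one
        self.ttl = ttl_seconds                # assumption: the prompt expires after a minute
        self._rng = random.SystemRandom()     # OS entropy, not the seeded Mersenne Twister
        self._pending = {}                    # login_id -> (expected number, expiry)

    def start(self, login_id):
        """Called when a login attempt reaches the MFA step.

        Returns (display, choices): `display` is what the device doing the login shows
        (render it zero-padded, e.g. "07"); `choices` is the real number plus decoys,
        shuffled, which is what gets pushed to the phone.
        """
        expected = self._rng.randrange(100)
        choices = {expected}
        while len(choices) < self.decoys + 1:
            choices.add(self._rng.randrange(100))
        choices = list(choices)
        self._rng.shuffle(choices)
        self._pending[login_id] = (expected, time.monotonic() + self.ttl)
        return expected, choices

    def answer(self, login_id, chosen):
        """Phone reports the number the user tapped.

        Any answer, right or wrong, consumes the challenge, so a wrong tap cannot be
        retried against the same login attempt and an expired prompt is never honoured.
        """
        entry = self._pending.pop(login_id, None)
        if entry is None:
            return False
        expected, expiry = entry
        if time.monotonic() > expiry:
            return False
        return chosen == expected
```

The property this buys over a plain “Approve?” push is that the approval is bound to the specific login attempt the user is looking at: a prompt triggered by someone else shows a number the user cannot match, and a wrong tap burns the attempt. With decoys on the phone, a user who taps without looking still has a one-in-(decoys+1) chance of approving a login they did not start, which is why the variant where the user types the number from the screen into the phone is stricter.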
Great design: Whatsapp add accounts
WhatsApp lets you add a Windows desktop session by displaying a QR code that you scan with your phone. This is awesome because you never need to know or enter a password.
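The reason this works without a password is that the phone, which is already logged in, is the thing authorizing the new device; the desktop only ever handles a short-lived, unguessable nonce. The following is an added, simplified model of that three-party exchange (desktop, server, phone), not WhatsApp’s actual protocol; the nonce length, timeout and session shape are assumptions, and the phone session is a constructed stand-in for a session the server has already authenticated.

```python
import secrets
import time


class QrLinkServer:
    """Server side of a QR-code device-linking flow (simplified model, not WhatsApp's protocol)."""

    TTL = 60  # assumption: a displayed QR code is valid for one minute

    def __init__(self):
        self._pending = {}   # nonce -> (issued_at, account that approved it or None)

    def new_qr(self):
        """Step 1, desktop -> server: ask for a QR code.

        The server hands out an unguessable, short-lived nonce; the desktop renders it as a QR.
        """
        nonce = secrets.token_urlsafe(32)
        self._pending[nonce] = (time.monotonic(), None)
        return nonce

    def scan(self, nonce, phone_session):
        """Step 2, phone -> server: the logged-in phone posts the scanned nonce.

        `phone_session` stands in for a session the server has already authenticated; the
        nonce proves the phone saw the desktop's screen, the session proves who is approving.
        """
        entry = self._pending.get(nonce)
        if entry is None or time.monotonic() - entry[0] > self.TTL:
            self._pending.pop(nonce, None)
            return False
        if entry[1] is not None:
            return False   # already claimed: a second scanner cannot take it over
        self._pending[nonce] = (entry[0], phone_session["account"])
        return True

    def poll(self, nonce):
        """Step 3, desktop -> server: poll until a phone has approved.

        Returns a desktop session once approved and burns the nonce so it is single use.
        """
        entry = self._pending.get(nonce)
        if entry is None or entry[1] is None:
            return None
        del self._pending[nonce]
        return {"account": entry[1], "device": "desktop", "token": secrets.token_urlsafe(32)}


def demo():
    """Constructed walk-through: one desktop, one already-authenticated phone."""
    server = QrLinkServer()
    phone = {"account": "alice", "token": "phone-session"}   # constructed, already logged in
    nonce = server.new_qr()                                  # desktop shows the QR
    before = server.poll(nonce)                              # nothing yet
    approved = server.scan(nonce, phone)                     # phone scans and approves
    session = server.poll(nonce)                             # desktop gets its session
    again = server.poll(nonce)                               # nonce is gone
    return before, approved, session["account"], again
```

The caveat to carry with this design: whoever generated the nonce is the device that gets linked. If an attacker can get a victim to scan a QR that came from the attacker’s desktop, the attacker’s desktop is linked to the victim’s account, so the phone should tell the user plainly what it is about to link and the QR should only ever be displayed inside the desktop client itself.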
Git tools, personal access tokens
Google’s OTP reset codes
I use 1Password and it’s fantastic. I have strong passwords for all my sites, and also use it for one-time codes. It syncs to all my devices, and even has a watch app.
Multi Factor Authentication
Full Device Encryption (Bitlocker, TPM, Truecrypt)
Public Key sign in via SSH
Live sign in for windows
Single Payment System: Paypal, Amazon, Google Express
E-mail password resets
You can have the strongest password in the world, but an attacker who controls your e-mail can hit password reset and change your password. Sheesh.
SMS password reset tools’ weakness
You may think SMS one-time codes are strong security, a second factor even. However, SMS is easily attackable with a Stingray (an IMSI catcher), and, more commonly, by SIM swapping at the carrier.
Can’t unlock the door w/Amazon Alexa
The security of your system is a function of the capabilities of the attacker. For example, if your attacker profile is a techno-peasant, you’re likely safe with a computer password. If your attacker has you and your device and can compel you to take action, there isn’t much you can do. Likewise, if the attacker has kernel-mode access to the machine you’re running on, you’re screwed.
I grew up doing security at Microsoft, and at the heart of their assessment model was the acronym STRIDE, see more here.
- Spoofing - Pretending to be a user. Defeats authentication.
- Tampering - Changing data (at rest or in transit). Defeats integrity protection.
- Repudiation - Denying that something happened when it did. Defeats non-repudiation.
- Information disclosure - Leaking data. Defeats confidentiality.
- Denial of service - Losing access to the system. Defeats availability.
- Elevation of privilege - Gaining access to things you shouldn’t be able to. Defeats authorization.
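STRIDE is used by walking a data-flow diagram and asking which of the six categories apply to each element. As an added example (not from the original post or from Microsoft’s tooling), here is that STRIDE-per-element pass over a tiny three-element diagram, using the standard chart of which categories apply to each element type (external entities: S, R; processes: all six; data stores: T, R, I, D; data flows: T, I, D) and flagging flows that cross a trust boundary, which is where reviewers spend most of their time. The sample diagram (browser, web app, user database) is constructed.

```python
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element chart: which categories apply to each kind of DFD element.
APPLICABLE = {
    "external": "SR",      # external entity / user
    "process": "STRIDE",   # code you run
    "store": "TRID",       # database, file, queue
    "flow": "TID",         # data in transit between two elements
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str        # "external", "process" or "store"
    boundary: str    # trust boundary the element lives in


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element


def enumerate_threats(elements, flows):
    """Return (target, threat category, crosses_boundary) for every applicable STRIDE entry.

    Elements get the categories for their kind; flows get T/I/D, and a flow whose ends sit
    in different trust boundaries is flagged so it can be reviewed first.
    """
    threats = []
    for e in elements:
        for letter in APPLICABLE[e.kind]:
            threats.append((e.name, STRIDE[letter], False))
    for f in flows:
        crosses = f.src.boundary != f.dst.boundary
        for letter in APPLICABLE["flow"]:
            threats.append((f.name, STRIDE[letter], crosses))
    return threats


def sample_model():
    """Constructed DFD: a browser on the internet talking to a web app that talks to a database."""
    browser = Element("browser", "external", "internet")
    app = Element("web app", "process", "dmz")
    db = Element("user db", "store", "backend")
    flows = [
        Flow("browser->web app (HTTPS)", browser, app),
        Flow("web app->user db (SQL)", app, db),
    ]
    return enumerate_threats([browser, app, db], flows)


if __name__ == "__main__":
    for target, category, crosses in sample_model():
        print(f"{'!' if crosses else ' '} {target:28} {category}")
```

Each row is a question to answer in the review (“how does the web app know the browser is who it claims?”, “can the SQL flow be tampered with between the DMZ and the backend?”), and the flagged rows are the ones that cross a trust boundary. The chart is deliberately coarse; its job is to make sure no element is skipped, not to rank the threats.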
Data flow diagrams
Automated Code reviews
Manual Code reviews
Compliance vs Security
The dirty little secret of security reviews
Going through a security review process is the way to validate security. However, as soon as the review is complete, the system starts to drift, security holes start to appear, and there are no safeguards to ensure the security of the system isn’t compromised.