Given the reality that passwords are at best a deeply flawed form of security, many organizations have embraced OpenID Connect, an authentication protocol built on OAuth, as a way to verify user identity without having to rely on a password. Rather than issuing passwords to end users, they rely on OAuth to connect to a third-party service such as Twitter or Facebook to verify an end user's identity. Now the Internet Engineering Task Force (IETF) is considering a draft proposal that would unify the way tokens are exchanged using OAuth.
Brian Campbell, distinguished engineer for Ping Identity, a provider of single sign-on and identity management software, says one of the things that is holding back expanded usage of lighter-weight OpenID Connect and OAuth services is that every vendor that implements them can define in its own way how tokens should be passed back and forth. The end result is a lot of unnecessary complexity that stems from the fact that the IETF has not defined a specific mechanism for the sharing of those tokens.
Once that issue gets addressed, Campbell says usage of OpenID Connect as an alternative to issuing every user a separate password for every site they visit should accelerate. The goal is to make it simpler for users to invoke additional Web applications and services without having to keep track of a seemingly endless stream of passwords. Arguably, one of the biggest problems with passwords today is that most end users opt to reuse slight variations of the same password across multiple sites. It doesn't take much effort for cyber criminals to work out what that password is, which in turn winds up giving them access to almost every Web application or service that password is being used to access.
In general, OpenID Connect is more secure because end-user credentials are never shared between sites. Each site that makes use of OAuth to authenticate an end user only receives a token via the Connect application programming interface (API); the password itself stays with the identity provider. The other major advantage is that it eliminates the need for most IT organizations to manage and secure all those end-user passwords. Naturally, an organization such as Twitter or Facebook winds up being the master repository of identity on the Web. But that is far preferable to every organization building its own password repository, which increases the attack surface through which end-user credentials can be compromised.
In fact, given all the management overhead associated with protecting those passwords, many IT organizations that don't really need to own a central password repository would be well advised to resolve in the New Year to get out of the password management business altogether.