Why Facebook's Breach Shouldn't Turn Us Away From Single Sign On


In the immediate aftermath of Facebook’s security announcement last week, much of the focus was on the implications of such a massive data breach and how much data may have been accessed. Yet, Facebook’s acknowledgement that the breach would also have allowed attackers to exploit Facebook Login to log into tens of thousands of other sites across the web and download personal data, incur fees and take other actions (though Facebook denies any logins were made) has raised many questions about the safety and security implications of Single Sign On (SSO) systems. In reality, Facebook’s security failure should not dissuade the web from moving towards more secure login processes and in many regards the increasing centralization of the web into just a handful of platforms like Facebook’s is rendering the point moot.

Single Sign On offerings like Facebook Login came into being through the recognition that our fixation with passwords has rendered the online world far too vulnerable. In theory, having a different and complex password for every site limits the fallout from a breach at any given site, but in reality, ordinary users tend to reuse the same password for every site, while the interconnected nature of the web means that a breach of one site might yield sufficient information to reset the password of another site, which in turn can help reset the password in another site and so on.

This means that in today’s online world, it is the security of the weakest site you use that governs your entire online safety.

Moreover, the vast majority of online sites that require a password do not offer two factor authentication to help secure that login. Even those that do offer some form of two factor authentication frequently rely either on highly insecure SMS text message codes or the more secure phone-based authentication apps, but few offer full hardware token integration.

Even Twitter only added hardware security key two factor authentication this past June, driving home that even the largest and highest visibility sites on the web are still just now in 2018 embracing two factor authentication. Many banks still exclusively offer SMS codes for authentication, with only the rare local bank supporting hardware keys.

Google offers its own Titan hardware security key for its two factor authentication offering. Since it began requiring all its more than 85,000 employees to use the key in early 2017, it has not had a single account breach, reinforcing the dramatic security improvement hardware keys can bring. Any ordinary Google user can purchase one and use it to secure their account, instantly adding Google-scale hardware two factor security to everything from their Gmail email to their YouTube uploads.

This is where centralized Single Sign On offerings really shine: they take the security prowess of the top online companies, which literally design their own security hardware, and bring it to the masses.

Moreover, as more and more of the web is centralized inside the walled gardens of the major web companies, the question of Single Sign On or not is being rendered increasingly moot.

Of course, in Facebook’s case, hardware authentication keys would have been rendered useless since the company's bugs bypassed the authentication process, freely handing out authentication tokens like candy on Halloween.

Facebook’s breach is a reminder that our current generation of hardware security keys and two factor authentication schemes are merely a duct tape façade over the deeper problem of identity authentication and verification. Hardware security keys, no matter how advanced, are used only to verify that the person trying to log into a given site is who they claim to be. Once that verification has occurred, the hardware key disappears from the security equation: their browser is handed an authentication token and the user is now considered to be logged in and can do as they please.

In many regards, modern consumer two factor authentication is like the old “castle defense” firewall popular in the corporate world in which a company hardened its outer defenses, but once inside intruders were free to roam at their leisure.

In other words, the authentication process itself is hardware hardened, but once complete it waves the user in and lets them do as they please.

This is because consumer two factor is used merely as an anti-phishing system, rather than as an actual cryptographic identity.

In contrast, take Estonia’s national ID card system, which embeds a unique cryptographic signature on each hardware card (a SIM-based system supports mobile devices) that definitively and legally represents the user, allowing them to do everything from sign legal contracts to vote, all from the comfort of their computer using their digital signature. Estonia’s system even features two different PINs, one for websites that only require the user to prove their identity and a separate PIN for digitally signing legal documents, along with a third code for unlocking each PIN if there are too many failed login attempts.

Imagine the Facebook breach if it used a cryptographic identity system like Estonia's. The attackers would never have been able to download any data or sign in to any remote sites using Facebook Login. In short, the “breach” would never have occurred, regardless of Facebook’s security bugs, since the hardware authentication protects the entire user experience with the site, rather than merely acting as an anti-phishing tool for logins alone. Such a system could even be issued by Facebook itself, with each card uniquely identifying an individual Facebook account, rather than being tied in any way to a government identification system.
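The contrast the article draws between a one-time login check that hands out a bearer token and a cryptographic identity that signs each action can be made concrete in code. The following is an added illustration, not code from the article or from Facebook or Estonia: a bearer-token site where a leaked token keeps working versus a site that demands a fresh signature over every action (replay, altered action and stale timestamps rejected). HMAC with a shared secret stands in for the card's asymmetric signature so it runs on the standard library alone; the user, secret, nonces and timestamps are constructed.

```python
import hashlib
import hmac
import secrets

class SigningCard:
    """Models a hardware identity card: the secret never leaves the object."""
    def __init__(self, user, secret):
        self.user, self._secret = user, secret
    def sign(self, action, nonce, ts):
        msg = f"{self.user}|{action}|{nonce}|{ts}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

class TokenSite:
    """Today's model: key checked once at login, then a bearer token does everything."""
    def __init__(self):
        self.sessions = {}
    def login(self, user):
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token
    def act(self, token, action):
        user = self.sessions.get(token)
        return None if user is None else f"{user}:{action}"

class SignedActionSite:
    """Per-action model: every request carries a fresh, unique signature over the action."""
    def __init__(self):
        self.keys, self.seen = {}, set()  # user -> verification secret; used (user, nonce)
    def act(self, user, action, nonce, ts, sig, now):
        secret = self.keys.get(user)
        if secret is None or abs(now - ts) > 60 or (user, nonce) in self.seen:
            return None  # unknown user, stale timestamp, or replayed nonce
        msg = f"{user}|{action}|{nonce}|{ts}".encode()
        if not hmac.compare_digest(hmac.new(secret, msg, hashlib.sha256).hexdigest(), sig):
            return None  # signature does not cover this exact action
        self.seen.add((user, nonce))
        return f"{user}:{action}"

def compare_models():
    # Constructed user and secret; returns which misuse each model tolerates.
    secret = b"constructed-card-secret"
    card, tokens, signed = SigningCard("alice", secret), TokenSite(), SignedActionSite()
    signed.keys["alice"] = secret
    token, ts = tokens.login("alice"), 1_700_000_000
    sig = card.sign("read_profile", "n1", ts)
    return {
        "leaked_token_still_works": tokens.act(token, "download_data") is not None,
        "signed_request_accepted_once": signed.act("alice", "read_profile", "n1", ts, sig, ts + 5) is not None,
        "replay_rejected": signed.act("alice", "read_profile", "n1", ts, sig, ts + 6) is None,
        "altered_action_rejected": signed.act("alice", "download_data", "n2", ts, sig, ts + 5) is None,
        "stale_request_rejected": signed.act("alice", "read_profile", "n3", ts, card.sign("read_profile", "n3", ts), ts + 600) is None,
    }
```

In the token model the card is never consulted after login, so anything holding the token can act; in the signed model the card must participate in every action, which is the property the article credits to Estonia's design.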

Treating hardware keys as signatures rather than anti-phishing devices does add additional friction and encumbrances to the online experience, creating the classic tradeoff of security versus ease of use. However, as the devices become more popular and better integrated into our computing workflows, those frictions should ease, eventually leading them to be entirely transparent.

Putting this all together, Facebook’s breach shouldn’t be used as an indictment of Single Sign On systems. Rather, it should remind us of the inherent insecurity of our current approach to authentication on the web. Even hardware secured two factor logins are today envisioned merely as an anti-phishing feature, rather than an actual hardware identity verification system. If sites like Facebook embraced a more holistic security and identity stance akin to that used by Estonia’s cryptographic signatures and identity verification, Facebook’s breach would never have occurred. Unfortunately, there is no incentive for sites like Facebook to improve their security stance. Even under the worst case scenario, the penalty is merely a relatively small fine compared with their earnings and some minor PR damage, but as Facebook learned from its Cambridge Analytica scandal, after a few months the economic damage fades away.

In the end, the real problem is that the social media companies don’t see our data as being as valuable as we see it. To us, a breach can be economically devastating, exposing us to fraud and endless phishing attempts, while to them, even a few tens of millions of breached accounts is just a rounding error and a few days of bad PR. Until social media companies see our data as valuable and begin to secure it like banks secure our money, Facebook’s breach will merely be the first of many.