OneID Executive Summary: Trustable Identity Service Provider
Short summary:
OneID is the only trustable consumer-provisioned federated identity on the Internet today. It is analogous to a passport or driver's license in the real world: a single identity that any third party can trust.
Existing approaches to identity are hard to use (you have to remember a username and password for every site), and they are not secure (subject to mass password-breach attacks as well as phishing, malware, keyloggers, etc.). About 50% of users use the same password on all websites, and only 1% use 2FA because it is too cumbersome. If you don't use the same password on all sites, you trade one problem for another: a serious usability burden, or a new security exposure (a file of your passwords that can be stolen).
More importantly, today's federated identities (Facebook, Yahoo, Google, Twitter, etc.) are not trustable, because your identity can be asserted without your consent if 1) someone changes the wrong line of code at the identity provider, or 2) an attacker breaks in and steals the password file at any website where you used that same password (and most of us reuse passwords everywhere). This is a fundamentally flawed system architecture. For example, due to a coding error, Apple recently made it possible for anyone to take over anyone else's Apple ID. Can we guarantee that won't ever happen again? Absolutely not.
OneID is different and important because it uses a completely new architecture for identity. It eliminates shared secrets, stores the crypto secrets required to authenticate a user on the user's own devices, and builds trust into the architecture and end-to-end secure protocols (not into operational policy), so that it is no longer possible for a user's identity to be asserted to third parties without the specific consent and involvement of that user.
In addition, even if you know my email address and my OneID password, you cannot log into my OneID account. So even if my OneID password is the same password I use everywhere else on the Internet, and that password becomes known, all my existing accounts can be compromised, but my OneID cannot, because it is tied to the crypto secrets on my authorized devices, not to a password.
OneID is easy to use and secure, and it can be used for information sharing, validating digital claims (such as "I am over 21"), authentication, and authorization, including multi-factor and step-up authentication. OneID is an ideal way to log in, authorize transactions, share and update information, and prove digital claims.
Longer summary:
Our current identity system is broken. It is inconvenient and insecure. 10% of users never remember their passwords and have to go through the reset process whenever they log into a site. Almost 50% of people use the same password on all sites. 75% of people are frustrated to very frustrated with authentication. 46% frequently or very frequently abandon transactions due to authentication problems.
The problem is that no solution, available or proposed, solves these problems. If you can solve them, the implications are huge. That is why we started OneID: to solve these problems and more.
The reason we have so many usernames and passwords is that nobody trusts anyone else. That is justifiable, since most companies have been breached, including the US Federal Reserve. If you are breached, the identities you claim to be an authority for are no longer trustable. So we have a situation that forces people to create identities everywhere, and every day, for every user, it gets worse as they create more and more accounts.
The only way out of this mess is to create a trustable identity provider network. This lets us replace all the usernames and passwords we have with a single authentication point, and it provides much more trust than today's proprietary identity providers (i.e., each individual website), because mass breaches (such as stolen password files) are eliminated entirely.
No one has accomplished this important goal except OneID. We are the world's only trustable consumer-provisioned federated identity provider network.
OneID has created an identity architecture where the architecture itself (and not operational policy) guarantees that the identity is trustable: an attacker inside OneID could not assert someone's identity, and mass breaches are not possible. Once you have a trustable federated identity system, you can have a single identity that you use for all sites.
OneID also provides an identity that is nearly impossible to breach. For example, I can tell you my username, password and PIN code, give you access to my email and my laptop, give you complete access to the OneID servers (where you can change the code and read and write all the files), tell you the answer to every security question, and even armed with all of that you cannot authorize a transaction as me. Nothing else comes close to that level of security. And OneID doesn't sacrifice convenience either: when I log into a site, I can do so with a single click.
To create a trustable federated identity, OneID uses public key cryptography (elliptic curve cryptography) and specialized protocols to prove to a site that it is the user, without sharing any secrets with the site. We also store three different private keys for the user in three different places (two on different user devices and one at OneID) to prevent single-point-of-compromise attacks on either the user's devices or the OneID servers. The relying party requires at least two digital signatures, which it verifies against the two or three public keys it has on file for that user. Each site has a different set of public keys for each user, to preserve privacy: one site cannot correlate a user's keys with the keys the same user presents to another site.
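The 2-of-3 signature check described above, as an added example that is not OneID's code. It assumes details the page does not give: ECDSA over P-256 (a Suite B curve), a fresh key pair generated for each relying party at enrollment by each of the three key holders (named here phone, laptop and idp), a quorum of two, and a single-use challenge issued by the relying party that binds the site, the user and the action. The relying party holds only public keys, so a breach of the relying party, or of the identity provider's single key, yields nothing that can authorize a transaction on its own.

```go
// Added example, not OneID's code: a relying party accepts a login only when
// at least 2 of the 3 ECDSA P-256 keys enrolled for a user sign the same
// single-use challenge. Key placement and challenge layout are assumptions.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer is one of the three key holders (two user devices, one at the
// identity provider). Each keeps a separate key pair per relying party
// (assumed), so public keys seen by different sites cannot be correlated.
type Signer struct{ keys map[string]*ecdsa.PrivateKey } // RP ID -> key
func NewSigner() *Signer { return &Signer{keys: map[string]*ecdsa.PrivateKey{}} }

// Enroll generates a fresh key for one relying party and returns the public half.
func (s *Signer) Enroll(rpID string) *ecdsa.PublicKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	s.keys[rpID] = k
	return &k.PublicKey
}

// Sign signs SHA-256(challenge) with the key held for that relying party.
func (s *Signer) Sign(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, s.keys[rpID], h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// RelyingParty stores only public keys and its outstanding challenges.
type RelyingParty struct {
	ID      string
	Quorum  int
	users   map[string][]*ecdsa.PublicKey
	pending map[string]bool
}

func NewRelyingParty(id string, quorum int) *RelyingParty {
	return &RelyingParty{ID: id, Quorum: quorum,
		users: map[string][]*ecdsa.PublicKey{}, pending: map[string]bool{}}
}

func (rp *RelyingParty) EnrollAll(user string, signers ...*Signer) {
	for _, s := range signers {
		rp.users[user] = append(rp.users[user], s.Enroll(rp.ID))
	}
}

// Challenge issues a single-use nonce bound to site, user and action, so a
// signature captured for one site or action cannot be replayed elsewhere.
func (rp *RelyingParty) Challenge(user, action string) []byte {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	c := fmt.Sprintf("%s|%s|%s|%x", rp.ID, user, action, nonce)
	rp.pending[c] = true
	return []byte(c)
}

// Verify accepts an outstanding challenge only if at least Quorum distinct
// enrolled keys signed it; one key signing twice still counts once.
func (rp *RelyingParty) Verify(user string, challenge []byte, sigs [][]byte) bool {
	if !rp.pending[string(challenge)] {
		return false // unknown or already-consumed challenge (replay)
	}
	h := sha256.Sum256(challenge)
	used := map[int]bool{}
	for _, sig := range sigs {
		for i, pub := range rp.users[user] {
			if !used[i] && ecdsa.VerifyASN1(pub, h[:], sig) {
				used[i] = true
				break
			}
		}
	}
	if len(used) < rp.Quorum {
		return false
	}
	delete(rp.pending, string(challenge)) // consume: a challenge is used once
	return true
}

func main() {
	phone, laptop, idp := NewSigner(), NewSigner(), NewSigner()
	bank := NewRelyingParty("bank.example", 2)
	bank.EnrollAll("alice", phone, laptop, idp)
	c := bank.Challenge("alice", "login")
	fmt.Println("phone+idp:", bank.Verify("alice", c, [][]byte{phone.Sign(bank.ID, c), idp.Sign(bank.ID, c)}))
	c2 := bank.Challenge("alice", "login")
	fmt.Println("idp alone:", bank.Verify("alice", c2, [][]byte{idp.Sign(bank.ID, c2), idp.Sign(bank.ID, c2)}))
}
```

Verify counts each enrolled key at most once, so the identity provider signing twice with its one key never reaches the quorum, a consumed challenge is rejected on replay, and keys enrolled at one site do not verify at another. A production deployment would additionally expire challenges and include the transaction details being approved in the signed data.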
OneID can be used for login, sharing information, and authorizing transactions, on-line, over the phone, and in person. It is similar to Facebook Connect, but it preserves user privacy, it does more than just login, it provides three higher assurance security levels, it uses existing devices, it doesn't require a download, it is nearly impossible to compromise, and it is consumer provisioned and managed. Most importantly, unlike any existing consumer-provisioned identity, the identity asserted (using public key cryptography between the user's browser and the relying party) is trustable. That means the identity provider cannot assert a user's identity, because OneID generates and stores the identity secrets on the user's devices and not in the cloud; the identity cannot be asserted to a relying party without the direct consent and involvement of the user's device(s). So OneID facilitates the identity transaction directly between the user and the relying party, instead of the traditional (and insecure) approach in use today, where the assertion is made from the identity provider (which can be mass compromised) to the relying party. The result is simple, secure, easy-to-use identity (login, form fill, authorization) suitable for both high- and low-assurance sites. There is nothing else like it on the Internet today.
A starting point for solving the problems with identity on the Internet is an easy-to-use cloud consumer identity provider that all websites will trust. Without that, we are stuck with individual usernames and passwords.
There are many requirements for a trustable federated identity provider. The most important one is very simple: there must be no way for a user's identity to be asserted without the user's express consent. Can you name a trustable identity provider that meets this requirement? We couldn't. Nor could any CIO or CSO we talked to (and we talked to over 300 of them). That's why we started OneID. We believe OneID has the only system architecture in the world today that can make that claim.
Our system architecture and end-to-end secure protocols ensure a user's privacy and security, not our operational policy:
• No usernames. No passwords. Your identity can never be asserted without your express consent.
• Single-click login, form fill, and information sharing. 1-click checkout at e-commerce sites without typing.
• If you break into the OneID servers, you can't assert someone's identity or decrypt their information.
• Personally identifiable information (PII) is never stored on your devices (even in encrypted form).
• Two-factor in-band and out-of-band authentication and authorization. 2FA that is as convenient as 1FA.
• Stolen devices disable themselves without any user intervention.
• Five different Levels of Assurance (LoA), settable by users and RPs on a per-device, per-RP, and per-transaction basis.
• End-to-end security. No shared secrets. NSA Suite B crypto.
• Two entirely separate classes of user devices, each with its own set of crypto secrets. Secrets live at the endpoints.
• Account recovery requires two factors, including a high-entropy secret that is never stored (or seen) by the OneID servers, so OneID can never send you a "reset your password" link.
• Compliant with NSTIC principles.
• A permanent identity that can never be compromised or lost.
• As easy for a consumer to use as Facebook Connect, yet far stronger security than RSA SecurID (and without the token).
• Runs on all modern browsers without requiring a download. Integrates into most websites in less than 3 hours. Available now.
In the same way the iPhone revolutionized how we think of mobile phones, OneID will do the same for identity. These documents explain the OneID story.
OneID is arguably the most important innovation in the identity space in the last 50 years, because it provides the first truly viable alternative to the 50-year-old username/password authentication paradigm. For the first time, individuals can obtain an easy-to-use, truly secure, trustable third-party identity that can be used at multiple relying parties. This identity is more trustable than the identity systems you use now, whether a federated identity or your own. The era of bring your own identity (BYOI) has finally arrived.
Alternate Executive Summary
The current authentication methods no longer work: security breaches happen on a regular basis, there are too many passwords to manage, and now we are adding 2FA, which adds still more complexity. 2FA does mitigate keylogging and password theft, but one-time-code second factors can still be defeated by real-time phishing and by malware such as Eurograbber. My sister recently had her Yahoo account compromised. She changed her password and ran a malware checker. She asked me, "So how do I know it is safe to log into my bank or PayPal?" I said, "You don't."
Nothing we have today changes that.
OneID is fundamentally important because it is, by far, the best technology to replace shared secrets for authentication. Once OneID is set up on your computer (which can be as easy as typing a non-shared secret password or as fast as scanning a QR code), it is both easier to use and manage, and more secure, than any other solution.
So the major breakthrough of OneID is creating an identity that is easy to use, federated, and "trustable." The first two were easy and there are lots of examples (Facebook, Google, etc.); adding trustable was the hard part. Trustable means:
• Elimination of all shared secrets (passwords, PINs, private keys, secret keys). These mechanisms are still used, but never as secrets shared with another party.
• Protocols that ensure end-to-end security (including device pairing and transactions)
• Multiple layers of authentication (4 layers)
• Security on both the user side and the RP side
• Preservation of privacy (no PII stored on the user's device or decryptable in the cloud, directed identity, etc.)
• Control: your identity cannot be asserted without your consent (i.e., without the participation of your devices)
• Highest possible identity assurance (immune to Eurograbber and similar man-in-the-browser and man-in-the-mobile attacks)
• No single point of compromise: multiple, individually low-probability compromises are required to compromise an identity
Today, there is not a single consumer identity provider (federated or dedicated) that is "trustable." None are even close. That is the significance of what we've done here: we've created the world's first and only trustable, consumer-provisioned federated identity, and crypto experts have validated our claims.
We are aligned with the sound principles outlined in Google's "Authentication at Scale" (Grosse and Upadhyay, IEEE Security & Privacy, vol. 11, 2013, pp. 15-22), but have gone beyond them. We are also compliant with all NSTIC principles.