All the Faces of Connection You Never Thought About | by Vicente Aceituno Canal | The CISO’s lair | September 2023


Often when we think about login, we only think about the user account ID and the credentials presented with it. In reality a login involves several other controls, especially in a federated or distributed environment. Each of these checks is independent of the others and can pass or fail on its own.

The first check is whether the user account ID is genuine: was it actually issued to a registered user? In a federated setting this means asking the other members of the federation whether the identifier is known to them.

The second check is whether the user account is live: is it active, or has it been suspended or revoked?

The third control is possession. Does the user currently hold the credential? The credential can be a password, the private key corresponding to a digital certificate, an MFA code, etc.

The fourth control is ownership. The user may be in possession of the credential, but is the user its rightful owner? This is the intent of programs such as Extended Validation for digital certificates. It is probably the most difficult check to carry out. It is normally implemented by sending a secret to an address whose ownership cannot easily be shared and which costs something to maintain, such as a telephone number or email address. Because of the technical limitations of operating online, this is only an approximation: it shows that whoever holds the credential also controls that phone or mailbox at that moment, not who they are.

The fifth check is whether the entity that issued the user account is still active. In a federated or distributed scenario this means verifying that trust in the issuer has not been downgraded or withdrawn. This can happen, for example, when a digital certificate was issued by a certificate authority that has since been removed from the root programs of the common browsers.

The sixth check, normally done last, is validity: whether the user account ID has expired, and whether it may be used for its intended purpose, e.g. read information, edit information, vote, sign something digitally, buy something, etc. Validity checks may also require operating from an authorized device, network, location or time window.

So the next time you’re designing or analyzing an identity management system, think about how exactly these controls are implemented:

  • Authentic
  • Live
  • Possession
  • Ownership
  • Active
  • Valid
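The following is an added example, not code from the original post, showing how the six controls above can be kept separate in code so that each one passes or fails on its own and the result of every check is visible to the caller. The issuer registry, the account records, the field names and the three sample users are constructed for illustration; the credential check uses a salted PBKDF2 hash as a stand-in for whatever credential type a real system verifies.

```python
"""Six independent login checks, one per control from the post.

All registries, accounts and field names below are constructed for this
example and do not describe any real identity system.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import hmac
import ipaddress
import os


@dataclass
class Issuer:
    name: str
    trusted: bool  # still present in the relying party's trust store?


@dataclass
class Account:
    user_id: str
    issuer: str
    status: str              # "active", "suspended" or "revoked"
    salt: bytes
    pw_hash: bytes           # PBKDF2-HMAC-SHA256 of the password
    owner_verified: bool     # a secret sent to the user's phone/email came back
    expires: datetime
    purposes: set            # operations the account may perform
    allowed_nets: list = field(default_factory=list)  # empty = no restriction


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(user_id, issuer, password, status="active", owner_verified=True,
                 expires=datetime(2030, 1, 1, tzinfo=timezone.utc),
                 purposes=("read",), allowed_nets=()):
    salt = os.urandom(16)
    return Account(user_id, issuer, status, salt, hash_password(password, salt),
                   owner_verified, expires, set(purposes), list(allowed_nets))


# Constructed federation: two issuers, three accounts. Not real data.
ISSUERS = {
    "idp-a": Issuer("idp-a", trusted=True),
    "idp-old": Issuer("idp-old", trusted=False),  # dropped from the trust store
}
ACCOUNTS = {a.user_id: a for a in [
    make_account("alice", "idp-a", "correct horse", purposes=("read", "edit"),
                 allowed_nets=("10.0.0.0/8",)),
    make_account("bob", "idp-a", "hunter2", status="suspended"),
    make_account("carol", "idp-old", "s3cret", owner_verified=False),
]}

# Dummy record so a password hash is computed even for unknown IDs; without it
# the response time would reveal which user IDs exist.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(os.urandom(16).hex(), _DUMMY_SALT)


def evaluate_login(user_id, password, purpose, client_ip, now=None):
    """Run all six checks and report each one separately.

    Every check runs even when an earlier one fails, so the caller (and the
    audit log) sees exactly which controls passed.
    """
    now = now or datetime.now(timezone.utc)
    acct = ACCOUNTS.get(user_id)
    issuer = ISSUERS.get(acct.issuer) if acct else None
    salt, stored = (acct.salt, acct.pw_hash) if acct else (_DUMMY_SALT, _DUMMY_HASH)
    ip = ipaddress.ip_address(client_ip)

    results = {
        # 1. Authentic: the ID was issued to a registered user.
        "authentic": acct is not None,
        # 2. Live: the account is neither suspended nor revoked.
        "live": acct is not None and acct.status == "active",
        # 3. Possession: the presented credential matches (constant-time compare).
        "possession": hmac.compare_digest(hash_password(password, salt), stored),
        # 4. Ownership: the holder proved control of an address tied to the account.
        "ownership": acct is not None and acct.owner_verified,
        # 5. Active issuer: the issuing party is still trusted.
        "active_issuer": issuer is not None and issuer.trusted,
        # 6. Valid: not expired, allowed for this purpose, from an allowed network.
        "valid": (acct is not None and now < acct.expires
                  and purpose in acct.purposes
                  and (not acct.allowed_nets or any(
                      ip in ipaddress.ip_network(n) for n in acct.allowed_nets))),
    }
    # A match against the dummy record is meaningless; possession needs a known ID.
    results["possession"] = results["authentic"] and results["possession"]
    return results


def authorize(user_id, password, purpose, client_ip, now=None):
    """Grant access only when every independent check passes."""
    return all(evaluate_login(user_id, password, purpose, client_ip, now).values())


if __name__ == "__main__":
    t = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for uid, pw in [("alice", "correct horse"), ("bob", "hunter2"),
                    ("carol", "s3cret"), ("mallory", "x")]:
        print(uid, evaluate_login(uid, pw, "read", "10.1.2.3", now=t))
```

Running the block prints one line per sample user showing which of the six checks passed: bob fails only "live", carol fails "ownership" and "active_issuer", and an unknown ID fails everything while still costing one password hash. Keeping the per-check results separate, rather than short-circuiting on the first failure, is what lets an incident responder later distinguish "wrong password" from "credential presented for a suspended account at an issuer we no longer trust".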