Beyond Facebook Tokens: Proving You are You without Tokens

On September 25th of this year, Facebook discovered that 50 million users had their accounts hacked. Hackers had exploited a vulnerability in the platform’s ‘View As’ feature to download access tokens so they could login to the accounts of other Facebook users.

 

At a pure privacy level, this compromise takes us aback for being yet another incident of Facebook’s inability to keep hackers off its platform. How many more times can we expect to see headlines showing that our favorite social network has been compromised? If we take a step back though, Facebook’s problem is emblematic of a larger challenge. The larger challenge is one all cloud-based services (think Salesforce or Google) face in ensuring the security and authenticity of those logging into their site.  And this raises the question of how do we move past the current broken process of using tokens for cloud-based authentication?

 

How access tokens compromised Facebook user accounts and much more

 
Access tokens are the equivalent of digital keys that keep people logged in on Facebook so they don’t need to constantly re-enter their password while using the app. As one engineer at PreVeil put it, access tokens are how Facebook ensures “you are you”. Without tokens, users would be required to reenter their credentials multiple times while viewing their Facebook page.

 

However, due to a bug in Facebook’s code, the “View As” feature allowed attackers to access the accounts of users whose names were entered in the “View As” box as opposed to just letting users view their profile as someone else. This allowed the hackers to access account holders’ tokens and use the account as if they were the account holder. Additionally, with these tokens, hackers could access the Single Sign-On associated with user’s Facebook accounts.

 

Facebook has told users to reset their access tokens by resetting passwords. In an article in Wired though, writers noted that “Facebook is looking into whether the access token reset is enough to prevent attackers from accessing third-parties going forward.” A respected researcher interviewed in the same Wired story says it isn’t.

 

The challenge of token-based authentication

 

From the above description we can see the challenges that face Facebook as well as any other cloud providers using tokens to authenticate users. Indeed, Airbnb had a similar weakness in their software before it was discovered through a bug bounty.  So, while tokens make life easier for end-users they simply don’t provide the level of security needed. Tokens attempt to solve the problem of ease of use since users don’t like passwords. But by giving into this user need, developers introduced significant risk.

 

The question then becomes one where we ask how can we provide ease of access without passwords? Also, how can we provide security for user accounts and provide users confidence that their accounts will remain secure and their data will not be seen by unwanted third parties?

 

Cloud services need a seamless way to securely authenticate users so that they stay secure even when the cloud providers service messes up, as was the case with Facebook. This better method of “native” authentication is provided by the use of private keys which get stored securely on user devices and only ever stored on user devices.

 

Authentication with security

 

Private keys neatly answer the question of how do you prove “you are you” without the use of tokens. When private keys are stored on user devices, the only way to ensure “you are you” is through your device. Passwords are not used. Two-factor authentication is not used. Your device (read: your smartphone, computer or iPad) that holds the private key serves as your method to authenticate your identity since you are the only one who has your device.

 

If devices are stolen, then keys can be cryptographically disabled and new keys created. However, the probability of devices being stolen is much lower than the probability of an account being hacked.

 

Furthermore, private keys obviate the need of providers having to chose between usability and security. Instead, they are able to opt for both. Private key encryption is relatively easy to implement and seamless from an end-user’s point of view.

 

If cloud-based providers showed a willingness to tie down access to their platforms more tightly through the use of private keys then many hacking attempts would be thwarted.
 

Conclusion

 

We are not naïve and thus don’t assume that Facebook will come running to use private keys any time soon. They have shown their model to be one where they want users to be able to login from anywhere in the world. However, for the numerous cloud services that can easily be restricted, the use of private key encryption is a logical step to improve security.

 

If you want to learn more about how private key encryption works, send us a message or tweet. We’d love to hear form you.