Identity Security Venn
Is OAuth Impersonation a Feature or Threat?
"But the plan won't accomplish anything
If it's not implemented"
-Doug Martsch, Built to Spill
This week saw two important documents released by the Financial-grade API (FAPI) working group at the OpenID Foundation (links below): a security profile for high-security applications built on the OAuth 2.0 framework and, importantly, an attacker model for OAuth 2.0.
Taken together, the two specs give important guidance on how identity protocols are attacked and how we can defend them better. That makes these documents a useful antidote to "we use OAuth/SAML/OIDC, so we're secure."
To security engineers, impersonation is a threat; after all, Spoofing is the "S" in STRIDE. But for identity protocols like OAuth, one party acting on behalf of another is the whole point: it is what makes access easy and simple. You told us to improve the user experience, right? Strictly speaking OAuth delegates rather than impersonates, but from the resource server's side a bearer token looks the same in anyone's hands, which is why the distinction matters so little to an attacker.
With attacker tooling getting better and better, we live in a world where security engineers need to be next-level thinkers.
It is no longer enough to:
build threat models for applications and systems, and
find countermeasures to mitigate the threats.
Instead we need to keep going:
threat model the ways the countermeasures themselves will be attacked, and work out how to defend against those.
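As an added illustration of threat modeling the countermeasure itself (example code written for this edit, not from the post or from the FAPI documents it discusses): the toy Python below models an OAuth authorization server and a public client. PKCE is the standard countermeasure to authorization code injection; the PKCE downgrade attack from the OAuth 2.0 Security Best Current Practice is the attack on that countermeasure; and making PKCE mandatory, as FAPI 2.0 does, is the defense against the attack on the defense. All class and function names are invented for the example, and the flows are simplified (no redirect URIs, client authentication or TLS).

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Toy, in-memory model of an OAuth authorization server and a public client.
# Added example for this post; not code from the FAPI working group.


def s256(code_verifier: str) -> str:
    """PKCE S256 transform: BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """enforce_pkce=False: PKCE is checked only when a code_challenge arrived.
    enforce_pkce=True: codes issued without a code_challenge are never redeemed
    (mandatory PKCE, the FAPI 2.0 position)."""

    def __init__(self, enforce_pkce: bool) -> None:
        self.enforce_pkce = enforce_pkce
        self._codes: Dict[str, Tuple[str, Optional[str]]] = {}  # code -> (user, challenge)

    def authorize(self, user: str, code_challenge: Optional[str]) -> str:
        """Authorization endpoint after the user consented. code_challenge is
        whatever arrived in the request; a user agent the attacker controls
        can strip it, which is the attacker-controllable flag the BCP warns about."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user, code_challenge)
        return code

    def token(self, code: str, code_verifier: Optional[str]) -> Optional[str]:
        """Token endpoint: returns an access token string, or None on rejection."""
        entry = self._codes.pop(code, None)  # codes are single use
        if entry is None:
            return None
        user, challenge = entry
        if challenge is None:
            # Lax server: nothing was bound to the code, so nothing is compared.
            # Strict server: a code without a challenge is rejected outright.
            if self.enforce_pkce:
                return None
        elif code_verifier is None or s256(code_verifier) != challenge:
            return None
        return f"token:{user}"


class Client:
    """Public client that uses a state parameter (CSRF) and PKCE."""

    def __init__(self, auth_server: AuthorizationServer) -> None:
        self._as = auth_server
        self._sessions: Dict[str, str] = {}  # state -> code_verifier

    def start_login(self) -> Tuple[str, str]:
        """Returns the state and code_challenge placed in the authorization request."""
        state = secrets.token_urlsafe(8)
        verifier = secrets.token_urlsafe(32)
        self._sessions[state] = verifier
        return state, s256(verifier)

    def callback(self, state: str, code: str) -> Optional[str]:
        """Redirect URI handler: state check first, then code redemption."""
        verifier = self._sessions.pop(state, None)
        if verifier is None:
            return None  # unknown or replayed state
        return self._as.token(code, verifier)


def honest_flow(enforce_pkce: bool) -> Optional[str]:
    """Alice logs in through her own browser; nothing is tampered with."""
    server = AuthorizationServer(enforce_pkce)
    client = Client(server)
    state, challenge = client.start_login()
    code = server.authorize("alice", challenge)
    return client.callback(state, code)


def code_injection(enforce_pkce: bool) -> Optional[str]:
    """The threat: a code stolen from the victim's flow (challenge intact) is
    injected into the attacker's own session. PKCE is the countermeasure."""
    server = AuthorizationServer(enforce_pkce)
    client = Client(server)
    attacker_state, _ = client.start_login()
    _victim_state, victim_challenge = client.start_login()
    stolen_code = server.authorize("victim", victim_challenge)
    return client.callback(attacker_state, stolen_code)


def pkce_downgrade(enforce_pkce: bool) -> Optional[str]:
    """The attack on the countermeasure: the attacker starts a flow at the honest
    client, strips code_challenge from the authorization request before handing
    it to the victim, then injects the resulting code into their own session."""
    server = AuthorizationServer(enforce_pkce)
    client = Client(server)
    attacker_state, _stripped_challenge = client.start_login()
    victim_code = server.authorize("victim", code_challenge=None)
    return client.callback(attacker_state, victim_code)


if __name__ == "__main__":
    for strict in (False, True):
        print(f"enforce_pkce={strict}: honest={honest_flow(strict)} "
              f"injection={code_injection(strict)} downgrade={pkce_downgrade(strict)}")
```

The lax server defeats plain code injection, which is all most deployments test for, and still hands the attacker a token for the victim in the downgrade case; the only difference in the strict server is that the token endpoint refuses any code that was not bound to a challenge. That one line is the "countermeasure for the attack on the countermeasure" the list above is asking you to go looking for.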
Because identity is fundamentally an integration technology, built to cross borders and connect things, identity protocols are front and center in attackers' sights. Put it all together: security teams striving for least privilege on one side, identity protocols striving to make access as simple and easy as possible on the other, and the combined effect is that defending against account takeover is an industry-wide challenge. That is what makes the FAPI security specs so helpful to the industry.
One of the challenges with defending identity protocols is that the solutions are disparate and mostly disconnected from each other, so they do not play to the traditional strengths of infosec teams, which tend to focus more narrowly. Defending OAuth applications instead means looking across the whole stack: the user device, phishing, network controls, server configuration, application controls (CSRF protection, state and PKCE checks, redirect URI validation and the like), and so on.
Today these are all discrete efforts, and there is no one place to go to harness and monitor all of these challenges. Charlie Munger liked to say that you have to understand your circle of competence, and if you cannot define its edges and borders then it is not a competence. The work of groups like the FAPI team is so useful not because it has all the answers for security teams that must defend identity protocols, but because it spells out the protocol's limitations and assumptions (the attacker model says which attacker capabilities the profile does and does not defend against), and those can be used to upgrade identity protection, detection, and response.