Lately I’ve read and done some things around CIBA or Client Initiated Back-channel Authentication – an improvement of OpenID specification. Why to spend time into such things? Here A little bit of history, definitions and philosophy from my point of view.
Having “standards”/or philosophically – order, law/ is a good thing in the most common use cases. Their creators are idealistic in nature and try to make them very “good”, highly performant, secure and so on. Complying a standard means that you also will somehow “get” this high ground. Of course – to improve, some part of the creators must go outside of the common and to try new things and with practice – they may find something better. This is the uncommon path – the chaos. This type of fights between – the old and the new, the approved vs not approved, the known vs unknown and so on is very widespread in all areas of life – not just software.
I have seen as a programmer and as a user the both sides of the technical order/chaos coin .
Before the European Union forced a unified charging port for many types of phones and mobile devices – every manufacturer had their own chargers and adapters. This meant – rarely someone else could borrow you a charger. And if you have several different types of devices – you need a full bag of adapters – which is ridiculous. There are still few brands that produce different types of ports – like Apple, but for the majority of Android smartphones and majority of the feature phones – one charging device will probably do the work.
There was / and still / a battle for – what is the most used Web Browser. It’s good that most browsers (except again Apple) – try to keep up with the standards created by the world wide web consortium – and this creates happier developer and more satisfied users – with the ever – increasing features of the browsers.
OpenID is a set of standards and recommendations that tries to unify the way users authenticate against websites, applications and platforms. The foundation behind it is trying to include all the latest improvements around security – the latest cryptographic algorithms and protocols that promote good programming practices to keep developers at high quality and users – safe from information and data leak, brute-force logins and so on.
Today, if a software developer wants to create a login form in some third party app – job, car, product marketplace, social platform, content management system or whatever – he must integrate a private user database authentication or – use some authentication provider. There are solutions that unite different identity providers, but they come with a price. If all the big platforms – Google, Facebook, Twitter, LinkedIn, Snap-chat and so on – had a unified protocol for authentication – with code common to all endpoints – it would have been possible to create simple login integration. If you don’t use a service like Firebase, you must integrate the code of each platform and this brings pain in the ass for the developer and bad performance to the user.
CIBA is an extension of OpenID that in my opinion includes a use case for “detached” authorization – a protocol for giving a remote user permission within some custom 3rd party system – with the authentication being done through the pipes of the back-end servers - thanks to the detachment of the user login module and the transition of the world to microservices. The use cases given are – authentication during a voice call or confirming a payment or a bank operation. I personally see a lot more applications of the back-channel authorization beyond finances – maybe not exactly in its current form, but – in some similar shape.
Governments around the world are one of the biggest identity providers. If they at some point get technically better with better software – instead of writing things on paper (in Eastern Europe), or use of half century old programming language that has lack of developers (in US), the national identity could get used in a lot of places. You want to buy a car or a house – the acquisition must go through a notary person, you want to vote – a back-channel authentication could prevent faking, a local, regional or national law maker wants to pass a text that affect you – have a system of approval with some kind of CIBA, the doctor wants to write something in your medical database – give them CIBA approved confirmation, give your car to your child – authenticate temporary someone else’s software or hardware key (this is probably for the more modern cars), some social network wants to sell your data – make the big companies request your permission on each use – not just once at the beginning – very much like the run-time permission of android and iOS.
In some perverted analogy in my mind, I see similarities in the Block-chain technology – the Bitcoin as a financial implementation and Ethereum for every other use case and all the other new similar technical toys – very common – to the standards, specifications and recommendations. They even have tools in common – the cryptographic algorithms.
The problem of the the decentralized crypto things is that they are not user friendly to a mere non-technical mortal (although in many cases the abstractions are common sense), so their use has not reached desired levels. Their freedom is not liked a lot to the governments and the current systems. Also – the total freedom has its downsides – the user must secure their software and hardware keys personally.
The problem with the specifications are that they are more of a recommendations and until they are forced or have a natural big value – to the businesses, to the developers and to the users – that all actors recognize and embrace, they may not get used in practice at sufficient levels. The European Union enforced GDPR, but the implementation of the practices and the usage of the user data by the big companies is consented only at the initial phase. Once the corporations collect the permissions, they could do whatever they want with the data. The misuse is handled somehow post factum (after the event). An (enforced if must) CIBA implementation could give more control to the users and their data, but, I’ll stop here, because my imagination goes too deep into Utopian idealistic realities :)