Getting rid of ACLs

Micha Roon
4 min read · Oct 28, 2021
Access Control Lists are a thing of the past

How I improved security and learned to love certificates

Imagine you’re in the queue to enter a private club; at the entrance, you show your membership card and the bouncer lets you in. The bouncer checks that the card is genuine; they don’t have access to the list of card holders, and they don’t need to.

In contrast, most applications require us to identify ourselves before we are allowed to use them, and above all before we are given access to our own data. Permissions are checked by comparing the logged-in user against an Access Control List (ACL): a list, held by the application, of every user and their privileges.

Social Login is no better

When we use Sign in with Apple, the authentication method is different, but the authorisation method remains the same. The user still has to register, and upon registration the Apple ID is stored in the application’s ACL.

It is not your Apple ID that gives you access to the application. The application is still storing your profile, but allows you to unlock it with your Apple ID instead of a username and password.

What’s the alternative?

But Micha, I hear you say; how can an application know the permissions of each user? We have normal club goers and VIP members and we need to treat them differently.

Many applications today act as the user’s wallet. They keep our things safe for us, under the lock of a password. In real life, we keep many of our things secure ourselves: in our wallets.

We can do the same thing in our applications. Create a digital wallet for the user: the identity wallet. In this wallet the user can store all the credentials they need and present them when required. An application does not have to store all the data about its users, it can rely on the fact that the user will present their digital membership card whenever they want to use the application.

Because this digital wallet is not bound by physical constraints, it can hold the access tokens for every application you use, whether daily or once a year. Unlocking the wallet works as before: with a fingerprint, Face ID, a PIN or a password, as the user prefers. But the app no longer needs to talk to a server in order to create a login credential.

The new login sequence

The verifiable credential handshake

In this handshake, the application does not need to remember who the user is: it receives the user details, in the expected format, from the credential the user presents. Those details cover both the user profile and the assigned permissions. The application’s job shrinks to that of the bouncer: check that the credential is genuine (signed by an issuer it trusts), that it has not expired, and that the person presenting it is the holder it was issued to.

What’s in it for me?

From an application developer’s point of view, it might not seem very appealing to give up control over all the user profiles in favour of checking a Verifiable Credential that is presented every time a user connects. But there are some benefits.

Convenience

The first advantage is convenience for the user as they don’t need to remember a username and password or even which social login they’ve used. They know that the verifiable credentials they hold will be recognised.

As the developer you get more convenience too; in the form of reduced administration. There is no need to develop a User Profile page for your applications anymore. Only application specific data needs to be managed in the app. All the personal data is stored in the wallet and presented upon each login.

Security

Your application cannot leak user profile data for the simple reason that it does not hold any. There is one caveat: the profile still passes through the application at every login, so it must be used for that session and not logged or cached, or you have rebuilt the user database by accident. An application that holds no profiles is a far less attractive target, which lets you sleep more soundly, which is nice.

Also, there is no need to enforce a tedious password policy in order to make people create secure credentials. The credentials in the wallet are protected by public-key cryptography: there is no password to guess, phish or stuff, and the private key never leaves the device. What remains worth protecting is the wallet itself and the issuer’s signing key.

GDPR anyone?

The GDPR or its Californian cousin, the CCPA, are high hurdles to jump for any successful app. Not storing the identities of the users in the first place removes a major burden from the compliance checklist.

It is not a magic wand and the application developer still has to take care of tracking personal data in their accounting systems and such; but it does address a major pain point in data management.

Who’s gonna pay for it?

Several identity wallet projects are already underway and will become mainstream soon. Governments are starting to use wallets, but so are many private enterprises. There will be no shortage of solutions, good and bad ones.

Beware of shackling yourself to a provider

Whichever solution you find best for your particular application, make sure two things are true:

If one of these is not true, you’ve been tricked into using a proprietary solution and are hostage to the development agenda of the solution provider. Paying for convenience is perfectly fine; some closed source solutions have a better developer experience and offer support. But you owe it to yourself not to fall prey to unscrupulous vendors who just want to make it too expensive for you to switch.

You get bonus points for using the W3C Decentralized Identifiers (DID) standard too.

Join the discussion

It is important to get involved, learn about the possibilities and the technology. It’s an open source community and it’s free to join. See you there soon.


Micha Roon

Chief Innovation Officer at Energy Web researching solutions to build the decentralised infrastructure to decarbonise the grid