OneID compared to Facebook, OpenID 2.0, SAML2
Here is a table summarizing the differences between the
traditional approach to identity and OneID’s approach:

| Feature | Traditional IdP | OneID |
| --- | --- | --- |
| Trustable | No. There is basically not a single trustable third-party consumer IdP. That is why each site is its own identity provider. | Yes. No mass breach is possible, since the secrets are on individual user devices. Passwords from other sites are insufficient to crack a OneID account because it is device-centric. OneID will be announcing a large number of well-known brand names that need a trusted identity provider and will be relying on OneID identities as the only third-party identity provider. |
| Offers high-assurance options | Most do not. Some offer a few options, but they are so hard to use that few people use them. | All OneID providers support the full range of high-assurance, yet easy-to-use, authentication and authorization methods. Users can bring their own devices. |
| End-to-end security | No | Yes |
| Account lockout | Yes | No. We only disable those devices that are compromised, and we also give you the ability to re-enable them yourself. |
| Pre-authorize device before first use | No | Required. This is fundamental if you want to create a secure identity. It takes a few extra seconds, but it is the key to creating a secure identity system. |
| Personal information is stored in the cloud and can be decrypted by the identity provider | Yes. The decryption keys are all held at the IdP, so it can view all your personal information at any time. | No. There is no way anyone can read your information, because the decryption keys are kept on your devices. |
| Privacy | There is no privacy. The IdP knows all your attributes, and if you use this IdP for OpenID Connect, it knows where you’ve been as well. | OneID knows nothing: not where you’ve been, not any of your attributes. This is guaranteed in the design. All your attributes are decrypted on your device(s) using crypto secrets that exist only on your devices. |
| Controls | The user has virtually no controls over his identity. He basically just has a username and password. He can change his password. That’s about it. | The user has an enormous amount of control over his identity at the device level, website level, and per-transaction level. |
| Password standards | Varies. | None. You choose the password you want. Users love this. You can have a blank password and nobody will be able to break into your account without access to your devices. |
| Impact of password breaches | If any site where you used a password that you also use at other sites is broken into, all those other sites are at risk. | If someone learns your OneID password, they cannot log in as you because they don’t have a pre-authorized device. Password breaches are a non-event because OneID never uses passwords to log into any OneID-supported site. |
| Shared secrets | The fundamental way you log in, even though shared secrets are extremely insecure. | Eliminated. OneID replaces shared secrets with NSA-approved asymmetric crypto. |
| Device types | One. | Two: access and control. This provides much better security at minimal inconvenience. |
| 2-factor login | Rarely supported or used. | Fundamental to our security and easy to use, but it is only invoked when requested by the user or the RP. |
| 2-factor out-of-band login | Not available. | Available on every account. |
| Secrets needed to compromise an identity | One. | Six. |
| Phish immunity | None. If you are fooled into typing your password into the wrong place, kiss your identity goodbye. | Phishing won’t work even if the attacker learns your password and PIN, because the attacker must also have one of your devices, and phishing never provides that. |
| Physical theft of devices | In most cases, your browser remembered your passwords. Kiss your identity goodbye. | Your browser doesn’t cache your password because it is entered in a JavaScript pop-up. All high-value assets are protected by two-factor authorization. |
| Malware on a device | Kiss your identity goodbye. | All high-value assets are protected by two-factor authorization. |
| Identity assertion | Asserted by your IdP. This means that the IdP can very easily use your identity without your permission (bug, malicious use, or attacker). | Your identity is asserted by your devices. Your IdP cannot assert your identity without your express consent. |
| Security | Neither RP nor user can set the level of assurance. | RP and user can set the level of assurance on device login, site login, and transactions. The RP can set the LoA on a per-transaction basis. |
| Mass breaches | Happen regularly. Very damaging, because your shared secrets are exposed and you have to change your password everywhere. | A non-event. A mass breach at an RP site reveals public keys, which are useless to an attacker. A mass breach at a OneID repository reveals fully encrypted data. |
| Database is crackable | Yes. If the databases at any identity provider are breached, all the information is crackable, including databases at LastPass, etc. | No. The databases at the RP and OneID aren’t crackable, because high-entropy decryption secrets are stored on the user’s devices, out of reach of the attacker. No brute-force attack will work. |
| Decryption keys | Held at the IdP. Based on your low-entropy password as the key (shared secret). | Encryption is based on secrets with 256 bits of entropy held on the user’s device. Asymmetric crypto with no shared secrets. |

How does OneID differ from Facebook Connect?
They are similar, but there are many key differences:
1. OneID was architected from scratch to solve the key problems with digital identity. Facebook Connect was an afterthought to a social network, added to make it easier for sites to leverage a user’s Facebook account.
2. OneID’s primary mission is to provide secure digital identities. Facebook’s primary mission is to be a social network.
3. OneID is open: anyone can be a OneID identity provider. Facebook is closed: the only company that can assert a Facebook Connect identity is Facebook.
4. OneID protocols are end-to-end secure. Facebook’s are not.
5. OneID was architected from scratch to be user-centric (so only the user can assert his identity, not a central server), to preserve privacy (OneID knows nothing about users beyond their email address), and to provide security. Facebook Connect is an add-on to a conventional identity provider and has none of these attributes.
6. OneID provides users many more functions and more control over their identity, and keeps it secure.
7. OneID can do end-to-end secure payments where the payment card information is never given to the merchant. A second benefit is that only the card issuer and the user know that a purchase was made by the user: the OneID payment gateway knows only that a transaction happened, but not who made it, preserving privacy.
8. OneID can only be used if the device is pre-authorized, because the crypto secrets are kept on the user’s devices. Facebook can be used from any device because the authentication is done between the user and Facebook. This is susceptible to mass breaches and to situations where a user’s identity can be asserted without the user’s consent.
9. You can switch your OneID provider at any time. If you decide to close your Facebook account, you will have to figure out how to log into each of the accounts you used your Facebook account with.
10. Facebook is pretty insecure. 600,000 Facebook identities per day are compromised.
Can’t I get the same benefits using Google or Facebook as my identity provider?
Here are some differences:
1. OneID is a pure identity provider. Google and Facebook are doing identity as a feature. Identity should be independent from email, social networking, etc. The primary reason people are using Facebook and Google as identity providers is the lack of a viable alternative, not because they are desirable identity providers.
2. OneID provides strong identities that cannot be breached by any common attack (phishing, malware, physical theft). Google and Facebook identities are easily breached by these attacks and by centralized attacks on other IdPs where the same password is used. 600,000 Facebook identities per day are breached, for example.
3. OneID provides a stable-for-life universal identifier (like a social security number) that certifications can be tied to. Facebook doesn’t have an identifier (that anyone would know), and Google uses an email address as an identifier, which forces people to have an email account for life and means that every time you give out your identity, you are allowing people to spam you.
4. You are never locked out of your OneID account, but you can be locked out of a device if it is lost or stolen. By contrast, you can be locked out of your Google or Facebook accounts.
5. OneID uses asymmetric crypto for identity assertions and digital claims. These are all signed by the user. Google, Facebook, etc. don’t use asymmetric crypto at all for anything.
6. OneID identity assertions are end-to-end secure and provide several levels of assurance. Google and Facebook assertions are IdP-centric and susceptible to mass breaches.
7. Google and Facebook provide a single level of assurance in almost all cases (for all practical purposes). With OneID, both the RP and the user can set the minimum LoA on a per-transaction basis to a level appropriate for that transaction.
8. OneID provides better usability, as well as much better security, privacy, and controls.
9. OneID preserves privacy: it knows nothing about the user beyond their email address.
10. OneID allows user choice. If you want to switch where your identity is stored, you can do that without impacting any other part of the system. With Google and Facebook, you are locked in to a single vendor.
11. Google and Facebook rely on password security. Would you feel comfortable sharing your username and password with a stranger? With OneID, you can share your username, password, and PIN with an attacker and still not be concerned that your identity can be breached.
OneID vs. OpenID 2.0 and OpenID Connect
OneID is a network of identity providers, all of whom support the same functionality and protocols for authentication, authorization, information sharing, and digital claims. There is a specific way to integrate with a website that is supported by all OneID identity providers. End-to-end secure login and transactions are fully specified.
By contrast, OpenID Connect is only a protocol that allows websites to accept identity assertions from certain identity providers who support the OpenID protocols. Each IdP in OpenID has completely different functionality. The UX for accomplishing login in a way that is not confusing to users is still under development.
If all you need is a low-assurance login, then OpenID Connect is an option. OneID is looking at supporting OpenID 2.0 (see OneID interoperability).
But if you need anything more than pure low-assurance login, then OneID is a better choice. OneID provides high-assurance transactions, secure information sharing without privacy issues, and secure transactions.

| | OpenID Connect | OneID |
| --- | --- | --- |
| Protocol specification for login | Yes | Yes |
| Provides identity services | No. OpenID is not an IdP. OpenID is just a protocol allowing legacy IdPs to be used at websites. | Yes. OneID is an identity provider itself. OneID licenses code so other companies can be OneID identity providers. |
| High-assurance login | Up to each IdP to support, in different ways. Few do. There are no OpenID IdPs that support 2-factor out-of-band. Each website has to decide which IdPs to accept. | Fully supported by all OneID IdPs in the same way. All support two-factor out-of-band authentication and authorization. |
| End-to-end security | Completely unspecified. Because this isn’t specified, the RP has to trust the representation of the IdP. | Fully specified protocol for login and transactions. The RP gets a crypto assertion directly from the user’s device; the IdP can’t change anything. |
| Potential for massive identity breaches | Identities at every OpenID provider have been compromised. Every OpenID provider relies on shared secrets, so there will continue to be mass breaches. | Uses a new pre-authorized device model where secrets are put on each device, so mass breaches cannot happen: the attacker lacks the crypto secrets needed to do anything. |
| Authorization | No specified way to do authorizations. You can use OpenID Connect or OAuth2; there is no one way. There is no specification for doing a secure transaction. | One well-specified way to do authorizations and secure transactions. |
| Privacy | Every participating IdP has all your personal details (name, age, social security number, address, email, etc.), including what websites you visit. The RP will know who your identity provider is. | Every participating IdP has none of your personal details, since they are encrypted using encryption keys on your device. OneID cannot know what websites you’ve been on because OneID is user-centric: the user’s device is the only device talking to OneID, not the RP. That also means the RP can’t know your identity provider, only that it is a OneID provider (because it is using the OneID protocol). You cannot be tracked, since each website is given a different set of public keys (opaque identifiers). |
| Security | Varies with the IdP, but generally very low. | Better security than the best OpenID provider. And the RP can rely on, and leverage, the security of OneID, e.g., the RP can specify the minimum LoA on any transaction. |
| Ease of use | We don’t know, because it isn’t in broad use anywhere. | Very easy to use. Release in October. |
| NSTIC compliant | None of the IdPs comply with the basic NSTIC requirements. | All OneID IdPs have the same architecture, so all comply with the NSTIC requirements. |
| RP interface | Each RP must decide which IdPs to support, so a user is forced to have multiple IdPs if he uses multiple websites. | All websites supporting OneID support all OneID IdPs. A user need only have a single OneID IdP, and it can be used on any website supporting OneID. |
| User experience | Still confusing, but getting better with the Account Chooser. This is a very difficult problem to solve, since OpenID has to work with every IdP and each IdP is so different. Some people think this problem is unsolvable. There are many unsolved problems; for example, on a new computer all of your IdPs are gone, making it very difficult to log into sites. The user has to deal with maintaining identity at multiple identity providers. | Uniform user experience. It is much easier to design a UX when every IdP works the same. Users have only one IdP to manage their identity. |
| Standards for each IdP, e.g. support of attributes, two-factor, etc. | No. Just the API to do basic authentication. | Yes. All functionality for identity, authN/Z, info sharing, digital claims, and secure transactions is specified and uniformly supported. |
| Login | Upon login to a site, the user must pick which IdP to use. | No confusion. There is just a single OneID login button; no having to choose a provider. Once the device is logged in, you can go to any website and log in with just a click. |
| Secure credit card transactions | Unspecified. Not supported anywhere. | Fully specified and universally supported. |

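
As an added illustration of the device-held-key model both tables describe (the RP enrols only a public key, every site gets a distinct key so public keys are unlinkable, and a login is a signature made on the device over the RP's challenge), here is a small Go sketch. It is not OneID's protocol or code: the HMAC-based per-site key derivation, the message layout, and the origins are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// deriveRPKey derives a per-site Ed25519 key pair from the device's master
// secret and the relying party's origin (hypothetical scheme, not OneID's).
// A different origin yields an unrelated public key, so RPs cannot link users.
func deriveRPKey(master []byte, rpOrigin string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("rp-key/" + rpOrigin))
	seed := mac.Sum(nil) // 32 bytes: exactly the Ed25519 seed length
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// assertionMessage binds the RP's challenge to its origin, so a signature
// captured at one site cannot be replayed at another.
func assertionMessage(rpOrigin string, challenge []byte) []byte {
	return []byte("login:" + rpOrigin + ":" + hex.EncodeToString(challenge))
}

// signAssertion runs on the user's device, the only place the private key exists.
func signAssertion(priv ed25519.PrivateKey, rpOrigin string, challenge []byte) []byte {
	return ed25519.Sign(priv, assertionMessage(rpOrigin, challenge))
}

// verifyAssertion runs at the RP, which stores only the enrolled public key;
// a breach of that database yields nothing that can forge a login.
func verifyAssertion(pub ed25519.PublicKey, rpOrigin string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, assertionMessage(rpOrigin, challenge), sig)
}

func main() {
	master := make([]byte, 32) // constructed device secret; a real one lives in secure storage
	rand.Read(master)
	pubA, privA := deriveRPKey(master, "shop.example")
	pubB, _ := deriveRPKey(master, "bank.example")
	challenge := make([]byte, 16) // constructed RP challenge (nonce)
	rand.Read(challenge)
	sig := signAssertion(privA, "shop.example", challenge)
	fmt.Println("distinct keys per RP:", !pubA.Equal(pubB))
	fmt.Println("RP accepts own-origin assertion:", verifyAssertion(pubA, "shop.example", challenge, sig))
	fmt.Println("replay at another RP:", verifyAssertion(pubB, "bank.example", challenge, sig))
}
```

The same master secret always reproduces the same per-site key, which is what lets a device re-authenticate without the RP ever holding anything but a public key.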
OneID vs. SAML2
SAML is a protocol for communication between an Identity Provider and an RP. It leaves a lot of configuration for the user to decide and manually enter on each RP. OneID makes this all very easy: no configuration, instant provisioning and federation. See OneID interoperability for a description of our virtual SAML2 server.
See also
Requirements for a trustable cloud identity provider.
For more information see:
OneID documentation guide