Authentication and Authorization Are Broken

DZone 's Guide to

Authentication and Authorization Are Broken

Authentication and authorization are broken. Check out this article to learn more about how Facebook and Google are getting AuthN and AuthZ wrong.

· Security Zone ·
Free Resource

AuthN/AuthZ is broken on the Internet. Over the past few years, both Google and Facebook have made remarkable strides in becoming de-facto authentication and authorization hubs for the Internet. Google wants everyone to have a Google account for authorization, so they can collect all your info and use it to target advertising. Facebook wants everyone to have a Facebook account because they want all your data to sell to others. Personally, I don't want to be forced into either position, but Google seems to be the most palatable. Though honestly, everyone already has Facebook accounts, even if they haven't ever logged in (search for "Facebook shadow profiles" to see what I mean; there are too many references to list here).

So fine, I mean, it's not like anybody's willing to pay for this kind of AuthN/AuthZ service. Though, I already pay for extra Google storage. I'd pay an extra buck or two a month if they didn't suck up all my data,. But, I think I'm in the minority.

As annoying as this is, it isn't the worst part. The worst part is that it doesn't work anymore.

I was teaching a course a few days ago, and I stored a video from one of my students on Google Drive. I expected to be able to log into Google Drive and download the video to the shared computer — which is what I tried to do. I navigated to Google Drive using an incognito browser instance and logged in. I did use the correct credentials. Well, Google wouldn't log me in — it wanted to send me a PIN to my phone. No problem! This is a cybersecurity course, anyway, so hey! Look at the Prof using two-factor auth! So, I texted a PIN and entered it into the browser.

My account was then frozen for the next four hours.

Apparently, Google decided that even though I used the correct credential AND received the PIN on my cell phone, it still wasn't me. I understand that phone numbers can be cloned; email addresses can be spoofed; passwords can be stolen. But, all of these? That's not likely. And, if you have aspirations to be the world's AuthN/AuthZ hub, you can't wait four hours to get in touch with me. You need to do it immediately.

Google (and Facebook) need to do better than this. Let's be honest — Facebook is already on very shaky ground with their lackadaisical data sales and security token management. But, if you want to take on this kind of role, you have to have good security practices and take care of your customers, too.

authentication, authorization

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}