Rich Freeman on 12 Jun 2017 06:12:47 -0700
Re: [PLUG] Password manager OneLogin hacked
On Mon, Jun 12, 2017 at 8:54 AM, Matt Murphy <mattyhead@gmail.com> wrote:
> Well, I'm glad, following review of said discussion, that I went with
> Keepass.
>

I feel like I'm talking to myself, but Keepass doesn't do what OneLogin does. Keepass is a password manager. I get that there are pros and cons to cloud-based password managers and my intent isn't to rehash that debate.

My point is that OneLogin is an IAM provider. This is more like personal data being stolen from Gmail or Facebook, which are also IAM providers (though that isn't their main purpose). This isn't about stealing your emails or social media posts, but information like your name, phone number, and so on - identifying information. It sounds like OneLogin has the ability to store notes which some people use as a password manager, but that isn't really their main product.

IAM providers provide identity management. If you have some website where people can register for accounts (like a forum), with a bit of code you can let people log in using Google, Facebook, OpenID, and so on. This lets users bypass the login page if their browser has already authenticated with the IAM provider, and it saves your website the trouble of trying to figure out if the person registering is a real person, using their real name, using a valid email, and so on.

Now, sure, Gmail and Facebook don't provide much actual service around identity management, and OpenID is just a protocol, so that provides nothing since anybody can create such an ID. They do provide the seamless login functionality. Commercial IAM providers are more geared towards businesses and usually do provide real identity management. If you're doing serious work there is value in letting somebody else verify government IDs and deal with password resets, and if you're the person getting the account you get some benefit in that you can use the same credentials to log into any client website that uses the same IAM provider.

IAM providers can also form trust networks. For example, if some other large corporation uses the same IAM provider that my employer uses, then I can potentially just go visit an external website hosted by that partner corporation and get in without seeing a login screen.

I think people are so focused on "Lastpass is evil" or whatever that they're missing that this is a different type of service, with different types of risks. The data compromise certainly isn't harmless. The personal info of anybody whose identity is being vouched for is potentially compromised. It wasn't clear whether any credentials were actually stolen.

However, keep in mind that the trust model is a bit different with IAM. With IAM the user signs in with the IAM provider, and then the IAM provider has separate credentials with the services being accessed. Those services could, if necessary, invalidate the one IAM credential and lock out anybody using that IAM provider or data stolen from them. It isn't like a password manager, where you have no idea which of your users were using that password manager. However, the IAM provider could also just disable all the compromised accounts and re-issue credentials in a secure way, and that would prevent any exploit of downstream services, because the stolen credentials can only be used with the IAM provider itself.

--
Rich

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
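The trust structure described in the message above (the user authenticates only to the IAM provider, the provider holds separate credentials with each downstream service, a service can cut off the provider on its own side, and the provider can re-issue user credentials without touching the services) can be modelled in a few dozen lines. The following is an added illustration, not code from the email, from OneLogin or from any real IAM product; the class names, the HMAC-signed assertion format and the sample users and service ids are all constructed for the example.

```python
"""Toy model of federated login through an identity provider (IdP).

Constructed illustration, not any real product's protocol. The user
authenticates only to the IdP; the IdP shares a distinct secret with each
downstream service (SP) and hands the user a short-lived assertion signed
under that service's secret. A service can revoke its trust in the IdP's
credential unilaterally, and the IdP can rotate a user's password without
any change on the services' side.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    def __init__(self):
        self._users = {}       # username -> (salt, PBKDF2 hash); only the IdP sees passwords
        self._sp_secrets = {}  # service id -> the IdP's separate credential with that service

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def authenticate(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._hash(password, salt))

    def rotate_user_password(self, username: str, new_password: str) -> None:
        # After a compromise the IdP re-issues the user credential; services are untouched.
        self.register_user(username, new_password)

    def enroll_service(self, sp_id: str) -> bytes:
        secret = secrets.token_bytes(32)
        self._sp_secrets[sp_id] = secret
        return secret

    def issue_assertion(self, username, password, sp_id, ttl=300, now=None):
        """Return a signed assertion for sp_id, or None if login fails."""
        if not self.authenticate(username, password) or sp_id not in self._sp_secrets:
            return None
        now = time.time() if now is None else now
        claims = {"sub": username, "aud": sp_id, "iat": now, "exp": now + ttl}
        payload = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self._sp_secrets[sp_id], payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(sig)


class ServiceProvider:
    def __init__(self, sp_id: str, idp_secret: bytes):
        self.sp_id = sp_id
        self._idp_secret = idp_secret

    def revoke_idp_trust(self) -> None:
        # Invalidating the one IdP credential locks out everyone arriving via that IdP.
        self._idp_secret = None

    def accept(self, assertion: str, now=None):
        """Return the asserted username if the assertion is valid for us, else None."""
        if self._idp_secret is None:
            return None
        try:
            p64, s64 = assertion.split(".")
            payload, sig = _unb64(p64), _unb64(s64)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self._idp_secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(payload)
        now = time.time() if now is None else now
        if claims.get("aud") != self.sp_id or not claims["iat"] <= now < claims["exp"]:
            return None
        return claims["sub"]


if __name__ == "__main__":
    idp = IdentityProvider()
    idp.register_user("alice", "correct horse")   # constructed sample user
    forum = ServiceProvider("forum.example", idp.enroll_service("forum.example"))
    token = idp.issue_assertion("alice", "correct horse", "forum.example")
    print("forum accepts:", forum.accept(token))
    forum.revoke_idp_trust()
    print("after revocation:", forum.accept(token))
```

The two failure paths worth noticing are the ones the message distinguishes: a stolen user password is only useful at the IdP, so `rotate_user_password` on the IdP side makes it worthless everywhere, while `revoke_idp_trust` on a single service side makes every assertion from that IdP useless at that service, regardless of which users were affected.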