The Credentialed Account Provisioning Anti-Pattern

I wanted to write about this for a long time. A wait in the doctor’s office has its uses …

Here is an example scenario from the real world:

Like many schools these days, my son’s school has a website where teachers enter current assignments and grades, and students and parents like me can check on student progress. Of course, access to any one student’s information must be limited to those people who are allowed to see it, such as his teachers, the student himself and his parents. To solve this problem, at the beginning of the school year the school provisions an account for each new student, and an account for his parents, and assigns a username and a password to each of them. Then, the school prints out a sheet with the account names and passwords and hands it to the student, who is supposed to not show it to anybody and give it to his parents.

Yeah, right. If your kid is anywhere like mine, both of these “supposed to” are major hypotheses with wholly uncertain outcome.

Even if the sheet eventually reaches me, I now need to remember a new username that I don’t relate to (some funny number, the school can’t know what I usually call myself on-line) and yet another password.

Unfortunately, this anti-pattern of provisioning an account with a credential and then distributing account identifier and credential to the supposed user is very widespread. Just think of banks: “Here is your new account number and you’ll receive the PIN in the mail”. While the postal service is undoubtedly more reliable in delivering the credential to me than a middle schooler is, having the (necessarily unencrypted) credential traverse via an essentially unsecured (and unreliable) channel is the same, avoidable problem.

The solution? It’s an underappreciated feature of OpenID that allows us to turn this situation around:

Let’s say I have an OpenID; most people do these days, whether they know it or not. When my kid registers for school, I not only hand over information about my name and address and emergency contact information as I do anyway, but also my OpenID. There is nothing secret about that OpenID, so there is no problem. The school provisions the account, adding my OpenID to the Access Control List. That’s all. No new username, no new password.

Using OpenID, I can now securely access the account, nobody else can, my kid does not need to deliver any confidential information, and I don’t need to remember any more usernames and passwords. And the school does not need to print sheets, reset passwords and help all those parents who, mysteriously, never received the sheet with the usernames and passwords because it was thrown out with the lunch wrapping paper or grabbed by some other kid when mine wasn’t looking.
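The two steps described above, provisioning an account by adding a public identifier to an access control list and later checking the identifier the provider vouches for against that list, as an added example that is not part of the original post. It assumes the school's site has already completed an OpenID authentication and trusts the claimed identifier it got back; it also generalizes slightly beyond the text by allowing several identifiers per account and letting one be revoked. The class and function names, the student ids and the identifier strings are constructed for the example, and the normalization routine is a simplified rendering of the OpenID 2.0 URL-identifier rules (XRIs are not handled):

```python
"""Added example (not from the original post): a gradebook ACL keyed by
OpenID identifiers instead of provisioned passwords.

Assumptions (not stated on the page): the relying party has already
completed an OpenID authentication and trusts the claimed identifier the
provider returned; all names and identifiers below are constructed.
"""
import secrets
from typing import Dict, Set, Tuple
from urllib.parse import urlsplit, urlunsplit


def normalize_openid(identifier: str) -> str:
    """Simplified URL-identifier normalization modelled on the OpenID 2.0
    rules: add "http://" when no scheme is given, lower-case scheme and host,
    drop default ports and the fragment, and use "/" for an empty path.
    Two spellings of the same identifier must compare equal in the ACL.
    """
    ident = identifier.strip()
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)
    scheme = parts.scheme.lower()
    host = parts.netloc.lower()
    if scheme == "http" and host.endswith(":80"):
        host = host[:-3]
    elif scheme == "https" and host.endswith(":443"):
        host = host[:-4]
    path = parts.path or "/"
    return urlunsplit((scheme, host, path, parts.query, ""))


def provision_with_credential(student_id: str) -> Tuple[str, str]:
    """The anti-pattern, for contrast: a fresh secret is generated here and
    must then travel (on paper, by post) to the person who is to use it."""
    username = "p" + student_id.lower().replace("-", "")
    password = secrets.token_urlsafe(12)
    return username, password  # this tuple is the sheet handed to the kid


class GradebookACL:
    """Per-student ACL: student id -> set of normalized OpenID identifiers.
    Nothing stored here is secret, so nothing has to be delivered securely."""

    def __init__(self) -> None:
        self._acl: Dict[str, Set[str]] = {}

    def provision(self, student_id: str, openid: str) -> None:
        """Provisioning step: record the parent's public identifier exactly
        as it was written on the registration form."""
        self._acl.setdefault(student_id, set()).add(normalize_openid(openid))

    def revoke(self, student_id: str, openid: str) -> bool:
        """Remove an identifier; returns True if it was actually listed."""
        entry = self._acl.get(student_id, set())
        norm = normalize_openid(openid)
        if norm in entry:
            entry.discard(norm)
            return True
        return False

    def may_view(self, student_id: str, asserted_openid: str) -> bool:
        """Authorization step: asserted_openid is the identifier the OpenID
        provider vouched for at login. Only listed identifiers get access."""
        return normalize_openid(asserted_openid) in self._acl.get(student_id, set())


if __name__ == "__main__":
    acl = GradebookACL()
    acl.provision("S-1001", "Example.com")            # as written on the form
    print(acl.may_view("S-1001", "http://example.com/"))   # True
    print(acl.may_view("S-1001", "http://other.example.net/"))  # False
    print(provision_with_credential("S-1001"))        # the sheet of paper
```

The normalization step matters in practice: the parent writes "Example.com" on the form, while the provider asserts "http://example.com/", and without canonicalizing both sides the legitimate parent is locked out. The `provision_with_credential` function is only there to make the contrast visible: its return value is the secret that has to be carried home, whereas the ACL holds nothing a middle schooler could leak.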

Same thing for the bank. Which is more secure: letting me access my banking account with my, say, Yahoo OpenID, or sending me my password in the mail? Thought so …

Time to get rid of the credentialed account provisioning anti-pattern.



7 responses to “The Credentialed Account Provisioning Anti-Pattern”

  1. Aswath Rao

    Not directly related to the identified issue, it would be nice if schools issue (expiring) OpenIDs to their current students that can be used to exclude non-students from age appropriate web sites. We should remember that SSO is not the only use of OpenID. The other more important use is outsourcing authentication to a more reliable agency.

  2. hectorscout.myopenid.com/

    @Johannes: Once you throw URL in there you’ve lost a bunch of people. I think it’s a little too easy for those of us who spend most of our time around others who are familiar and comfortable with technology to overestimate the technology level of the general public. That said, I fully agree that we should head in that direction but it’ll definitely be a process and not an event and for a while you’ll probably be stuck using both methods.

  3. connectid.blogspot.com/

    As long as the channel by which you initially present your OpenID to the school/bank is secure. Otherwise the school could assign privileges to an attacker’s OpenID.

  4. Johannes Ernst

    @hectorscout: Ok, but what if the form said “Enter your MySpace or Facebook or Google profile URL here, or the URL of your blog”? They are all OpenIDs these days, so that would work wouldn’t it? As a side effect, come to think of it, it would make it really easy for a school, say, to create a Facebook group of all their parents.

  5. hectorscout.myopenid.com/

    I love the idea (and am currently working on implementing openID in just such an educational system). However, the main problem as I see it is the “or not” in “whether they know it or not.” There will still be those parents who really don’t have an openID or they do but are unaware enough that it will be impossible to elicit the information from them. You’ll still end up sending out plenty of letters with usernames and passwords, maybe you should send them through the mail though :)

    Since one of our main reasons for wanting openID is to provide single sign-in with other education products (most districts have a few) our solution may be that the usernames and passwords we supply are openIDs. You can also associate multiple openIDs with your account and use which ever you wish (or remove the provided openID if you think it’s been compromised somewhere along its journey to you).

    Overall, technology is great but you have to work really hard to get the general public or education systems to use it properly.

  6. Johannes Ernst

    Dave: it doesn’t involve an (electronic) form or buttons. It is one more line on the sheet of paper (well, many sheets of papers) that I have to fill out when registering my kid at the school (or opening up an account). Just like they all now ask for my e-mail address.

  7. dkearns.signon.com/

    And just how big a NASCAR registration form would this take? While it’s possibly true that “most people” have an OpenID (or 10) “whether they know it or not,” how do you design the form that elicits the proper information?