One identifier, no matter how easy to use, isn’t enough
I had two reactions when I heard about Digits, Twitter’s new identity service. The first was along the lines of “Oh cool! That makes sense!” After all, everyone has a phone number — well, almost everyone — and SMS has become the de-facto simple second channel for multi-factor authentication. Quick and easy to use, Digits makes the promise of destroying the barrier of having to come up with yet another long and complicated password.
My second reaction quickly followed. It was “Oh crap. It’s just a single-factor scheme, isn’t it?” While its mechanism is probably somewhat more secure than most people’s passwords, Digits could be compromised by getting access to the SMS systems of a user’s cell phone provider. Not exactly trivial, but for a determined and capable attacker — or a three letter government agency — definitely not out of the question.
That thought was quickly underlined by a tweet from John Adams:
In a follow-on conversation talking about Digits, John said:
The major problem with digits is that it assumes the carrier is trustable.
Whether or not this assumption is troubling to you probably depends on what kind of data you’re accessing using the identity. If you’re securing your kitchen recipes, maybe it’s not such a big deal. For other uses, it just might be a really big deal.
Another thing that John notes is that this is a major change to how Twitter has treated identity in the past. Digits allows the attachment of a Twitter identity via a single form of authentication over a weaker channel. As he writes on his blog:
This change of heart is in strong contrast to prior efforts at Twitter to shift to a strong security model reliant on custom, public-key authentication and only using SMS codes as a fall back for login (when permitted with a previously known password, passed over SSL/TLS.)
Still, the promise of Digits has merit, doesn’t it? If it helps to push the state of the art forward, wouldn’t that be something?
I found myself looking forward to seeing what other people in the identity community thought about it. Dick Hardt and Tim Bray, in particular, who have been in the trenches of the problem for quite some time, are two voices I wanted to hear from. Thankfully, it didn’t take long for Dick to post his thoughts about Digits here on Medium. He gets right to the heart of why something like this is desperately needed:
The identity problem Twitter is addressing is how the app developer knows it is the same user across multiple instances and invocations of their app. Having the user choose and remember a password associated with an email address is a barrier to adoption.
Yes, exactly! This barrier is something that I’ve been spending a lot of time thinking about at my day job. Anything to bring down that barrier—at least reduce its height—would be a welcome advancement. And, given typical password habits, using a Digits identity is probably somewhat better authentication than using an email address with a password like “orange” or even an obfuscated one like “p455w0rd”. At least you take a lot of script kiddies using rainbow tables out of the potential set of attackers.
From an application developer’s point of view, it’s mighty tempting to grab onto a solution that at least eliminates the worst problems.
The core premise of Digits, at least as I first understood it, is that it exchanges something you know—a password which can be complicated and secure, but usually isn’t—with something you have in the form of your mobile phone. Is this a good exchange to make? It’s certainly an improvement if you or your users have a habit of using crappy passwords.
There’s another thing to consider. Identity schemes which rely on an email address and password and which allow resetting the password by email aren’t actually as strong as the best password you can come up with. They’re actually only as strong as your control over your email address, as Dick notes in a comment above.
So, maybe it’s better to say that Digits actually proposes to replace proof of control of an email address with proof of control over a mobile phone number.
As an aside, I think the easiest misconception to make about Digits is that its use of random digits over SMS means that it’s as secure as when you add random digits over SMS as a second factor to your Google account.
Don’t let the digits fool you. Yes, seeing 284932 provides an immediate association with the multi-factor authentication you’re probably used to. The concept of MFA, however, is that you need to have more than one form of evidence of identity. To put it simply, any single form of identity — whether that be a username and password or a Digits account—is not as reliable a signal as multiple forms of identity. By increasing the number of forms of identity you look at, even simple ones, you get a better signal.
Even better is when those multiple forms of identity have different attributes, summed up by the “something you know and something you have” principle present in many MFA discussions.
Ok, so whether or not Digits is great is a question yet to be answered. However, it should be clear that while it aims to replace email as an identity, it’s not going to be as secure as we need accounts to be these days for any non-trivial uses. To do this right, we still need MFA.
Do we win if we combine Digits with proven ownership of an email account, accomplished by sending a link or other token? Maybe. Maybe not. If you have access to someone’s phone, then you probably have access to both their SMS messages and emails. On the other hand, an attacker compromising transmission channels would have to compromise both. So at least there’s that.
Probably the best MFA solution to use with Digits will still be one-time password generators like Authy or Google Authenticator. But neither of these give you the better security of something you have and something you know. To do that, you need a PIN or password—one which can’t be reset by email.
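To make the “something you have plus something you know” point concrete, here is an added example (not code from the article, Twitter or Digits) of what an app would actually check when it pairs a one-time password generator such as Google Authenticator with a PIN. The generator side is the standard HOTP/TOTP construction from RFC 4226 and RFC 6238, which is what those apps implement; the `Account`, `enroll` and `verify_login` names and the PIN hashing parameters are my own assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (30 s steps)."""
    return hotp(secret, int(at_time) // step, digits)


@dataclass
class Account:
    pin_salt: bytes
    pin_hash: bytes
    totp_secret: bytes
    last_counter: int = -1   # highest time step already accepted; blocks code replay


PBKDF2_ROUNDS = 200_000  # assumed work factor for the PIN hash


def enroll(pin: str, totp_secret: Optional[bytes] = None) -> Account:
    """Enroll a PIN (something you know) and a TOTP seed (something you have).

    The PIN is stored only as a salted PBKDF2 hash, so a database leak does not
    reveal it; the seed is what the authenticator app is provisioned with.
    """
    salt = secrets.token_bytes(16)
    pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    return Account(salt, pin_hash, totp_secret or secrets.token_bytes(20))


def verify_login(acct: Account, pin: str, code: str, now: int,
                 step: int = 30, window: int = 1) -> bool:
    """Accept the login only if BOTH factors verify.

    - PIN and code comparisons are constant-time (hmac.compare_digest).
    - A small window of adjacent time steps tolerates clock drift.
    - A time step that was already accepted is never accepted again, so a
      code captured in transit cannot be replayed within its validity window.
    - Both factors are always evaluated so a bad PIN does not short-circuit
      and leak which factor failed through timing.
    """
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), acct.pin_salt, PBKDF2_ROUNDS)
    pin_ok = hmac.compare_digest(candidate, acct.pin_hash)

    counter = int(now) // step
    code_ok, matched = False, -1
    for c in range(counter - window, counter + window + 1):
        if c <= acct.last_counter:
            continue  # already used (or older than one already used): reject replay
        if hmac.compare_digest(hotp(acct.totp_secret, c), code):
            code_ok, matched = True, c

    if pin_ok and code_ok:
        acct.last_counter = matched
        return True
    return False


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 reference seed.
    seed = b"12345678901234567890"
    acct = enroll("4242", seed)
    now = 1234567890
    print("current code:", totp(seed, now))
    print("login ok:", verify_login(acct, "4242", totp(seed, now), now))
    print("replay ok:", verify_login(acct, "4242", totp(seed, now), now))
```

Note what this does and does not buy you relative to the article’s argument: the PIN check never involves email or SMS, so it cannot be reset by whoever controls those channels, and the TOTP seed never travels over the carrier network after enrollment. An attacker holding the phone still has the generator, which is exactly why the PIN has to be a separate secret rather than something recoverable from the same device.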
There’s one more question to ask: Will Twitter replace their current password scheme with Digits as their core authentication method?
I’m really curious. My bet would be no.
If that is indeed the case, why didn’t Twitter just market Digits as an awesomely easy way for you to enable MFA in your own applications that leverages their infrastructure and identity system? That would have been pretty great in my book.
My own bottom line: Digits just might be a nice addition to the identity ecosystem. We’ll have to see. I may indeed take advantage of it as a second factor. It shouldn’t, however, be used as a solution in and of itself unless the data protected is trivial. No single system should be.
Updated many, many times after initial publication based on feedback and discussions. In particular, the feedback from both John and Dick — many thanks for your time and comments! — has been great in the evolution of this article. Any errors or opinions that remain contrary to their thoughts are my own.