Mozilla IAM and Low Integrity Authentication

r_Up2mI1KfXvmSMPkEfhC6eg · September 11, 2018, 10:04pm

In recent sprint review posts, you might have come across the term Low Integrity Authentication, a new capability of Mozilla IAM.

Identity on the Web

Identity theft on the Web is today’s reality. Building an access management system for Mozilla’s communication, collaboration and contribution systems, we aim to make it:

As a consequence, we rely on two-factor authentication (2FA) to secure identities for our sites and applications.

Large Audience Sites Don’t Rely On Your Identity

There are Large Audience (Contribution) Sites such as SUMO, MDN web docs, L10N, and Common Voice. These sites do not rely on a contributor’s identity. Instead there are programmatic contribution validation measures in place.

Programmatic Contribution Validation

The image below shows some examples of programmatic contribution validation measures. These include, but are not limited to, crowdsourcing, trusted reviewers, hierarchies of trust.

Allow for Friction-less Contribution Experience

Today, none of the Large Audience Sites sites is using Mozilla IAM, mainly because two-factor authentication would negatively impact their contribution funnel.

Moving forward, we enable the adoption of Mozilla IAM by allowing people to authenticate with identity providers that are not necessarily their most secure. For example, you might want to use passwordless email instead of your 2FA’d Firefox Account to login to a contribution site.

So we came up with a decision flow which relies on 2FA by default (orange), while allowing for one-factor authentication (1FA) in specific cases (green). We call this 1FA route Low Integrity Authentication.

Pilot on Common Voice

This concept is going to be piloted with Common Voice . It has recently landed on our staging systems where we are currently validating experience and functionality.

We are happy to hear you thoughts. Is this post helpful? How can we better explain this concept? Does it look promising? Any other comments?

Spike1 · September 3, 2018, 7:08am

Am wondering if wiki.mozilla.org has been considered?

r_Up2mI1KfXvmSMPkEfhC6eg · September 3, 2018, 9:36am

Hi @spike1,

Great question!
I’d guess on wiki.mozilla.org we would want to have regular 2FA authentication rather than Low Integrity Authentication, right? Either way, feels like our conversation from maaaany months ago on hooking up Mediawiki via OIDC stalled. Should we give this a go again? If yes, let’s open a thread in #iam, ok?

Best regards,
Henrik

kang · September 4, 2018, 1:37pm

Hi!

When you say, large audience sites don’t rely on user identity, but instead on programmatic contribution validation - you mean that we don’t rely on who you are, but we do rely on the knowledge that you’ve contributed in the past, correct?

If so, we do still rely on your identity (or one of your identities) - we just don’t rely on you being Mozilla Staff or things like that.

I think the model is otherwise sound (you only use 1FA if you make no contributions that we consider to put us at risk if your identity (!) were to be compromised).

In the last diagram i would make it clear that the path of “programmatic contribution validation” only gives you 1FA in certain conditions (“crow validation” or “pull request review that isn’t a review or merge” or “hierarchy of trust that isn’t a reviewer”). Maybe there’s a way to word that in succinctly, perhaps such as: “is the user performing a high-trust operation?”

ExE-Boss · September 4, 2018, 3:56pm

I have opened bug 1488474 to add IAM support to MDN.

r_Up2mI1KfXvmSMPkEfhC6eg · September 5, 2018, 2:44pm

Hi @kang,

thanks for your perspective. Very valuable, as usual!
I will reply in reverse order.

Yeah, you found a bug. The master slide had it different. When it was beautified, a copy&paste error seems to have sneaked in:

I will adapt the master slides and replace the above image.

Actually, there are cases where we don’t need to know about somebody’s past contributions.

As an example, let’s take a person that decides to show up with a different identity every time they contribute to Mozilla (e.g. record an audio clip on Common Voice, translate a Firefox string). The contribution systems (Common Voice, Pontoon) have programmatic measures in place to validate/integrity-check these contributions, independent of the contributor’s identity.

Hope this makes sense?

Best regards,
Henrik

kang · September 5, 2018, 2:59pm

makes sense

mbranson · September 6, 2018, 7:33pm

Great catch indeed @kang – my mistake re: ‘mandatory 1FA’; copy/paste error. Should indeed be ‘1FA Allowed’ as @r_Up2mI1KfXvmSMPkEfhC6eg mentioned.

r_Up2mI1KfXvmSMPkEfhC6eg · September 11, 2018, 10:06pm

@mbranson @kang reporting back on our pending item: I finally fixed the 1 FA Allowed wording and updated the image in the post above.

-Henrik