What is an Online Account?
An online account is an abstract concept that describes the permissions a website user is given for a service on the internet. Because people use many websites, they typically maintain many online service accounts.
What is Authentication?
Authentication in computing is the process or action of verifying the identity of a website user. It's common for the authentication of online accounts to involve passwords and other identification protocols to protect against malicious actors.
What is Authorization?
Authorization in computing is the process of providing and verifying access to resources. It's common for the authorization of online accounts to involve roles and permissions.
Account managers are used to manage the hundreds of service accounts a person uses for various functions on the internet. They store and organize a given user's credentials securely.
A popular example of an account manager is a password manager, which manages online account credentials (e.g., emails, usernames, and passwords).
Accounts are created for a specific purpose or under the ownership of a sole entity, so an ideal account management solution lets the user categorize accounts (and their credentials).
The service-side authentication method used by conventional online accounts requires the user to hold a set of credentials that the service verifies. As a result, the user must manage unique login credentials for each account, and each set of credentials has full access to that account's operations on the service.
Collaboration (Access Control)
When people work together, the account model must reflect the underlying power structure: the service has to provide access controls through which one service account can manage the permissions of other service accounts.
There are multiple models of access control, including but not limited to:
- Mandatory access control (MAC) [e.g., Admin, User, Guest levels]
- Discretionary access control (DAC) [e.g., Google Drive Permissions]
- Role-based access control (RBAC) [e.g., Discord Permissions]
- Attribute-based access control (ABAC) [e.g., AWS IAM Permissions]
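To make the difference between these models concrete, here is an added example (not code from the original page or from any of the services named above) that implements a toy authorization engine for three of them: DAC, where the resource owner hands out access; RBAC, where permissions attach to roles and roles to users; and ABAC, where a policy is a predicate over attributes of the subject, the resource and the environment. All users, roles, documents, clearances and policies are constructed sample data.

```python
"""Toy authorization engine contrasting three of the access control models
listed above: DAC (the resource owner hands out access), RBAC (permissions
attached to roles, roles assigned to users) and ABAC (policies evaluated over
attributes of the subject, the resource and the environment). Every user, role,
document and policy here is constructed sample data, not taken from any real
service."""
from dataclasses import dataclass, field


# --- DAC: the owner of a resource decides who else may access it -----------
@dataclass
class Document:
    name: str
    owner: str
    classification: str = "internal"
    # owner-managed access list: user -> set of permitted actions
    acl: dict = field(default_factory=dict)

    def grant(self, grantor: str, user: str, action: str) -> None:
        # Only the owner may change the ACL; that discretion is what makes it DAC.
        if grantor != self.owner:
            raise PermissionError(f"{grantor} does not own {self.name}")
        self.acl.setdefault(user, set()).add(action)


def dac_allows(doc: Document, user: str, action: str) -> bool:
    return user == doc.owner or action in doc.acl.get(user, set())


# --- RBAC: permissions hang off roles; users are assigned roles -------------
ROLE_PERMISSIONS = {
    "viewer": {"document:read"},
    "editor": {"document:read", "document:write"},
    "admin": {"document:read", "document:write", "document:delete", "role:assign"},
}
USER_ROLES = {"alice": {"admin"}, "bob": {"editor"}, "carol": {"viewer"}}


def rbac_allows(user: str, permission: str) -> bool:
    # A user is allowed if any of their roles carries the permission.
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# --- ABAC: a policy is a predicate over attributes -------------------------
USER_ATTRS = {
    "alice": {"department": "engineering", "clearance": 3},
    "bob": {"department": "engineering", "clearance": 1},
    "carol": {"department": "sales", "clearance": 1},
}
# numeric level of each document classification
LEVEL = {"public": 0, "internal": 1, "confidential": 3}


def abac_allows(user: str, doc: Document, action: str, env: dict) -> bool:
    subject = USER_ATTRS.get(user)
    if subject is None:
        return False  # unknown subject: default deny
    # Policy 1: the subject's clearance must meet the document's classification.
    if subject["clearance"] < LEVEL[doc.classification]:
        return False
    # Policy 2: writes are only allowed from a managed device during business hours.
    if action == "document:write":
        return bool(env.get("managed_device")) and 9 <= env.get("hour", -1) < 18
    return True


def demo() -> dict:
    """Run the same questions through each model and collect the verdicts."""
    roadmap = Document("roadmap", owner="alice", classification="confidential")
    roadmap.grant("alice", "bob", "document:read")   # alice shares with bob (DAC)
    office_hours = {"managed_device": True, "hour": 10}
    late_night_laptop = {"managed_device": False, "hour": 23}
    return {
        "dac_bob_read": dac_allows(roadmap, "bob", "document:read"),       # True
        "dac_carol_read": dac_allows(roadmap, "carol", "document:read"),   # False
        "rbac_bob_write": rbac_allows("bob", "document:write"),            # True
        "rbac_carol_write": rbac_allows("carol", "document:write"),        # False
        "abac_alice_write_office": abac_allows("alice", roadmap, "document:write", office_hours),    # True
        "abac_alice_write_night": abac_allows("alice", roadmap, "document:write", late_night_laptop),  # False
        "abac_bob_read": abac_allows("bob", roadmap, "document:read", office_hours),  # False: clearance 1 < 3
    }


if __name__ == "__main__":
    for check, verdict in demo().items():
        print(f"{check:28} {'allow' if verdict else 'deny'}")
```

Note how the same question ("may bob write the roadmap?") is answered from different evidence in each model: the owner's ACL in DAC, the role table in RBAC, and the clearance and device attributes in ABAC. Real systems often layer these, for instance RBAC for coarse permissions with ABAC conditions on top.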
Collaboration (Identity Management)
Using unique service-side login credentials for each account is inefficient when:
- Multiple service accounts must be managed together (e.g., many accounts for one service).
- Multiple services' accounts must be managed together (e.g., one person controls many services).
- Accounts must be created upon a condition (e.g., when an employee is hired).
A solution to this problem is Identity Management: User Provisioning.
User provisioning is an identity and access management (IAM) process that involves creating, modifying, and deleting service accounts. Multiple user provisioning protocols define how a user is provisioned (e.g., OIDC, LDAP, SAML, SCIM).
An identity provider implements a user provisioning protocol to provision users to a server (computer). When third-party identity management is implemented at the service level, this server, rather than the service itself, is what authenticates users.
With this implementation, users may manage their accounts by setting up a single sign-on login credential to access several services.
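The provisioning lifecycle described in the last three paragraphs (an identity provider creating, modifying and deleting accounts on a service, triggered by conditions such as hiring and departure) is shown below as an added example; it is not code from the original page or from any real identity provider or service. The payload shapes follow the SCIM 2.0 core User schema (RFC 7643) and PatchOp message (RFC 7644), which the page lists among the provisioning protocols, but the in-memory store, its validation rules, the `hr-0001` external id and the user data are constructed for this example.

```python
"""Toy in-memory user store exposing the SCIM 2.0 provisioning operations that
an identity provider drives against a service: create, modify (PATCH) and
delete. Payload shapes follow the SCIM core User schema (RFC 7643) and the
PatchOp message (RFC 7644), but the store, its validation and all user data are
constructed for this example; this is not any real identity provider's client
or any real service's SCIM endpoint."""
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class ScimUserStore:
    """Service-side account table keyed by the SCIM resource id."""

    def __init__(self) -> None:
        self._users: dict = {}

    def create(self, payload: dict) -> dict:
        """POST /Users: the IdP asks the service to create an account."""
        if USER_SCHEMA not in payload.get("schemas", []):
            raise ValueError("payload does not declare the core User schema")
        user_name = payload["userName"]
        # userName must be unique per service (a real endpoint answers 409 Conflict)
        if self.find(user_name) is not None:
            raise ValueError(f"userName {user_name!r} already exists")
        resource = {
            "schemas": [USER_SCHEMA],
            "id": str(uuid.uuid4()),                  # service-assigned, immutable
            "externalId": payload.get("externalId"),  # the IdP's own identifier
            "userName": user_name,
            "active": bool(payload.get("active", True)),
            "emails": list(payload.get("emails", [])),
            "meta": {"resourceType": "User"},
        }
        self._users[resource["id"]] = resource
        return resource

    def patch(self, user_id: str, patch: dict) -> dict:
        """PATCH /Users/{id}: apply 'replace' operations (the only op this toy supports)."""
        if PATCH_SCHEMA not in patch.get("schemas", []):
            raise ValueError("payload does not declare the PatchOp schema")
        user = self._users[user_id]
        for op in patch["Operations"]:
            if op["op"].lower() != "replace":
                raise NotImplementedError(f"op {op['op']!r} not supported in this example")
            if op["path"] not in ("active", "userName", "emails"):
                raise ValueError(f"attribute {op['path']!r} is not patchable here")
            user[op["path"]] = op["value"]
        return user

    def delete(self, user_id: str) -> None:
        """DELETE /Users/{id}: remove the account record entirely."""
        del self._users[user_id]

    def find(self, user_name: str):
        return next((u for u in self._users.values()
                     if u["userName"].lower() == user_name.lower()), None)

    def can_log_in(self, user_name: str) -> bool:
        # The service must honour 'active': a deactivated account cannot
        # authenticate even though its record still exists.
        user = self.find(user_name)
        return user is not None and bool(user["active"])


def deactivate_op() -> dict:
    """The PatchOp an IdP sends when the hire condition is reversed (employee leaves)."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def demo() -> dict:
    store = ScimUserStore()
    # Step 1: employee hired -> the IdP provisions the account on the service.
    jdoe = store.create({
        "schemas": [USER_SCHEMA],
        "externalId": "hr-0001",              # constructed HR-system identifier
        "userName": "jdoe",
        "emails": [{"value": "jdoe@example.com", "primary": True}],
    })
    before = store.can_log_in("jdoe")               # True
    # Step 2: employee leaves -> the IdP deactivates first, so logins stop at once...
    store.patch(jdoe["id"], deactivate_op())
    after_deactivate = store.can_log_in("jdoe")     # False
    # ...and deletes later, once any record-retention period has passed.
    store.delete(jdoe["id"])
    after_delete = store.find("jdoe") is None        # True
    return {"before": before, "after_deactivate": after_deactivate,
            "after_delete": after_delete}
```

The point of the two-step offboarding is that `active: false` is honoured by the service's login path immediately, while the record (and its `externalId` link back to the HR system) survives until the IdP decides to delete it.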
Single-Sign On (SSO)
Single Sign-On (SSO) is an authentication method that uses a single login credential to access several services. You can find resources about the positive and negative aspects of SSO on the internet.
The risks of a single sign-on implementation lie at the identity provider level and at the user level.
- If the identity provider is breached, the attacker can provision user accounts.
- If a user's credentials are compromised, the attacker gains access to all connected service accounts.
In the worst case, the compromised user has full permissions in the identity provider, and everything (e.g., accounts, data, code) is compromised, as in Uber's hack.
Zero Trust Security
The risk of compromised user credentials in a single sign-on environment has led to the development of the Zero Trust Security Model. This model authenticates and authorizes the user on every access, regardless of whether the user has already been authenticated.
Suppose you log in to a Google account from your mobile device. First, Google authenticates your login credentials to verify that you own the account. When you then attempt to access a resource (e.g., Gmail), Google verifies your session context (device, IP address, etc.) again.
In contrast, a traditional security model would let you keep using Gmail even if the request came from halfway across the world from where you initially logged in.
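The contrast in the last two paragraphs is shown below as an added example (not code from the original page and not Google's implementation): a traditional check that accepts any valid session token, beside a zero trust check that re-verifies the device and source region on every request. The users, device identifiers, token format and IP addresses are constructed, and the IP-to-region table is a stand-in for a real geolocation lookup.

```python
"""Toy policy engine contrasting the traditional "valid session token => allow"
check with the per-request zero trust check described above, which re-verifies
the session context (device, source IP region) on every resource access.
Users, device identifiers, IP addresses and the IP-to-region table are all
constructed for this example; the region table stands in for a real
geolocation lookup, and none of this is Google's actual implementation."""
import ipaddress
import secrets
from dataclasses import dataclass

# Constructed IP-to-region table (documentation ranges from RFC 5737).
REGIONS = {
    ipaddress.ip_network("203.0.113.0/24"): "eu-west",
    ipaddress.ip_network("198.51.100.0/24"): "ap-east",
}


def region_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, region in REGIONS.items():
        if addr in net:
            return region
    return "unknown"


@dataclass(frozen=True)
class Session:
    user: str
    token: str
    device_id: str
    login_ip: str


@dataclass(frozen=True)
class Request:
    token: str
    device_id: str
    source_ip: str
    resource: str


# server-side session table: token -> Session
SESSIONS: dict = {}


def login(user: str, device_id: str, ip: str) -> Session:
    """Step 1: credentials verified (assumed already done); bind the session to its context."""
    session = Session(user, secrets.token_hex(16), device_id, ip)
    SESSIONS[session.token] = session
    return session


def traditional_check(req: Request) -> str:
    """A valid token is all the traditional model asks for."""
    return "allow" if req.token in SESSIONS else "deny"


def zero_trust_check(req: Request) -> str:
    """Re-evaluate the session's context on every request, not just at login."""
    session = SESSIONS.get(req.token)
    if session is None:
        return "deny"
    if req.device_id != session.device_id:
        # Same token presented from a different device: treat it as a stolen token.
        return "deny"
    if region_of(req.source_ip) != region_of(session.login_ip):
        # The session moved across regions since login: require re-authentication.
        return "step-up"
    return "allow"


def demo() -> dict:
    """Return (traditional, zero_trust) verdicts for four constructed requests."""
    sess = login("alice", device_id="phone-1", ip="203.0.113.10")
    same_context = Request(sess.token, "phone-1", "203.0.113.10", "gmail")
    far_away = Request(sess.token, "phone-1", "198.51.100.7", "gmail")
    other_device = Request(sess.token, "laptop-9", "203.0.113.10", "gmail")
    forged = Request("not-a-real-token", "phone-1", "203.0.113.10", "gmail")
    return {
        name: (traditional_check(r), zero_trust_check(r))
        for name, r in [("same_context", same_context), ("far_away", far_away),
                        ("other_device", other_device), ("forged", forged)]
    }


if __name__ == "__main__":
    for name, (trad, zt) in demo().items():
        print(f"{name:14} traditional={trad:6} zero_trust={zt}")
```

The "far_away" and "other_device" rows are where the models diverge: the traditional check sees a valid token and allows both, whereas the zero trust check asks for re-authentication when the region changes and refuses outright when the same token shows up from a different device.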
For more information about a Zero Trust Security Model implementation, read Implementing a Zero Trust Security Model.