Baby Back IAM
Baby Back IAM is an identity management system that allows independent and small business web developers to quickly enable a social media neutral identity solution that does not break the bank. This software allows users to create a single account that they control, and use that account to log in to many websites.
There are other IAM providers in this space, such as Facebook and Google. They all use OpenID Connect to accomplish authentication / authorization. There are slight differences between them, and some have issues [1][2]. The free providers require you to hold an account with them, which means your identity is tied to their social media policies; if you are at risk of de-platforming, this may not be something you wish to rely on.
End users pay nothing to use Baby Back IAM. Websites pay a small monthly subscription fee to integrate. We are not selling your info or looking for ways to cram advertisements in front of your eyeballs. We make money in an honest straightforward way.
Baby Back IAM is a passwordless solution. When you register with Baby Back you will not be asked to provide a password. You will be asked for other means to identify yourself, but nothing too personal. We keep that information secret unless you allow us to share it with specific sites, allowing you to manage your privacy through what we hope you will find to be an intuitive interface.
The Trouble with Passwords
The primary difference between password and passwordless authentication is that password authentication is based on the user remembering some secret. A password is supposed to be something known only to the person it belongs to. The theory is that if you know something only you should know, then showing proof that you know that thing proves you are who you say you are. Once a system is confident that it knows who you are, it can grant you access to the things you want access to, provided you are authorized to access them.
Authentication and authorization are how systems keep others from accessing things like your email and bank account but allow you to access them.
Passwords worked really well in a physical space, such as gaining entry to a room. Knowing the passphrase to enter the room, combined with a security guard monitoring the door, was an effective security measure. The guard could intervene if someone simply stood at the door trying password after password until they guessed right.
The story changes when the thing you want access to is online. By enabling machine-to-machine communication, we have allowed machines to impersonate humans and try to crack passwords. Passwords have not kept up with the ability of computers to break into online systems: a computer can guess passwords at a rate far faster than anything possible before.
Add to this the fact that an online system keeping track of millions of passwords, albeit “securely”, creates a very valuable target for cyber criminals. Consider the passwords “Kingp!n123” and “Kingp!n345”. Both passwords will pass all complexity rules mandated by the Payment Card Industry DSS standard, but you can look at them and guess what the next password in the series probably is.
A low-budget site like your local fitness center, where the security controls may be less than stellar, could leak a password that could then be used to log in to your bank account. Even if the passwords are stored as salted hashes, if you kept an old bitcoin miner busy cracking a database of stolen passwords from a soft target, that miner would probably yield more gold than if you put it to work mining bitcoin, thanks to the birthday problem.
And who says that the genius nephew who wrote the fitness center website after graduating a web design boot camp even knew what a salted hash was in the first place?
Humans are really bad at creating randomness. So when it comes to creating and remembering passwords, if they are made by humans, and humans are expected to remember them, they cannot be very strong. Humans also tend to use heuristics and elements that they can reuse over and over. So even human-created passwords that differ slightly from one another still tend to be pretty easy to crack.
Wolfgang Goerlich, advisory CISO at Cisco Security, says: “We tell stories with our passwords. That means it’s a loved one. That means it’s a pet. That means it’s a favorite hobby. You look at Ken Thompson’s early password, which was a chess move. We look at Eric Schmidt’s early password, which was his wife’s name. We create things that are easy for us to remember — and in doing so, those are things that are easy for adversaries to guess, and once they’re out there, easy for criminals to use again and again, to log into other systems.”
Complicated passwords have another negative effect: they can compromise availability. Availability is one of the three pillars of the security CIA triad. Have you ever been locked out of a system you needed to access because of an inability to remember and/or reset your password? How’s that availability working for you there?
According to the CompTIA Security+ guide:
The first factor of authentication (something you know, such as password or PIN) is the weakest factor.
Maybe once upon a time when people just had one password to remember, and it was only on their computer, passwords were a pretty good defense against hacking…sort of…we have all heard stories about sticky notes with passwords being stuck to the monitor. Our brains aren’t really set up to memorize hard to guess passwords, and easy to guess passwords are worse than useless.
Think about it this way. If someone gets your car keys you will know it pretty quick. But how will you know if someone gets your password? We still think passwords can be a great way to lock down your laptop or phone, though probably not as good as an old fashioned key. In that capacity passwords have one distinct advantage; you can be compelled by law to hand over your keys, but you cannot be compelled to reveal your password…at least not in the USA the last time we checked. By the way, we’re not attorneys and nothing on this page should be construed as legal advice!
Regardless, you should only ever need to know one password. It’s hard enough to memorize ONE password, forget about ten or twenty.
WE SAY let’s not use passwords. Instead, we authenticate you with two possession factors:
- A Time-based One-Time Password (TOTP) from your authenticator app.
- A passcode sent to either your phone or your email.
If your phone is locked biometrically or your email is secured with a password, then you already have two different factors on that channel.
Now here’s what’s really cool! Once you log in here, any of the sites that integrate with us can automatically log you into their site by trusting us to tell them who you are, because WE know who you are. THEY don’t need to know any more than you want them to, which could mean just an anonymous user id that is different for each website we integrate with.
Web Developers!
Check out our pricing page to find out how easy and inexpensive it is to bring first-class passwordless authentication to your websites. Some of you might rather spend your time writing login pages and trying to keep your website secure than creating awesome websites, but we think there are others in the crowd who don’t feel like writing their own login functionality. If you are in this latter group, you may want to give Baby Back IAM a test drive.