
Considerations when using open source to build an identity system

October 18, 2022 by Susan Morrow

I remember when open source was a new way of thinking about software development; I believe I first heard about open source in the late 1990s, maybe early 2000s. Back then, open source was innovation writ large; in 1997, Debian created the Debian Free Software Guidelines (DFSG) contract that formed the framework for using open source software. Open source has exploded since: according to Statista, 21 million JavaScript projects were available worldwide in July 2021.

Identity systems, however, are often complex; some citizen identity services, a specific type of digital identity, can take years to design and deliver. So, any help to get these projects off the ground is welcome. But are open source projects suitable for identity systems?  


What is an identity system and why is it so complicated?

Digital identity is a large and complex area of technology. A digital identity is many things to many people, and trying to encapsulate it in a sentence would do it an injustice. Broadly, however, it is a way to identify a person when they perform a task: for example, proving they are over 21 to buy a bottle of wine from an online retailer, or offering a level of assurance that an individual is who they say they are so they can access a government service.

The notion of a digital identity covers many subareas; these include citizen identity (as mentioned above), consumer identity and enterprise identity. However, many of these areas converge: in some instances an employee may use an identity from their consumer life in the workplace, which is known as Bring Your Own Identity (BYOID). An emerging area of identity is decentralized identity, sometimes called self-sovereign identity. Suffice it to say, the identity space is so complex because it needs to cover many use cases. This complexity is why developers often turn to open source to help build an identity system that fits their specific needs.

Where digital identity gets complicated

Digital identity is where security and usability dovetail. A digital identity is a valuable commodity, and that is not lost on cybercriminals. The human-computer interface of digital identity creates many potentially vulnerable junctures that attackers exploit. Account takeover (ATO) is one area where the exploitation of identity is burgeoning: in 2021, there was a 148% increase in ATO attacks.

One of the things that makes digital identity complicated is that there isn't so much an 'identity system' as a myriad of identifying methods and components that comprise an identity ecosystem. The components that make up an identity system include some or all of the following:

  • Identity providers (IdPs) — e.g., existing identity services, banks, etc.
  • Identity orchestration services that connect components together and handle protocols
  • Attribute sharing services
  • Self-sovereign wallets
  • Attribute wallets
  • Mobile passes
  • Authentication services (including biometrics)
  • Rules engines that modify the ecosystem's behavior
  • Communication systems such as email and SMS handling
  • Data analytics

Identity, as such, involves bringing many of these components together under an ecosystem umbrella. Building usable services that deliver optimal experiences for humans and computers requires designing and developing flexible architectures and secure code. The user experience of identity systems adds another layer for consideration: to help build ecosystems, identity services typically conform to open standards that ensure interoperability.

The designers and developers of an identity service must decide whether to use off-the-shelf software, open source, or a mix of both to deliver an interoperable, secure identity system that delights the users of that service.

What open source identity management solution should I use?

Open source projects cover a wide area of functional needs in the identity arena. Some of the components and functionality of an identity system that open source projects can help with include:

  • Single sign-on (SSO)
  • Wallets
  • API and third-party program management
  • Email handling
  • RESTful frameworks
  • Forms to capture personal data
  • Plugins and CMS for account management and administration dashboards
  • Data analytics dashboards
  • DevSecOps monitoring and alert systems

There are several dedicated companies or organizations that supply open source identity projects. Some examples:

  • Modular Open Source Identity Platform (MOSIP): an open source modular platform for delivering citizen identity projects
  • Hedera Hashgraph DID SDK for Java: an open source project hosted on GitHub
  • Inrupt: manages an open source community supplying APIs to build apps and ‘pods’ (Solid); pods contain identity attributes
  • OpenIAM: an open source identity management platform
  • WSO2: a vendor that provides an open source customer identity and access management (CIAM) solution
  • Open Identity Platform: supplies various open source identity projects, including single sign-on (SSO)

Considerations when using open source software for identity systems

There is usually a downside where there is an upside, and open source for identity is no exception to that rule. Because of the complex nature of identity systems, open source offers developers ready-made solutions to functionality needs and support for the various protocols used in identity services. However, when exploring open source options, organizations must consider these vital areas carefully:

Security: security considerations are inherent and ubiquitous across identity system components, from the user interface to backend API access. Software vulnerabilities exist as much in open source projects as in commercial software, so developers using open source software must identify any known vulnerabilities before using the code. Snyk publishes a yearly report on open source code flaws that can help locate known vulnerabilities. The Snyk report describes the security issue with using open source: "the more loosely structured and community-focused nature of OSS development presents a more challenging environment for addressing software security."

Spaghetti code and quality: open-source projects are crowd-developed by their very nature. This can lead to spaghetti code: a mass of ongoing code development that is not well-formatted or optimized. Spaghetti code is hard to work with and can add more work to a developer's load rather than reduce it. Code reviews of both internal and open source code are crucial in ensuring that the quality of your code is up to scratch.

Staying the course: open source projects may be transient. Your codebase may need long-term access to an open source project, but if the community leaders decide it can no longer be managed, they may abandon the project. If this happens, be prepared to take over development of the code yourself or to write a replacement.

Further open source considerations

Open source does not mean you push a button and magically have an identity system. Open-source code can be used to help develop an identity service. Still, some core considerations exist in its use:

Design and architecture: choose suitable modules that work for your specific identity-based needs. This means setting focused design goals before you start looking for code.

Interoperability: identity systems have multiple moving parts; if you use various functional components, ensure that these are interoperable.

Configuration of components: a configuration file is usually needed for each open source component. These configuration files require someone who understands the system behavior and design remit.

Future-proofing: identity needs change over time, and even user journeys need updating. Assess how adaptable and future-proof the open source code is.

Code reviews: these are needed regularly to locate problems, including usability, interoperability, code optimization and security vulnerabilities.

Licensing: open source does not necessarily mean a free-for-all. Check the Open Source Initiative for advice on open source licensing.
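Two of the considerations above, checking open source code for known vulnerabilities before using it (the Security point) and checking its licensing, are mechanical enough to put in a gate that runs before a component is adopted. The script below is an added example written for this article; it is not code from the article or from any of the projects it names. It parses a pinned dependency list, matches each pin against a list of advisories with affected version ranges, and flags any package whose declared license is not on an allowlist. Every package name, version, advisory identifier and license in it is constructed for illustration (a real gate would read advisories from a vulnerability database and the allowlist from the organization's legal policy), and it assumes plain dotted numeric version strings.

```python
"""Pre-adoption gate for open source identity components (added example).

Checks a pinned dependency list against (1) known-vulnerability advisories
and (2) a license allowlist. All package names, versions, advisory ids and
licenses below are constructed and describe no real project.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # constructed id, not a real CVE/GHSA number
    package: str
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version (exclusive); None = no fix yet


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    kind: str               # "vulnerability" or "license"
    detail: str


def parse_version(text: str) -> Tuple[int, ...]:
    """Assumes dotted numeric versions such as '1.4.2' (no pre-release tags).
    Tuples compare element-wise, so (1, 10, 0) > (1, 9, 3) as expected."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in [introduced, fixed); an advisory with no
    fixed release affects every version from `introduced` upwards."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def parse_requirements(text: str) -> Dict[str, str]:
    """Parse 'name==version' lines; comments and blank lines are ignored.
    Unpinned lines are rejected: an unpinned dependency cannot be matched
    against an advisory or reproduced in a later code review."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"unpinned dependency: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def check_dependencies(pins: Dict[str, str], advisories: List[Advisory],
                       declared_licenses: Dict[str, str],
                       allowed_licenses: Set[str]) -> List[Finding]:
    """One Finding per advisory hit and per non-allowlisted license."""
    findings: List[Finding] = []
    for name, version in sorted(pins.items()):
        for adv in advisories:
            if adv.package == name and is_affected(version, adv):
                action = (f"upgrade to >= {adv.fixed}" if adv.fixed
                          else "no fixed release; do not adopt until one exists")
                findings.append(Finding(name, version, "vulnerability",
                                        f"{adv.advisory_id}: {action}"))
        license_id = declared_licenses.get(name, "undeclared")
        if license_id not in allowed_licenses:
            findings.append(Finding(name, version, "license",
                                    f"{license_id} is not on the allowlist; needs legal review"))
    return findings


# --- constructed sample data: not real packages, advisories or metadata ---
SAMPLE_LOCKFILE = """\
# constructed lock file for an identity service
oidc-toolkit==1.3.0     # token handling component
attr-wallet==0.9.1      # attribute wallet
form-capture==2.1.0     # personal-data forms
sso-broker==3.0.0       # single sign-on
"""
ADVISORIES = [
    Advisory("EXAMPLE-2022-0001", "oidc-toolkit", introduced="1.0.0", fixed="1.4.2"),
    Advisory("EXAMPLE-2022-0002", "attr-wallet", introduced="0.8.0", fixed=None),
]
DECLARED_LICENSES = {"oidc-toolkit": "MIT", "attr-wallet": "Apache-2.0",
                     "form-capture": "AGPL-3.0-only", "sso-broker": "BSD-3-Clause"}
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}   # example policy only


def run_example() -> List[Finding]:
    return check_dependencies(parse_requirements(SAMPLE_LOCKFILE),
                              ADVISORIES, DECLARED_LICENSES, ALLOWED_LICENSES)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.kind:<13} {f.package}=={f.version}: {f.detail}")
```

On the constructed data the gate reports three findings: the token component falls inside the advisory's affected range and has a fixed release to move to, the wallet is affected by an advisory with no fix yet, and the forms package needs a license review; the SSO component passes both checks. The one design choice worth copying is the refusal to accept unpinned dependencies, since a version you cannot name is one you cannot check against an advisory, and one you cannot re-check at the next review.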


Using open source to build an identity system

There are many moving parts when developing any identity-based system; they include privacy considerations, security, and usability. Using open source software to provide some or all functionality when creating an identity service can help close a skills gap and offer developers a helping hand in getting complex identity systems into production. But open source is not a simple choice. Designers, architects, and developers must choose open source options wisely and consider the complexities inherent in identity ecosystems.


Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named one of the 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.