Considerations when using open source to build an identity system
I remember when open source was a new way of thinking about software development; I believe I first heard about it in the late 1990s or early 2000s. Back then, open source was innovation writ large: in 1997, Debian published the Debian Free Software Guidelines (DFSG), the contract that formed a framework for using open source software. Open source has exploded since; according to Statista, 21 million JavaScript projects were available worldwide in July 2021.
Identity systems, however, are often complex; some citizen identity services, a specific type of digital identity, can take years to design and deliver. So, any help to get these projects off the ground is welcome. But are open source projects suitable for identity systems?
What is an identity system and why are they so complicated?
Digital identity is a large and complex area of technology. A digital identity is many things to many people, and trying to encapsulate it in a sentence would do it an injustice. Broadly, though, it is a way to identify a person when they perform a task: for example, proving they are over 21 to buy a bottle of wine from an online retailer, or offering a level of assurance that an individual is who they claim to be in order to access a government service.
The notion of a digital identity covers many subareas, including citizen identity (as mentioned above), consumer identity, and enterprise identity. Many of these areas converge, however: in some instances an employee may use an identity from their consumer life in the workplace, which is known as Bring Your Own Identity (BYOID). An emerging area is decentralized identity, sometimes called self-sovereign identity. Suffice to say, the identity space is complex because of the many use cases it needs to cover. It is this complexity that leads developers to turn to open source to help build an identity system that fits their specific needs.
Where digital identity gets complicated
However, digital identity is where security and usability dovetail. Digital identity is a valuable commodity, and that is not lost on cybercriminals. The human-computer interface of a digital identity system is where many of the potentially vulnerable junctures that attackers exploit lie. Account Takeover (ATO) is one area where the exploitation of identity is burgeoning: in 2021, there was a 148% increase in ATO attacks.
One of the things that makes digital identity complicated is that there isn't so much an 'identity system' as a myriad of identifying methods and components that together form an identity ecosystem. The components that make up an identity system include some or all of the following:
- Identity providers (IdPs) — e.g., existing identity services, banks, etc.
- Identity orchestration services help to connect components together and handle protocols
- Attribute sharing services
- Self-sovereign wallets
- Attribute wallets
- Mobile passes
- Authentication services (including biometrics)
- Rules engines that modify the ecosystem behavior
- Communication systems such as email and SMS handling
- Data analytics
Identity, as such, involves bringing many of these components together under an ecosystem umbrella. Building usable services that deliver optimal experiences for humans and computers requires designing and developing flexible architectures and secure code. User experience adds another layer of consideration, and so does interoperability: to fit into an ecosystem, identity services typically conform to open standards.
The designers and developers of an identity service must decide to use off-the-shelf or open source, or a mix of both, to deliver an interoperable, secure identity system that delights the users of that service.
What open source identity management solution should I use?
Open source projects cover a wide area of functional needs in the identity arena. Some of the components and functionality of an identity system that open source projects can help with include:
- Single-sign-on (SSO)
- Wallets
- API and third-party program management
- Email handling
- RESTful frameworks
- Forms to capture personal data
- Plugins and CMS for account management and administration dashboards
- Data analytic dashboards
- DevSecOps monitoring and alert systems
There are several dedicated companies or organizations that supply open source identity projects. Some examples:
- Modular Open Source Identity Platform (MOSIP): an open-source modular platform to deliver citizen identity projects
- Hedera Hashgraph DID SDK for Java: an open source project hosted on GitHub
- Inrupt: manages an open-source community supplying APIs to build apps and ‘pods’ (Solid); pods contain identity attributes
- OpenIAM: an open source identity management platform
- WSO2: a vendor that provides an open source customer identity and access management (CIAM) solution
- Open Identity Platform: supplies various open source identity projects, including SSO (Single-Sign-On)
Considerations when using open source software for identity systems
There is usually a downside where there is an upside, and open source for identity is no exception to that rule. Because of the complex nature of identity systems, open source offers developers ready-made solutions to functionality needs and support for the various protocols used in identity services. However, when exploring open source options, organizations must consider these vital areas carefully:
Security: security considerations are inherent and ubiquitous across identity system components, from the user interface to backend API access. Software vulnerabilities exist as much in open-source projects as in commercial software. Developers using open source software must identify any known vulnerabilities before using the code. Snyk publishes a yearly report into open source code flaws that can help locate known vulnerabilities. The Snyk report describes the security issues when using open source: "the more loosely structured and community-focused nature of OSS development presents a more challenging environment for addressing software security."
Spaghetti code and quality: open-source projects are crowd-developed by their very nature. This can lead to spaghetti code: a mass of ongoing code development that is not well-formatted or optimized. Spaghetti code is hard to work with and can add more work to a developer's load rather than reduce it. Code reviews of both internal and open source code are crucial in ensuring that the quality of your code is up to scratch.
Staying the course: open-source projects may be transient. Your codebase may need longer-term access to an open source project, but if the community leaders decide it can no longer be managed, they may abandon the project. If this happens, be prepared to take over and develop your code or create new software code.
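The two checks the Security and Staying the course points call for, identifying known-vulnerable versions before adopting a component and spotting projects that look abandoned, can be automated against a dependency manifest. The script below is an added example, not code from the article or any of the projects it names; the package names, advisories, release dates and the 18-month staleness threshold are all constructed for the illustration, and a real audit would pull advisories from a vulnerability database rather than an inline list.

```python
"""Audit a requirements-style manifest against known advisories and flag
unmaintained projects. Everything below the imports is constructed sample
data for illustration; package names are hypothetical."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Advisory:
    package: str
    affected: str   # version constraint, e.g. ">=2.0,<2.4.1"
    fixed_in: str
    note: str


def parse_version(text):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


# Comparison operators understood in an affected-range clause.
OPS = {
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
}


def matches_range(version, spec):
    """True if `version` satisfies every comma-separated clause in `spec`."""
    v = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        for op in OPS:  # two-character operators are listed first
            if clause.startswith(op):
                if not OPS[op](v, parse_version(clause[len(op):])):
                    return False
                break
        else:
            raise ValueError(f"unsupported constraint: {clause!r}")
    return True


def parse_manifest(text):
    """Parse 'name==version' lines; blank lines and '#' comments are ignored."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split("==")
        deps[name.strip().lower()] = version.strip()
    return deps


# Constructed manifest for a hypothetical identity service.
MANIFEST = """
oidc-provider-lib==2.3.0   # hypothetical package
saml-toolkit==1.9.2        # hypothetical package
jwt-helper==4.0.1          # hypothetical package
"""

# Constructed advisories (not real CVEs).
ADVISORIES = [
    Advisory("oidc-provider-lib", ">=2.0,<2.4.1", "2.4.1", "token validation bypass"),
    Advisory("saml-toolkit", "==1.9.2", "1.9.3", "signature wrapping"),
    Advisory("jwt-helper", "<3.0", "3.0.0", "algorithm confusion"),
]

# Constructed date of each project's most recent release.
LAST_RELEASE = {
    "oidc-provider-lib": date(2024, 1, 15),
    "saml-toolkit": date(2021, 6, 1),
    "jwt-helper": date(2024, 3, 1),
}


def audit(manifest_text, advisories, last_release, today, max_age_days=540):
    """Return pinned versions that match an advisory and projects with no
    release in the last `max_age_days` (default ~18 months)."""
    deps = parse_manifest(manifest_text)
    vulnerable = [
        (adv.package, deps[adv.package], adv.fixed_in, adv.note)
        for adv in advisories
        if adv.package in deps and matches_range(deps[adv.package], adv.affected)
    ]
    stale = [
        (name, (today - last_release[name]).days)
        for name in deps
        if name in last_release and (today - last_release[name]).days > max_age_days
    ]
    return {"vulnerable": vulnerable, "stale": stale}


if __name__ == "__main__":
    report = audit(MANIFEST, ADVISORIES, LAST_RELEASE, date(2024, 6, 1))
    for name, version, fixed, note in report["vulnerable"]:
        print(f"VULNERABLE {name}=={version}: {note}; upgrade to {fixed}")
    for name, days in report["stale"]:
        print(f"STALE      {name}: last release {days} days ago")
```

Version tuples of unequal length compare element by element, so `(2, 3, 0) < (2, 4, 1)` and `(2, 3, 0) >= (2, 0)` both hold; pre-release suffixes such as `2.4.1rc1` are not handled and would need a proper version library in production. The staleness check is only a heuristic for the "staying the course" risk: a quiet project may simply be finished, so the output is a prompt to look at the project's issue tracker and maintainer activity, not a verdict.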
Further open source considerations
Open source does not mean you push a button and magically have an identity system. Open-source code can help you develop an identity service, but some core considerations apply to its use:
Design and architecture: choose suitable modules that work for your specific identity-based needs. This means focused design goals before you start to locate code.
Interoperability: identity systems have multiple moving parts; if you use various functional components, ensure that these are interoperable.
Configuration of components: a configuration file is usually needed for each open source component. These configuration files require someone who understands the system behavior and design remit.
Future-proofed: identity needs to change over time, and even user journeys need updating. Assess the adaptability and future-proofed capability inherent in the open source code.
Code reviews: regularly needed to locate problems, including usability, interoperability, code optimization and security vulnerabilities.
Licensing: open source does not necessarily mean a free for all. Check out the Open Source Initiative for advice on licensing open source.
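The Interoperability and Licensing points above can also be checked mechanically once the components and the flows between them are written down. The script below is an added example, not code from the article or from any project it mentions: the component inventory, the protocols each component speaks, the flows and the license allowlist are all constructed, and the allowlist stands in for whatever policy an organization's own legal review sets, not for legal advice.

```python
"""Check a constructed inventory of identity components for protocol
interoperability across each flow and for license policy compliance.
All data below is constructed for illustration."""

# Each component records where it comes from, which identity protocols it
# speaks, and its license. "in-house" code is exempt from the license check.
COMPONENTS = {
    "web-app":       {"origin": "in-house",    "protocols": {"OIDC", "SAML2"}, "license": None},
    "idp":           {"origin": "open-source", "protocols": {"OIDC", "SAML2"}, "license": "Apache-2.0"},
    "orchestrator":  {"origin": "open-source", "protocols": {"OIDC", "SCIM"},  "license": "MIT"},
    "directory":     {"origin": "open-source", "protocols": {"LDAP", "SCIM"},  "license": "GPL-3.0-only"},
    "mobile-wallet": {"origin": "open-source", "protocols": {"DIDComm"},       "license": "Apache-2.0"},
}

# Directed flows in the planned ecosystem: (caller, callee).
FLOWS = [
    ("web-app", "idp"),
    ("idp", "orchestrator"),
    ("orchestrator", "directory"),
    ("web-app", "mobile-wallet"),
]

# Constructed organizational allowlist; a real one comes from legal review.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def shared_protocols(components, a, b):
    """Protocols both ends of a flow can speak; empty means they cannot talk."""
    return components[a]["protocols"] & components[b]["protocols"]


def check_interoperability(components, flows):
    """Return flows whose endpoints share no protocol, plus flows naming
    components missing from the inventory."""
    problems = []
    for a, b in flows:
        if a not in components or b not in components:
            problems.append((a, b, "unknown component"))
        elif not shared_protocols(components, a, b):
            problems.append((a, b, "no common protocol"))
    return problems


def check_licenses(components, allowed):
    """Return open source components whose license is not on the allowlist."""
    return [
        (name, info["license"])
        for name, info in components.items()
        if info["origin"] == "open-source" and info["license"] not in allowed
    ]


def review_inventory(components, flows, allowed):
    """Combine both checks into one report a design review can act on."""
    return {
        "incompatible_flows": check_interoperability(components, flows),
        "license_violations": check_licenses(components, allowed),
    }


if __name__ == "__main__":
    report = review_inventory(COMPONENTS, FLOWS, ALLOWED_LICENSES)
    for a, b, why in report["incompatible_flows"]:
        print(f"FLOW    {a} -> {b}: {why}")
    for name, lic in report["license_violations"]:
        print(f"LICENSE {name}: {lic} not in allowlist")
```

In the constructed inventory the web application and the mobile wallet share no protocol, so that flow needs either a wallet that speaks OIDC or an orchestration component that bridges the two; and the directory's license falls outside the constructed allowlist, which is the kind of finding to raise before code is pulled into the build rather than after.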
Using open source to build an identity system
There are many moving parts when developing any identity-based system; they include privacy considerations, security, and usability. Using open source software to provide some or all functionality when creating an identity service can help close a skills gap and offer developers a helping hand in getting complex identity systems into production. But open source is not a simple choice. Designers, architects, and developers must choose open source options wisely and consider the complexities inherent in identity ecosystems.
Sources:
- Debian Free Software Guidelines (DFSG), Debian
- Number of open source projects and versions worldwide 2021, by ecosystem, Statista
- Taking an Identity Selfie – Self-Sovereign Identity and the Blockchain, Infosec
- The How and Why of Account Takeover Attacks, Infosec
- Bad Bot Traffic, CardNotPresent blog
- Modular Open Source Identity Platform (MOSIP)
- Hedera Hashgraph DID SDK for Java
- Inrupt
- OpenIAM
- WSO2 open source CIAM
- Open Identity Platform
- State of Open Source Security 2022, Snyk
- Open Source Initiative