Mozilla IAM and Low Integrity Authentication

(Henrik Mitsch) #1

In recent sprint review posts, you might have come across the term Low Integrity Authentication, a new capability of Mozilla IAM.

Identity on the Web

Identity theft on the Web is today’s reality. Building an access management system for Mozilla’s communication, collaboration and contribution systems, we aim to make it:

As a consequence, we rely on two-factor authentication (2FA) to secure identities for our sites and applications.

Large Audience Sites Don’t Rely On Your Identity

There are Large Audience (Contribution) Sites such as SUMO, MDN web docs, L10N, and Common Voice. These sites do not rely on a contributor’s identity. Instead there are programmatic contribution validation measures in place.

Programmatic Contribution Validation

The image below shows some examples of programmatic contribution validation measures. These include, but are not limited to, crowdsourcing, trusted reviewers, hierarchies of trust.

Allow for Friction-less Contribution Experience

Today, none of the Large Audience Sites is using Mozilla IAM, mainly because two-factor authentication would negatively impact their contribution funnel.

Moving forward, we enable the adoption of Mozilla IAM by allowing people to authenticate with identity providers that are not necessarily their most secure. For example, you might want to use passwordless email instead of your 2FA’d Firefox Account to login to a contribution site.

So we came up with a decision flow which relies on 2FA by default (orange), while allowing for one-factor authentication (1FA) in specific cases (green). We call this 1FA route Low Integrity Authentication.

Pilot on Common Voice

This concept is going to be piloted with Common Voice. It has recently landed on our staging systems where we are currently validating experience and functionality.

We are happy to hear your thoughts. Is this post helpful? How can we better explain this concept? Does it look promising? Any other comments?

Alternatives to Github for Authentication
(Spike) #2

Am wondering if has been considered?

(Henrik Mitsch) #3

Hi @spike1,

Great question!
I’d guess on we would want to have regular 2FA authentication rather than Low Integrity Authentication, right? Either way, feels like our conversation from maaaany months ago on hooking up Mediawiki via OIDC stalled. Should we give this a go again? If yes, let’s open a thread in #iam, ok?

Best regards,

(kang) #4

When you say, large audience sites don’t rely on user identity, but instead on programmatic contribution validation - you mean that we don’t rely on who you are, but we do rely on the knowledge that you’ve contributed in the past, correct?

If so, we do still rely on your identity (or one of your identities) - we just don’t rely on you being Mozilla Staff or things like that.

I think the model is otherwise sound (you only use 1FA if you make no contributions that we consider to put us at risk if your identity (!) were to be compromised).

In the last diagram I would make it clear that the path of “programmatic contribution validation” only gives you 1FA in certain conditions (“crowd validation” or “pull request review that isn’t a review or merge” or “hierarchy of trust that isn’t a reviewer”). Maybe there’s a way to word that succinctly, perhaps such as: “is the user performing a high-trust operation?”
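The decision flow from the first post (2FA by default, the 1FA “Low Integrity” route only in specific cases), with kang’s “is the user performing a high-trust operation?” check, as an added example that is not Mozilla IAM’s own code. It assumes the relying party already holds signature-verified ID-token claims and reads authentication strength from the standard OIDC `amr` claim (RFC 8176 values); the operation names and the split between programmatically validated and high-trust operations are constructed for illustration.

```python
"""Per-operation authentication policy for a contribution site (example only).

Assumptions: ID-token claims were verified upstream; authentication
strength comes from the OIDC "amr" claim (RFC 8176 method names).
"""
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up_to_2fa"  # send the user back to a 2FA-capable login


# RFC 8176 method references that count as a second factor. "mfa" is the
# generic marker; the others are specific second-factor methods.
SECOND_FACTOR_AMR = {"mfa", "otp", "hwk", "sc", "fpt", "face"}

# Operations the site validates programmatically (crowd validation, a
# trusted reviewer downstream), so a 1FA login is acceptable ("green" path).
# Constructed names, not real Common Voice / Pontoon identifiers.
LOW_INTEGRITY_OK = {
    "common_voice:record_clip",
    "common_voice:validate_clip",    # decided by crowd voting, not one user
    "pontoon:suggest_translation",   # lands in a review queue, not production
}

# High-trust operations in kang's sense: acting as the reviewer or merger.
HIGH_TRUST = {"pontoon:approve_translation", "mdn:merge_edit", "sumo:review"}


def is_two_factor(claims: dict) -> bool:
    """True if any amr value is a second factor. A passwordless-email or
    password-only login carries none, so it is treated as 1FA."""
    return bool(set(claims.get("amr", [])) & SECOND_FACTOR_AMR)


def decide(claims: dict, operation: str) -> tuple:
    """Return (Decision, reason). The default is 2FA: a 1FA session is
    allowed only for explicitly listed low-integrity operations; anything
    else, including operations the policy does not know, requires step-up."""
    if is_two_factor(claims):
        return Decision.ALLOW, "second factor present in amr"
    if operation in LOW_INTEGRITY_OK:
        return Decision.ALLOW, "1FA allowed: contribution validated programmatically"
    if operation in HIGH_TRUST:
        return Decision.STEP_UP, "high-trust operation requires 2FA"
    return Decision.STEP_UP, "unknown operation: fail closed to 2FA default"
```

Evaluating per operation rather than per session is what lets one passwordless-email login record clips while the same session is bounced to 2FA the moment it tries to approve.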

(ExE Boss) #5

I have opened bug 1488474 to add IAM support to MDN.

(Henrik Mitsch) #6

Hi @kang,

thanks for your perspective. Very valuable, as usual!
I will reply in reverse order.

Yeah, you found a bug. The master slide had it different. When it was beautified, a copy&paste error seems to have sneaked in:

I will adapt the master slides and replace the above image.

Actually, there are cases where we don’t need to know about somebody’s past contributions.

As an example, let’s take a person that decides to show up with a different identity every time they contribute to Mozilla (e.g. record an audio clip on Common Voice, translate a Firefox string). The contribution systems (Common Voice, Pontoon) have programmatic measures in place to validate/integrity-check these contributions, independent of the contributor’s identity.

Hope this makes sense?

Best regards,

(kang) #7

makes sense :slight_smile:

(Megan Branson) #8

Great catch indeed @kang – my mistake re: ‘mandatory 1FA’; copy/paste error. Should indeed be ‘1FA Allowed’ as @hmitsch mentioned.

(Henrik Mitsch) #9

@mbranson @kang reporting back on our pending item: I finally fixed the ‘1FA Allowed’ wording and updated the image in the post above.