OneLogin Breach traced back to AWS Key Compromise

Earlier this week, password vault service OneLogin detected unauthorized access to its data. OneLogin CISO Alvaro Hoyos posted Wednesday:

“Today we detected unauthorized access to OneLogin data in our US data region. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident.”

OneLogin later posted an update:

“Our review has shown that a threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US. Evidence shows the attack started on May 31, 2017 around 2 am PST. Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance. OneLogin staff was alerted of unusual database activity around 9 am PST and within minutes shut down the affected instance as well as the AWS keys that were used to create it.”

Securing AWS is complicated. There are a large number of possible roles and permissions which, if configured incorrectly, could lead to unintentional key and data compromise. An Engage Identity Cloud Security Audit can help your company understand the most secure cloud configuration for your needs. No one currently knows how OneLogin’s AWS keys became compromised, but it is entirely possible that they were exposed due to a misconfigured permission.
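A defender-side check for the pattern the OneLogin update describes (a long-term access key used through the AWS API from an unfamiliar host, then used to create instances), added here as an example that is not OneLogin's or the post's own code. It scans constructed CloudTrail-style records; the key id, the expected network and the sample events are placeholders, and the "expected networks" allowlist is an assumption about how you track where each key is normally used from.

```python
import ipaddress
import json

# Constructed: networks each long-term key is expected to be used from.
EXPECTED_NETWORKS = {
    "AKIAEXAMPLEKEY000001": [ipaddress.ip_network("203.0.113.0/24")],
}
# Actions an automation key should rarely issue (RunInstances is the one the
# OneLogin update describes being used to stand up reconnaissance hosts).
SENSITIVE_ACTIONS = {"RunInstances", "CreateAccessKey", "AttachUserPolicy"}

# Constructed CloudTrail-style log, trimmed to the fields this check reads.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2017-05-31T08:55:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2017-05-31T09:02:00Z", "eventName": "RunInstances",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2017-05-31T09:03:00Z", "eventName": "DescribeVolumes",
     "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
]})


def load_records(text):
    """Parse a CloudTrail log file body into its list of event records."""
    return json.loads(text)["Records"]


def analyse(records, expected=EXPECTED_NETWORKS):
    """Return one (accessKeyId, eventName, sourceIPAddress, reasons) per alert."""
    alerts = []
    for ev in records:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        src = ev["sourceIPAddress"]
        reasons = []
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            ip = None  # calls made on your behalf by an AWS service log a DNS name
        if ip is not None and not any(ip in n for n in expected.get(key, [])):
            reasons.append("key used outside its expected networks")
        if ev["eventName"] in SENSITIVE_ACTIONS:
            reasons.append("sensitive action for an automation key")
        if reasons:
            alerts.append((key, ev["eventName"], src, reasons))
    return alerts
```

The first record is the key's normal use and the service-initiated DescribeVolumes is skipped for the network check, so only the RunInstances call from the unknown host is reported.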

If you were affected by the OneLogin breach, you will be notified, and you should change all your passwords immediately. Despite this breach, password vaults are still the best way to ensure that all your passwords are long, random, and unique. “It is significantly easier to attack targets who use the same password everywhere,” says Benjamin Caudill, Founder of penetration testing company Rhino Security Labs. “We recommend that all of our clients utilize password management services, even after this incident.”

In addition to password management services, your accounts can be further protected with implementation of two-factor authentication. This is one of the many services provided by Engage Identity. If you’d like to learn more, contact us right away.

Sovrin Foundation Partnership

The Sovrin Foundation and Engage Identity are proud to announce a new partnership. Security experts from Engage Identity will be completing an in-depth technical review of the Sovrin Foundation’s entire security architecture.

The Sovrin Foundation is a private-sector, international non-profit that was established to govern the world’s first self-sovereign identity (SSI) network. It exists to provide the human governance and trust frameworks to ensure the integrity of a distributed permissioned network. The Sovrin Foundation is designed to establish trust through transparency, diffusion, and neutrality.

It is essential that the advanced technology utilized by everyone depending on the Sovrin Foundation’s framework is secure. That technology protects many valuable assets, including private personal information and essential business data. As a result, it is critical that the Foundation is fully aware of risks and vulnerabilities in the framework. In addition, the Sovrin Foundation would benefit from having a roadmap for future security investment opportunities.

Engage Identity is a leader in the security and identity industry. Established and emerging cryptographic identity protocols are one of our many areas of expertise. We have extensive experience providing security analysis and recommendations for identity frameworks.

The Engage Identity team is led by Sarah Squire, who has worked on user-centric open standards for many organizations including NIST, Yubico, and the OpenID Foundation. Sarah will be joined by Adam Migus and Alan Viars, both experienced authorities in the fields of identity and security.

The final report will be released this summer, and will include a review of the current security architecture, as well as opportunities for future investment. Anticipated subjects of in-depth research are:

  • Resilience to denial of service attacks
  • Key management
  • Potential impacts of a Sovrin-governed namespace
  • Minimum technical requirements for framework participants
  • Ongoing risk management processes

Both the Sovrin Foundation and Engage Identity are excited to take this new step forward together to ensure that the future of self-sovereign identity management can thrive and grow.

“Move Health Data Forward” Challenge Winners Announced

I am a judge for Health and Human Service’s “Move Health Data Forward” challenge. I’m very proud to announce that the Phase I winners have been chosen! Each winner will use their $5,000 reward to implement prototypes based on the HEART OAuth and UMA profiles that Engage Identity has contributed significantly to over the last few years. Two of these projects will eventually go on to win a total of $75,000 to help take their products to market. Here are the Phase I winners:

  • TrustedCare and ARM: TrustedCare and ARM aim to develop devices that enable patients to interact with multiple providers in a secure, authenticated and auditable manner—helping to improve coordinated care in accountable care organizations by using open standards.
  • CedarBridge Group LLC: The CareApprove™ solution allows consumers to consent to share their health information with their health care providers from their smartphone and optionally to choose which sections of information may be shared with a given provider.
  • EMR Direct: EMR Direct’s HealthToGo™ service aims to facilitate the deployment of applications that can integrate patient data from multiple data holders through software that supports scalable deployment of APIs. This will enable consumers to manage sharing of their health information, and improve the accessibility of patient health data.
  • Foxhall Wythe LLC: Docket™ optimizes patient-health care provider communication by empowering mobile users to securely maintain their critical health information and authorize the transmission of that information to trusted care professionals.
  • kreateIoT, Technatomy, & Koncero: The solution provides individuals with the power to both access their health information electronically and also actively direct their health information’s flow to help make informed decisions through a browser on a laptop or mobile application. The team is using Substitutable Medical Apps Reusable Technologies (SMART) and Fast Healthcare Interoperability Resources (FHIR) to create a secure way of sharing sensitive patient data.
  • Lush Group, Inc.: The Lush Group’s HealthyMePHR system allows patients to import their health information from their primary care provider’s electronic health record (EHR) system, define how it is shared with others, and authorize electronic access. Additional features will accelerate patient clinical data sharing on a patient-by-patient basis.
  • Live and Leave Well, LLC: Live and Leave Well is an end-of-life planning platform designed to help individuals create, manage and share end of life plans using API technology.
  • SpunJohn Consultants, LLC: MedGrotto gives patients an easy, simple and secure platform to store and access their complete health record while sharing with their providers and/or surrogates with fully customizable access levels from any device, anytime and anywhere.
  • Thoughtkeg Application Services Corporation: An enhanced patient portal web application that uses modern web technologies for front-end design that is responsive to users and enables patients and their proxies to control the movement of their health data.
  • Resilient Network Systems, Webshield & SAFE Biopharma®: Resilient Network Systems partnered with WebShield Inc., SAFE-BioPharma, Carebox and InterSystems to create a solution that gives consumers the ability to conveniently access and share their own health records on demand. The solution will demonstrate a unique nationwide capability to conveniently verify a consumer’s identity, locate and electronically request a consumer’s records, and deliver them to a secure cloud-based personal storage service.

Find out more about the challenge in the official announcement from HHS.

What’s Happening at the OpenID Foundation?

The OpenID Foundation is a standards developing organization. They promote, protect and nurture the OpenID community and technologies. They meet twice a year in fall and spring. These are the highlights of their Fall 2016 meeting.

OpenID Connect

Right now the group is working on logout protocols. There are three approaches being considered: session management, front-channel logout, and back-channel logout. They are also working on new forms of OpenID Connect interoperability testing. OpenID certification enables OpenID Connect implementations to be certified as meeting the requirements of defined conformance profiles. Right now you can only certify an OpenID Connect provider, but the ability to certify OpenID RP libraries and instances is coming soon.

FastFed

Why aren’t SaaS app providers federating identity management? It’s hard, and other apps don’t support it. Today federation can take hours, days, or weeks. FastFed is going to create highly prescriptive configurations for SAML, OIDC, SCIM, and OAuth so that federation can be accomplished in minutes. Ideally an IdP admin can paste in metadata, answer some questions, get redirected to the app, answer a few more questions, get redirected back to the IdP, a few tests are run, and federation is complete.

HEART

HEART is profiling OAuth, OpenID Connect, and UMA for the healthcare vertical. They are focused on patient-driven use cases. They are making two sets of specifications – mechanical specifications to enable security and interoperability, and semantic specifications that adapt each protocol to the healthcare field and specifically the FHIR standard.

MODRNA

MODRNA stands for Mobile Operator Discovery, Registration & autheNticAtion. GSMA created Mobile Connect for secure universal digital authentication leveraging OpenID Connect. MODRNA was created to support this evolution. Members include people from the OpenID community as well as mobile carriers. They are working on three standards – MNO discovery, set up of credentials, and authentication requests.

Enhanced Authentication Profile

This working group defines how to do token-bound OpenID Connect ID Tokens. This binds the ID token to the user’s TLS session so that it cannot be replayed out of context. There is a version of OpenSSL that supports token-binding that Google is looking at open sourcing.

iGov

iGov is looking at how the HEART mechanical profiles can be used in a government context. They are also looking at hubs and proxies and how they can be used to enable and/or prevent blinding. In common-law countries, commercial IdPs are acting as identity providers for governments. In other countries, government identities are used by the private sector. Some are a hybrid of the two.

Account Chooser

Account chooser is a user interface that allows users to easily see and choose from accounts they have logged in with before. A website can request to use account chooser, and if the user consents, the user’s existing accounts can easily be displayed without the website having any previous knowledge of the user’s external accounts. Google has proposed a re-charter to rename the project Open YOLO (you only login once). They would like to expand the scope to include a password manager interaction and actual code libraries.

RISC

The RISC (Risk and Incident Sharing and Coordination) working group came about a couple of years ago after there was a big credential spill on the internet and many Gmail accounts were compromised. When an email account is compromised it can be used to reset the password of any account for which it is registered as a recovery address. Email providers need a way to broadcast that an account has been compromised and shouldn’t be used elsewhere for account recovery. There is also value in sending an event if a user resets a password or if an email account is recycled to a new user.

Financial API

Many financial data aggregators use credential replay and screen scraping. This working group is attempting to specify APIs so that financial service providers can be interoperable. They are approaching this goal in two parts: part one is read-only, and part two is read/write. Possible APIs would be accounts, customers, products, and error codes.