posted: September 26, 2020
tl;dr: Why I advised a client several years ago not to trust WeChat as an identity provider...
As I watch the current U.S. administration take action to ban WeChat over concerns about national security, I think back to three to four years ago at my prior employer, when I advised a client not to use WeChat’s social login. My advice wasn’t driven by technical issues but rather by a more important issue that is all too often overlooked in software development: trust.
The client was a prestigious U.S. university, and the web application we developed for the client provided the alumni directory for the university. After logging into the webapp, alumni could search and peruse the alumni database, viewing biographical information about other alumni that those alumni had previously chosen to make visible to their fellow alumni. A critical element of the entire system was the trust that the alumni had in their alma mater. Knowing that the system was restricted to alumni, a given alum might be more willing to share personal details than they otherwise would be on a website that was accessible to the general public.
The university had its own identity provider: a system that stores and verifies usernames and passwords in order to grant access if a user provides the proper credentials. But most alumni don’t log into the alumni directory all that often, and may have lost or forgotten their university login credentials. So the university wanted to provide the ability for users to log in with their username and password from other, more popular, identity providers. Facebook, Google, and Twitter are three social media services that also offer the ability to function as an identity provider; this is why you will often see “login with Facebook or Google or Twitter” on a website or webapp. We used a third-party user authentication service from Auth0 (another widely used vendor is Okta) which featured built-in integrations with various identity providers, so it was easy to turn on this functionality.
Some people in the university’s alumni relations office also wanted us to integrate with WeChat, to allow users to access the alumni directory with their WeChat credentials. They noted that the university had a sizable and growing number of Chinese alumni, and WeChat is a widely used messaging service both within and outside of China. If we allowed users to log in with Facebook, Google, and Twitter credentials, why not WeChat?
I had to explain my position several times over the course of months, to various non-technical audiences. It wasn’t purely a matter of technology, although since I often get classified as a “techie”, people sometimes assume that’s the perspective from which I view the world. It was technically possible to do an integration with WeChat functioning as an identity provider. The real question, I carefully explained, was whether WeChat could be trusted as an identity provider.
There are several trust issues to consider. By delegating the user authentication to WeChat, the university would have to trust WeChat to only grant access to the appropriate users. This should be just the users who provide a valid username and password and who are authorized to access the alumni directory webapp. But in reality, the identity provider can provide access to anyone that they wish. You have to trust that the identity provider is not going to abuse their privilege and grant access to bad actors.
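To make that trust boundary concrete, here is an added example that is not code from this post, from Auth0, or from any real identity provider. It models a simplified social login: a hypothetical identity provider at `https://idp.example` signs an assertion about a user, and the alumni directory (the relying party) verifies it. Real OpenID Connect tokens are signed with RSA or ECDSA keys published via JWKS; an HMAC key is used here only so the example runs offline. The issuer, audience, key and membership entries are all constructed. The point it shows is that the relying party can verify a token is genuine, but it cannot control which subjects the provider chooses to vouch for; the one thing the relying party does control is its own authorization check against its own alumni records.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example; none come from the original post.
IDP_ISSUER = "https://idp.example"          # hypothetical identity provider
RP_AUDIENCE = "alumni-directory"            # hypothetical client id of the webapp
IDP_SIGNING_KEY = b"constructed-idp-key"    # held by the IdP (shared with the RP only because this is HMAC)

# The university's own membership record, keyed by (issuer, subject).
# Authentication is delegated to the IdP; authorization stays with the RP.
ALUMNI_MEMBERS = {
    (IDP_ISSUER, "sub-1001"): "alumna-A",   # constructed entry
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(subject: str, key: bytes = IDP_SIGNING_KEY,
                    issuer: str = IDP_ISSUER, audience: str = RP_AUDIENCE,
                    now: Optional[int] = None, ttl: int = 300) -> str:
    """The IdP side. The IdP alone decides the 'sub' claim: it can issue a
    perfectly valid token for any subject it wishes. That is the trust the
    relying party extends when it delegates authentication."""
    now = int(time.time()) if now is None else now
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl}
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def rp_verify_token(token: str, key: bytes = IDP_SIGNING_KEY,
                    issuer: str = IDP_ISSUER, audience: str = RP_AUDIENCE,
                    now: Optional[int] = None) -> Optional[dict]:
    """The RP side: accept only tokens that are correctly signed, come from
    the expected issuer, are addressed to this application, and are unexpired.
    Returns the claims on success, None on any failure."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # malformed base64 or JSON
        return None
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims


def rp_authorize(claims: dict) -> Optional[str]:
    """A verified token only proves what the IdP asserted. Whether that
    identity may see the directory is decided here, from the RP's own records,
    so an IdP vouching for a stranger gets that stranger no further than this."""
    return ALUMNI_MEMBERS.get((claims.get("iss"), claims.get("sub")))


def login(token: str, now: Optional[int] = None) -> Optional[str]:
    """Full relying-party flow: verify the assertion, then authorize locally."""
    claims = rp_verify_token(token, now=now)
    return rp_authorize(claims) if claims else None
```

The split between `rp_verify_token` and `rp_authorize` is the practical mitigation for the concern in the paragraph above: signature, issuer, audience and expiry checks stop forged or replayed tokens, but only a membership check the university runs itself bounds what a provider can grant by issuing tokens for subjects of its choosing.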
There are other trust issues involving the storage of usernames and passwords. You have to trust that the identity provider has the technical expertise to securely store this information so that it is never hacked. A hack might lead to unencrypted credentials ending up in the massive haveibeenpwned.com database, which has over 10 billion compromised accounts as of the time of this writing.
You also have to trust that this database of usernames and passwords is not going to be used by bad actors to try to log into other accounts. All too many people don’t use password managers and reuse the same password on multiple sites. Once a user’s password is known, that same username and password can be tried on other websites to see if it happens to work; if it does, then the bad actor gains access to that user’s account on other sites.
Should WeChat be trusted by a U.S.-based university? I am not privy to any of the details about the current national security concerns with WeChat, but there are some high-level facts which raise concerns. It’s well-known that the Chinese government does not allow regular citizens unfettered access to the Internet; it blocks traffic with the Great Firewall of China. Yet regular citizens can use WeChat; this means that WeChat operates with the approval of the Chinese government. To what extent does WeChat give the Chinese government access to the data collected by WeChat? What control does the Chinese government exert over WeChat? Who can know for certain?
As I described in my posts on outsourcing to China, one safe way to do business in China is to presume that any information provided will be copied and used for whatever purposes suit the recipient’s desires; hence avoid sharing sensitive information. By this standard, user credentials should not be stored in China. Another concern is a legal one: if a Chinese company violates a legal agreement or its own terms of service, does a U.S. entity have any legal recourse in China? It’s best not to get into this situation in the first place.
I was able to convince the university not to use WeChat as an identity provider. Had they done so, there’s a good chance they might be disabling that functionality now, given the actions the U.S. government is taking.