Stepping Towards a Password-Free World

eBay Identity has taken an ambitious goal of killing passwords for eBay users once for all. However, killing passwords is not a trivial task, as users have been using passwords as a primary authentication mechanism to access e-commerce and financial websites over the past 20+ years.

Even with the advent of multi-factor authentication (MFA) mechanisms like one-time passwords (OTP), voice, touch, and face, passwords still prevail as the primary factor for authentication. The adoption rate for these MFA mechanisms is still not substantial, which helps us to understand that users are not comfortable moving away from passwords. We’re aiming to make a password-less experience one that users feel comfortable using, while keeping their trust.

eBay Identity’s core strategy is “Seamless when possible, friction when needed.” As part of this journey toward providing seamless access to eBay users without passwords, we launched Google Sign-In for Android last year. We even open sourced “Universal Authentication Framework (UAF),” a component mainly focused on password-free authentication working with FIDO Alliance. We also enabled Touch ID and Face ID on devices that supported them as soon as they were launched.

The user on-boarding experience becomes a key factor in realizing this ambitious vision of removing passwords. Because the legacy on-boarding service was running on a monolithic SOA service that was built in 2005, we were not able to make rapid changes to the on-boarding experience. We were crawling when we were supposed to fly. To change the way a user on-boarded with eBay, we had to be on a platform that supported quick Live to Site. So, we took up the task of creating a new user on-boarding service, using latest coding standards, that can facilitate seamless on-boarding of customers to eBay. We recently launched the new on-boarding service live to the customers.

User lifecycle at eBay

UserStateDiagram

Service overview

The on-boarding service is a state-of-the-art RESTful service that focuses on exposing a portfolio of service operations aimed at managing the complete user life cycle within eBay. We hear about password breaches every day, which reiterates the requirement of sufficient risk checks during account creation.

At eBay Identity, we embed security and risk detection at every phase of user state management. The on-boarding service integrates with various components and microservices, which helps provide seamless access to the user and add friction when needed. Let’s take a look the various components involved in making the service seamless and secure:

  • Device Profiling

  • RateLimiter

  • SMART

  • Buyer Risk Detection and Remedy

  • Offline Risk evaluation

  • Session creation

Architecture

Architecture

Orchestration

The service is a combination of a domain service and an orchestration service. The service takes care of all aspects of security and risk by integration with a bunch of microservices. Given microservices integration, parallelizing tasks becomes a key to have a robust service-level agreement (SLA) on the service. The Raptor Orchestration framework comes to the rescue to support both parallelizing and managing dependencies across multiple services.

Key components

Device profiling

We run device profiling as part of on-boarding, and feed in the device signature details to Risk systems. These device signature details are used during subsequent sign in and transaction flows to validate the user authority. Device information is one of the key signals to the risk system in detecting and preventing ATO (Account Take Over) for the user.

Ratelimiter

Like all other commerce OS services, the onboarding service is also protected by OAuth. To prevent distributed denial of service (DDOS), the on-boarding service is well-protected by multiple layers of rate limiters using our new rate limiting system, Shield. This guarantees throttling traffic based on IP and applications invoking the on-boarding service. Apart from these security measures, we also have client-based whitelisting for the service and whitelisting even at the individual operation level. This means that only specific clients can request specific operations.

SMART

Project SMART (Stopping Mass Registration At near Real Time) is aimed at stopping DDOS and other BOT attacks while on-boarding users. Every account that is created in eBay goes through a SMART risk assessment system, which runs a whole lot of velocity checks against user attributes and device signature attributes. If the SMART system flags an account during on-boarding, then the account creation might be blocked or a challenge issued. This challenge is usually a captcha, but this can be enhanced in the future.

Verification

Every user trying to onboard with eBay is also subjected to a risk check. As a part of this process, information such as the IP of the machine, useragent of the browser, etc., is used in assessing the risk level of the account as HIGH or LOW. Based on this risk level, all HIGH risk users will be either blocked or challenged with email, phone, and or credit card verification to confirm their identity. The user will be on-boarded only when this verification step is complete.

Session Creation

After account creation, the session for the new user is also provided for by the service, as it returns either cookies or a token. The cookies returned by the service can be directly used by the clients to create a web session for the newly created account. The token, encoded with user credentials, can be used by mobile clients to create a session in native applications.

Whats next?

Given that the new state-of-the-art on-boarding system gives us the ability to run, now it's time to spread our wings and fly. Social sign up is the next big step in the on-boarding experience charter. Social sign up focuses on delegating authentication to social websites. Another big stride in account management would be the ability to handle sub-accounts. A clear separation between an account and a login provides many opportunities to explore.