Ford is terrible at credential management (PAAK rant)
In general I like my Ford Mach-E (or Mustang Mach-E, or MME, or whatever), but every now and again I run into a rough edge because Ford is really bad at technology. Today’s rough edge is in how they manage credentials for the Phone As a Key (PAAK) feature. For those who aren’t familiar, PAAK lets you use your phone as a key fob. It’s great; every car should offer it. Needing to carry a fob feels so last decade 😛.
The rough edge appears when you need to deauthorize a key, and you don’t have the mobile device that has the key installed on it. This might sound like an edge case, but hear me out, it’s not. People lose their phones. People get their phones stolen. People hard reset their phones without thinking about whether they have their old phone enrolled in PAAK. There’s also a hostile actor use case, but that’s probably less common (use a valet code instead).
Let’s talk about how Ford’s PAAK works. I can enroll up to four mobile devices; each one gets some kind of credential, probably a certificate, but let’s call it a key. Each of these mobile devices controls its own enrollment, on the device itself. The only way to deenroll is to delete the key on the device that holds it. I can’t delete anyone else’s key, and neither can Ford. The only way to deenroll a key for a device that you no longer have access to is to deenroll all the keys. Who designs a credential/identity system like that?
I understand, kind of, that a user couldn’t deauthorize a key for another device from the FordPass app. There probably should be some kind of superuser account that makes it possible to do that in the car or something. There is a master key code for setting up door codes, so maybe leverage that. But I can see why it might be more trouble than it’s worth to provide that functionality to end users. That Ford can’t reach into their database and drop a single key that they can see (a CSR confirmed that) is mind-blowing. I shouldn’t have to scorched-earth the entire credential system when my wife’s phone gets stolen. That’s ridiculous. Phones get stolen. That’s just poor design. No other way to say it.
Designing for deenrollment/deauthorization is a standard thing in any identity management system. I work primarily in the Microsoft space, so for my convenience I’m going to talk about this in terms of Active Directory (AD). Guessing most of you are familiar enough with AD that I don’t have to explain too much. But could you imagine if the only way to deactivate (or delete) a user object were for the user to do it themselves, or the only way to remove one user’s access from Exchange were to delete everyone’s account and start over again? That’s how Ford’s PAAK works. 🤯
The more I think about it, the more I wonder if it’s a deeper problem with how it’s designed. Maybe the issue isn’t that Ford didn’t bother to surface the functionality. Maybe they designed an insecure system that can’t deauthorize keys without access to the key that needs to be deauthorized.
I haven’t dug into what’s possible with mobile devices and certificate management, but this feels like it should be a solved problem. Systems for provisioning device (client) certificates via PKI have existed for ages, and they provide this functionality. Seems like a decent model to work from.
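To make the design difference concrete, here is a toy vehicle-side key registry in Python. It is an added illustration, not Ford’s code, and nothing here reflects its real protocol or data model: the HMAC challenge-response over a per-device secret, the device ids and the method names are all assumptions. The point is the contrast between a deenrollment that needs the phone’s own secret (or wipes every key) and a per-device revoke that needs neither.

```python
import hmac
import hashlib
import secrets

MAX_KEYS = 4  # the post says up to four mobile devices can be enrolled


class PaakRegistry:
    """Vehicle-side allowlist of enrolled phone keys (constructed model).

    Each entry maps a device id to a per-device secret that stands in for
    whatever credential the phone is actually provisioned with.
    """

    def __init__(self):
        self.keys = {}  # device_id -> secret held by that phone

    def enroll(self, device_id):
        """Provision a fresh secret for a phone; returns what the phone stores."""
        if len(self.keys) >= MAX_KEYS:
            raise ValueError("enrollment limit reached")
        secret = secrets.token_bytes(32)
        self.keys[device_id] = secret
        return secret

    def challenge(self):
        return secrets.token_bytes(16)

    def verify(self, device_id, nonce, response):
        """Unlock check: the phone must prove possession of its enrolled secret."""
        secret = self.keys.get(device_id)
        if secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    # The model the post describes: only the key holder can remove its own key.
    def delete_own(self, device_id, secret):
        """Deenroll succeeds only with the secret, i.e. only from the phone itself."""
        stored = self.keys.get(device_id)
        if stored is not None and hmac.compare_digest(stored, secret):
            del self.keys[device_id]
            return True
        return False

    def reset_all(self):
        """The only remote option in that model: drop every key, every phone."""
        self.keys.clear()

    # What a per-device revocation model adds: the owner removes one entry.
    def revoke(self, device_id):
        """Remove a single device without needing access to that device."""
        return self.keys.pop(device_id, None) is not None


def phone_respond(secret, nonce):
    """What the phone computes when the car challenges it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()
```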
The last time this happened, it was kind of my fault. My wife got a new phone, and I didn’t think about it before she hard reset the old device and handed it in. Kind of my bad, but seriously… This time, her phone was stolen. I figured it was worth calling up Ford to see if anything had changed since the last time. Nope.
Did I mention that Ford is really bad at technology 😉.