cis14: knowing vs. asking: innovation in user recognition

Posted on 02-Dec-2014


DESCRIPTION

Pam Dingle, Ping Identity. Walk-through of simple changes in approach—away from the traditional stateless authentication model—that can have a radical effect on what a user might be asked to do, and how they are asked to do it, with a demonstration of recommended methods.

TRANSCRIPT

KNOWING VS ASKING INNOVATION IN USER RECOGNITION

Pamela Dingle @pamelarosiedee Office of the CTO, Ping Identity

day one

day two

day five-hundred eighty five

State of the Industry

Compartmentalization

Photo credits: https://www.flickr.com/photos/bensonkua/2754312951; The US Army https://flic.kr/p/bExfoR; Leo Reynolds https://flic.kr/p/nfxqQG; Ginny https://flic.kr/p/5V9Viy; https://www.flickr.com/photos/bensonkua/2754312951/in/photostream/

Today: Stranger Flow (diagram: IDP and RP)

We need one more representation

Our Lexicon must grow to Encompass Hints

•  What is a hint?
   –  Statement based on probability but lacking authority
   –  Multiple evolutions evolving into the concept of a Hint
•  Passive Factors / Real-time analytics
•  Cached previous data
•  Account Chooser

Security Posture should never be OSFA again

•  It isn’t 1995 anymore
•  The device to user ratio has inverted
•  In the 1st world at least, 5-year olds have iPads
•  You can’t abandon the 1995 flow but you can choose who to offer it to

Tomorrow: Friendly Flow (diagram: IDP and RP)

That must be dangerous!

Because, Security

Photo credit: Xavi Talleda https://flic.kr/p/997LWwv

Session bound with Context allows us to help “friendlies”

But what tooling allows contextual collaboration across domains?

Two Flow Elements
•  Continuation Flow
   –  Is there some context that can forecast an identifier and/or idp?
•  Bootstrap flow
   –  No continuation exists
   –  Is there a way to introduce the user & idp to the flow?

Hint Spectrum

Login Hint

Refresh Token

Previously Issued IDToken

Shared Signal

Expired Token & context assertion embedded in signed AuthnRequest

Login Hint

•  Exactly the information the user would have to type themselves anyway
   –  User Identifier
   –  IDP
•  Equivalent to “Remember me” (but crossing domains)

How can an RP derive a Login Hint?

•  Continuation Flow
   –  Check the expired session cookie
   –  Dig up the previous id_token
•  Bootstrapping Flow
   –  Ask for it (NASCAR, OpenID) (ie – stranger flow)
   –  Query a common authority
      •  CDC, Account Chooser

Photo credit: Dave Carter https://www.flickr.com/photos/david_s_carter/3041065755

Bootstrapping == Discovery?

Choosers FTW


Bootstrapping

    HTTP/1.1 302 Found
    Location: https://server.example.com/authorize
      ?response_type=code
      &scope=openid%20profile%20email
      &client_id=s6BhdRkqt3
      &state=af0ifjsldkj
      &redirect_uri=https%3A%2F%2Fclnt.example.org%2Fcb
      &login_hint=patty%40integralcurve.com

Continuation

    {
      "iss": "s6BhdRkqt3",
      "aud": "https://server.example.com",
      "response_type": "code id_token",
      "client_id": "s6BhdRkqt3",
      "redirect_uri": "https://client.example.org/cb",
      "scope": "openid",
      "state": "af0ifjsldkj",
      "nonce": "n-0S6_WzA2Mj",
      "max_age": 86400,
      "id_token_hint": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzcK5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg"
    }

An attacker who emulates the login hint only gets this far
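The two slide snippets above show a login_hint riding on a 302 redirect (bootstrapping) and an id_token_hint carried in a request object (continuation). The Python below is an added example, not part of Pamela Dingle's deck or any Ping Identity code: a toy RP that derives a hint from continuation context or falls back to asking, and a toy OP that treats the hint as exactly that. The endpoint, client_id, redirect_uri and "patty@integralcurve.com" reuse the slide's example values; the HMAC signing key (a stand-in for an OP's real asymmetric keys published via JWKS), the session dictionary shape, the "sub" value and all function names are constructed for this example.

```python
# Added example (not from the talk): toy RP and OP showing how a login hint is
# derived (continuation vs. bootstrap), how it rides on the authorize request,
# and why a forged hint buys an attacker nothing but a prefilled login form.
# Endpoints and identifiers reuse the slide's example values; the signing key,
# session shape and function names are constructed for this example.
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

OP_ISSUER = "https://server.example.com"        # from the slide
OP_AUTHORIZE = OP_ISSUER + "/authorize"
CLIENT_ID = "s6BhdRkqt3"                         # from the slide
REDIRECT_URI = "https://client.example.org/cb"   # from the slide
OP_SIGNING_KEY = b"constructed-demo-hmac-key"    # constructed; a real OP uses RSA/EC keys published via JWKS


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict) -> str:
    """OP side: compact HS256 JWT, a stand-in for the OP's real signer."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(OP_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token_signature(token: str) -> Optional[dict]:
    """OP side: claims if the signature is ours, else None. Expiry is deliberately
    not checked here: an expired token is still a perfectly good *hint*."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(OP_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def derive_login_hint(session: dict) -> Tuple[Optional[str], Optional[str], str]:
    """RP side. Returns (login_hint, id_token_hint, flow).
    Continuation: something from a previous visit forecasts the identifier.
    Bootstrap: nothing to go on, so the RP has to ask (NASCAR page, Account Chooser)."""
    prev = session.get("previous_id_token")
    if prev:
        # The RP validated this token when it was first issued; here it only reads it back.
        claims = json.loads(_b64url_decode(prev.split(".")[1]))
        return claims.get("email") or claims["sub"], prev, "continuation"
    if session.get("expired_session_email"):
        return session["expired_session_email"], None, "continuation"
    return None, None, "bootstrap"


def build_authorize_url(state: str, login_hint: Optional[str] = None,
                        id_token_hint: Optional[str] = None) -> str:
    """RP side: the 302 Location from the Bootstrapping slide, with the hint attached."""
    params = {
        "response_type": "code",
        "scope": "openid profile email",
        "client_id": CLIENT_ID,
        "state": state,
        "redirect_uri": REDIRECT_URI,
    }
    if id_token_hint:
        params["id_token_hint"] = id_token_hint   # strong hint: signed by the OP itself
    elif login_hint:
        params["login_hint"] = login_hint         # weak hint: whatever the RP believes
    return OP_AUTHORIZE + "?" + urlencode(params)


def op_handle_authorize(url: str) -> dict:
    """OP side: decide what the user is asked to do. Hints shape the prompt but never
    replace authentication, so no authorization code is ever issued from here."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "id_token_hint" in q:
        claims = verify_id_token_signature(q["id_token_hint"])
        if claims and claims.get("aud") == q.get("client_id"):
            # Our own signature, issued to this client: offer the friendly flow
            return {"action": "authenticate", "prefill": claims.get("email") or claims["sub"], "flow": "friendly"}
        # Unverifiable hint: ignore it and fall back to asking
    if "login_hint" in q:
        # Prefill only. Someone who merely emulates the login hint ends exactly here.
        return {"action": "authenticate", "prefill": q["login_hint"], "flow": "stranger"}
    return {"action": "choose_account", "prefill": None, "flow": "stranger"}


if __name__ == "__main__":
    token = mint_id_token({"iss": OP_ISSUER, "aud": CLIENT_ID, "sub": "248289761001",
                           "email": "patty@integralcurve.com"})   # constructed identity
    hint, id_hint, flow = derive_login_hint({"previous_id_token": token})
    print(flow, op_handle_authorize(build_authorize_url("af0ifjsldkj", hint, id_hint)))
    print("forged", op_handle_authorize(build_authorize_url("af0ifjsldkj", "patty@integralcurve.com")))
```

The slide's point falls out of the OP handler directly: nothing in it returns an authorization code. A signed id_token_hint that the OP can verify earns the user a friendlier prompt; a bare login_hint only prefills the identifier field, and an id_token_hint with a bad signature is treated as no hint at all rather than as a reason to trust anyone.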

Photo credit: https://www.flickr.com/photos/bensonkua/2754312951/in/photostream/

Thanks!

@pamelarosiedee http://pingidentity.com

http://eternallyoptimistic.com
