From Kerberos to FIDO: The Future of Authentication Mark Diodati @mark_diodati [email protected] Thurs 13-07-11

Upload: mark-diodati

Post on 28-Nov-2014


DESCRIPTION

Three trends are changing the calculus of authentication: increased use of modern identity proofing, broader adoption of adaptive authentication, and local mobile biometrics.

TRANSCRIPT

Page 1: Authentication.Next

From Kerberos to FIDO: The Future of Authentication

Mark Diodati

@mark_diodati

[email protected]

Thurs 13-07-11

Page 2: Authentication.Next

The immutable calculus of authentication is changing

Page 3: Authentication.Next

Modern identity proofing

Adaptive authentication

Local mobile biometrics

Page 4: Authentication.Next

[Chart: Authentication, plotting identity assurance (vertical axis) against un-usability and cost (horizontal axis)]

Page 5: Authentication.Next

Identity assurance

Page 6: Authentication.Next

Identity Assurance

• The goal of authentication

• Level of confidence about the authenticating user

• Required for a reliable identity infrastructure

– Security policies rely upon identification of the user

• Applications have different risk profiles and therefore different assurance requirements


Page 7: Authentication.Next

Identity Assurance—Components

• Three components build identity assurance

– Primary authenticator – attributes including security, number of factors

– Identity proofing – authentication processes to bind the user to the authenticator

– Secondary methods

• Used in conjunction with primary authenticator

• Best example is adaptive authentication

• Layering is essential

Page 8: Authentication.Next

Primary Authenticator Assurance

[Chart: Password, OTP and Smart Card plotted by identity assurance (vertical axis) against primary authenticator (horizontal axis)]

Page 9: Authentication.Next

Modern identity proofing

Page 10: Authentication.Next

Identity Assurance—Identity Proofing

[Diagram: Authentication Lifecycle: Initialization, Elevated Access, Changes, Emergency Access, Termination]

Page 11: Authentication.Next

Identity Proofing

Static Knowledge-Based Authentication (KBA)

• Mom’s maiden name?

• Easily guessed and administratively-known answers

• Low proofing value

• Known users

Dynamic Knowledge-Based Authentication (KBA)

• Intersection near your high school? Amount last paid for mortgage?

• Medium proofing value

• Unknown and known users

Out-Of-Band (OOB) Proofing

• Interaction via IVR telephone, SMS

• High proofing value

• Known users

Page 12: Authentication.Next

Identity Proofing

Static Knowledge-Based Authentication (KBA)

• Notorious usability problems

• Unsuitable for everything except low assurance scenarios

• Many organizations have replaced static KBA with OOB

• Regulatory pressure will limit its use in the future

Dynamic Knowledge-Based Authentication (KBA)

• Best for unknown users (e.g., payday loans, gift card and rewards programs)

• Has a solid future in use cases where little is known about the user

Out-Of-Band (OOB) Proofing

• The way to go for known users (regardless of constituency)

• Improves identity assurance

• Represents the path forward

Page 13: Authentication.Next

Modern Proofing

[Chart: identity assurance (vertical axis) against un-usability and cost (horizontal axis)]

Page 14: Authentication.Next

Importance of Identity Proofing

[Chart: Password, OTP and Smart Card plotted by identity assurance (vertical axis) against primary authenticator (horizontal axis), with Identity Proofing shown as an additional layer]

Page 15: Authentication.Next

Adaptive authentication

Page 16: Authentication.Next

Adaptive Authentication

[Diagram: signals feeding adaptive authentication: Device ID, IP Blacklist, transaction history (Bill pay $349, Bill pay $610, EFT $2,000,000), Behavioral Biometrics, Geolocation]

Page 17: Authentication.Next

Adaptive Authentication

Products

– Consumer authentication

– Federation and SSO products

– SIEM

– Identity and access governance

Page 18: Authentication.Next

Adaptive Authentication

[Chart: identity assurance (vertical axis) against un-usability and cost (horizontal axis)]

Page 19: Authentication.Next

Adaptive and Proofing

[Chart: identity assurance (vertical axis) against un-usability and cost (horizontal axis)]

Page 20: Authentication.Next

Adaptive Over Time

• Successful authentication systems deliver SSO

• They transition to an interoperable credential

– Password or smart card -> KDC -> ticket granting ticket

– OTP or password -> WAM policy server -> HTTP cookie

– Password -> federation IDP -> SAML

– X.509 -> OIDC IDP/OAuth AS -> access and ID tokens

Page 21: Authentication.Next

Adaptive Over Time

[Chart: identity assurance (vertical axis) against lifetime of credential (horizontal axis)]

Page 22: Authentication.Next

Adaptive Over Time

[Chart: identity assurance (vertical axis) against lifetime of credential (horizontal axis)]

Page 23: Authentication.Next

Local mobile biometrics

Page 24: Authentication.Next

The Smartphone

• Beloved (always)

• In possession (almost always)

• User-purchased (sometimes)

Page 25: Authentication.Next

The Mobile Biometric Device

Portable Biometric Device

• Accelerometer: movement

• Camera: facial recognition

• Microphone: voice

Page 26: Authentication.Next

FIDO—A Tale of Two Protocols

• FIDO Unified Authentication Framework (UAF)

– Local mobile biometrics

– Initially proposed by Lenovo, Nok Nok, PayPal, others

– Also supports non-biometric authentication

• Universal Second Factor (U2F)

– “Smart” smart card

• Initially proposed by Google and Yubikey (first to partner)

Page 27: Authentication.Next

FIDO: Local Mobile Biometrics

• FIDO Unified Authentication Framework (UAF)

– Replace PIN with biometrics for private key access

• FIDO Alliance announced in Feb 2013

– Backed by Lenovo, Nok Nok, PayPal, SecureKey, others

– Part of the original FIDO development effort

• Specification is still in process (unpublished)

– Goal: to be the primary authenticator

– Use cases focus on mobile devices

Page 28: Authentication.Next

Local Mobile Biometrics—UAF

[Diagram: UAF components and flow]

Components: FIDO authenticator(s) holding a device key pair (used for device attestation) and site-specific key pairs; FIDO Client; FIDO Server at the web site/RP; FIDO Attestation Service; ID Proofing.

Flow: (1) user authentication to FIDO client; (2) FIDO handshake between FIDO client and FIDO server; (3) asymmetric key authn. Registration produces the binding of user info and public key.

Page 29: Authentication.Next

UAF—Transitioned

[Diagram: UAF transitioned to OAuth/OpenID Connect tokens]

Components: FIDO client; a mobile application (relying party) with a FIDO authentication module; OpenID Connect authorization server; OAuth resource server.

Flow: (1) user authentication to FIDO client; (2) FIDO handshake; (3) asymmetric key authn; (4) token information (ID, access and refresh tokens); (5) API request/response to the OAuth resource server. Binding of user info and public key is held by the authorization server.

Page 30: Authentication.Next

Local Mobile Biometrics

[Chart: identity assurance (vertical axis) against un-usability and cost (horizontal axis)]

Page 31: Authentication.Next

FIDO: Universal Second Factor

Page 32: Authentication.Next

“Smart” Smart Card

• FIDO Universal Second Factor (U2F)

– Backed by Google

– Moved into FIDO alliance in early 2013

• Beta started in early 2013

– Hardware partner: Yubico

– Goal: to be the secondary authenticator

Page 33: Authentication.Next

“Smart” Smart Card

• FIDO Universal Second Factor (U2F)

– Use cases focus on PCs, laptops

• Hardware is USB or NFC

• Not so for software-based keystores

– Chrome browser integration is key

• Direct signing functions with the device

– Overcomes two hurdles of traditional smart cards

• Certificate management

• Hardware device drivers, MS-CAPI/CNG

Page 34: Authentication.Next

“Smart” Smart Card (U2F)

[Diagram: U2F components and flow]

Components: U2F token with a device key pair (per batch), site-specific key pairs (with Key Handles) and an activation button (activation required during enrollment and optional at runtime); web site/RP with a site authn service and a U2F authn service; attestation service.

Flow: (1) user password auth to the site authn service; (2) challenge response, with Key Handle, to the U2F authn service. The RP stores user info, public key and Key Handle; device attestation is checked against the attestation service.
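The challenge-response on this slide, as an added Go example that is not part of the original deck: a token mints a separate P-256 key pair per relying party and hands back an opaque key handle; at login the RP sends a fresh challenge, the token signs it together with the app ID, and the RP verifies with the public key it enrolled. App IDs, handles and challenge values are constructed, and the signed structure is a simplification of the real U2F message formats.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// Authenticator models a U2F-style token: one key pair per relying party, indexed by key handle.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register mints a fresh site-specific key pair; the RP enrolls the handle and public key.
func (a *Authenticator) Register() (handle string, pub *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	hb := make([]byte, 16) // opaque handle: the RP stores it and echoes it at login
	if _, err := rand.Read(hb); err != nil {
		panic(err)
	}
	handle = hex.EncodeToString(hb)
	a.keys[handle] = priv
	return handle, &priv.PublicKey
}

// signedData binds the signature to the RP's app ID and its fresh challenge (constructed layout).
func signedData(appID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(appID+"|"), challenge...))
	return h[:]
}

// Sign answers the challenge with the key behind the handle; a handle issued to another site yields nil.
func (a *Authenticator) Sign(appID, handle string, challenge []byte) []byte {
	priv, ok := a.keys[handle]
	if !ok {
		return nil
	}
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedData(appID, challenge)) // fails only on RNG error
	return sig
}

// Verify is the RP side: check the response against the public key enrolled for this user.
func Verify(appID string, enrolledPub *ecdsa.PublicKey, challenge, sig []byte) bool {
	return sig != nil && ecdsa.VerifyASN1(enrolledPub, signedData(appID, challenge), sig)
}
```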

Page 35: Authentication.Next

U2F Transition

[Diagram: U2F transitioned to SAML]

Components: Federation IDP with a primary authn service and a U2F authn service; Federation SP.

Flow: (1) user password auth to the primary authn service; (2) challenge response, with Key Handle, to the U2F authn service; the IDP holds user info, public key and Key Handle; (3) SAML credentials issued by the IDP; (4) SAML credentials presented to the Federation SP.

Page 36: Authentication.Next

UAF and U2F Commonality

• Both aspire to raise identity assurance levels

• Neither transitions to an interoperable token type (e.g., SAML, OAuth)

• Both use a unique public key pair for each web site (RP)

• Both enable an RP to perform device attestation

– UAF – unique key pair per device

– U2F – unique public key per “batch” of hardware tokens

• Both leverage distributed authentication

– Neither requires an authentication authority

– Good for scalability

– The UAF service may need it for device registration and user enrollment
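Device attestation as contrasted on this slide, added here as Go illustrating code that is neither the deck's nor the FIDO specifications' own: the attestation key (one per batch of tokens for U2F, one per device for UAF) signs the new site-specific public key at registration, and the RP's attestation service enrolls that key only if the signature checks against a trusted batch or device key. Batch IDs, app IDs and handles are constructed, and the signed structure is a simplification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
)

// AttestationKey is provisioned by the manufacturer: one per batch of U2F tokens, one per UAF device.
type AttestationKey struct {
	ID   string // batch or device identifier the RP's attestation service knows
	priv *ecdsa.PrivateKey
}

func NewAttestationKey(id string) *AttestationKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &AttestationKey{ID: id, priv: priv}
}

func (k *AttestationKey) Public() *ecdsa.PublicKey { return &k.priv.PublicKey }

// registrationData is what gets attested: the RP, the handle and the new site-specific public key.
func registrationData(appID, handle string, sitePub *ecdsa.PublicKey) []byte {
	der, err := x509.MarshalPKIXPublicKey(sitePub)
	if err != nil {
		panic(err)
	}
	h := sha256.Sum256(append([]byte(appID+"|"+handle+"|"), der...))
	return h[:]
}

// Attest runs on the token at registration: the attestation key signs the new site key.
func (k *AttestationKey) Attest(appID, handle string, sitePub *ecdsa.PublicKey) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, k.priv, registrationData(appID, handle, sitePub))
	return sig
}

// AttestationService is the RP side: the trust list of attestation public keys by batch or device ID.
type AttestationService struct{ Trusted map[string]*ecdsa.PublicKey }

// VerifyRegistration enrolls the site key only if a trusted attestation key vouched for it.
func (s AttestationService) VerifyRegistration(attID, appID, handle string, sitePub *ecdsa.PublicKey, sig []byte) bool {
	pub, ok := s.Trusted[attID]
	return ok && ecdsa.VerifyASN1(pub, registrationData(appID, handle, sitePub), sig)
}
```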

Page 37: Authentication.Next

UAF and U2F Commonality

• UAF and U2F mostly require browser interaction

– Google is working on app-specific implementations

• UAF more difficult - introduces integration issues with mobile applications

– No defined way to interact with applications to provide SSO, particularly iOS

Page 38: Authentication.Next

Potential UAF and U2F Integration

• UAF and U2F leverage common NFC secure element

– Improves identity assurance

– PC, laptop: USB

– Mobile: NFC

• UAF FIDO client integrates more deeply with Google Chrome

• U2F and UAF leverage a common device attestation service

Page 39: Authentication.Next

Copyright ©2013 Ping Identity Corporation. All rights reserved.