authentication.next
DESCRIPTION
Three trends are changing the calculus of authentication: increased use of modern identity proofing, broader adoption of adaptive authentication, and local mobile biometrics.
TRANSCRIPT
From Kerberos to FIDO: The Future of Authentication
Mark Diodati
@mark_diodati
Thurs 13-07-11
The immutable calculus of authentication is changing
Modern identity proofing
Adaptive authentication
Local mobile biometrics
[Chart: Authentication; axes: Identity Assurance versus Un-Usability and Cost]
Identity assurance
Identity Assurance
• The goal of authentication
• Level of confidence about the authenticating user
• Required for a reliable identity infrastructure
– Security policies rely upon identification of the user
• Applications have different risk profiles and therefore different assurance requirements
Identity Assurance—Components
• Three components build identity assurance
– Primary authenticator – attributes including security, number of factors
– Identity proofing – authentication processes to bind the user to the authenticator
– Secondary methods
• Used in conjunction with primary authenticator
• Best example is adaptive authentication
• Layering is essential
[Chart: Primary Authenticator Assurance; Identity Assurance (vertical) against Primary Authenticator (horizontal): Password, OTP, Smart Card]
Modern identity proofing
Identity Assurance—Identity Proofing
[Figure: Authentication Lifecycle; stages: Initialization, Elevated Access Changes, Emergency Access, Termination]
Identity Proofing
Static Knowledge-Based Authentication (KBA)
• Mom’s maiden name?
• Easily guessed and administratively-known answers
• Low proofing value
• Known users
Dynamic Knowledge-Based Authentication (KBA)
• Intersection near your high school? Amount last paid for mortgage?
• Medium proofing value
• Unknown and known users
Out-Of-Band (OOB) Proofing
• Interaction via IVR telephone, SMS
• High proofing value
• Known users
Identity Proofing
Static Knowledge-Based Authentication (KBA)
• Notorious usability problems
• Unsuitable for everything except low assurance scenarios
• Many organizations have replaced static KBA with OOB
• Regulatory pressure will limit its use in the future
Dynamic Knowledge-Based Authentication (KBA)
• Best for unknown users (e.g., payday loans, gift card and rewards programs)
• Has a solid future in use cases where little is known about the user
Out-Of-Band (OOB) Proofing
• The way to go for known users (regardless of constituency)
• Improves identity assurance
• Represents the path forward
[Chart: Modern Proofing; Identity Assurance versus Un-Usability and Cost]
Importance of Identity Proofing
[Chart: Identity Assurance (vertical) against Primary Authenticator (horizontal): Password, OTP, Smart Card, with an Identity Proofing component]
Adaptive authentication
Adaptive Authentication
[Figure: risk signals: Device ID, IP Blacklist, Geolocation, Behavioral Biometrics; example transactions: Bill pay $349, Bill pay $610, EFT $2,000,000]
Adaptive Authentication
Products
– Consumer authentication
– Federation and SSO products
– SIEM
– Identity and access governance
[Chart: Adaptive Authentication; Identity Assurance versus Un-Usability and Cost]
[Chart: Adaptive and Proofing; Identity Assurance versus Un-Usability and Cost]
Adaptive Over Time
• Successful authentication systems deliver SSO
• They transition to an interoperable credential
– Password or smart card->KDC->ticket granting ticket
– OTP or password->WAM policy server->HTTP cookie
– Password->federation IDP->SAML
– X.509->OIDC IDP/OAuth AS->access and ID tokens
[Chart: Adaptive Over Time; Identity Assurance against Lifetime of credential]
Local mobile biometrics
The Smartphone
[Figure: Beloved (always); In possession (almost always); User-purchased (sometimes)]
The Mobile Biometric Device
[Figure: Portable Biometric Device: Accelerometer (movement), Camera (facial recognition), Microphone (voice)]
FIDO—A Tale of Two Protocols
• FIDO Unified Authentication Framework (UAF)
– Local mobile biometrics
– Initially proposed by Lenovo, Nok Nok, PayPal, others
– Also supports non-biometric authentication
• Universal Second Factor (U2F)
– “Smart” smart card
– Initially proposed by Google and Yubikey (first to partner)
FIDO: Local Mobile Biometrics
• FIDO Unified Authentication Framework (UAF)
– Replace PIN with biometrics for private key access
• FIDO Alliance announced in Feb 2013
– Backed by Lenovo, Nok Nok, PayPal, SecureKey, others
– Part of the original FIDO development effort
• Specification is still in process (unpublished)
– Goal: to be the primary authenticator
– Use cases focus on mobile devices
Local Mobile Biometrics—UAF
[Diagram: FIDO authenticator(s) holding device attestation, a device key pair and site-specific key pairs; FIDO Client; FIDO Server at the web site/RP, alongside ID Proofing and a FIDO Attestation Service. Flow: (1) user authentication to FIDO client; (2) FIDO handshake; (3) asymmetric key authn; binding of user info and public key at the RP]
UAF—Transitioned
[Diagram: FIDO client with FIDO authentication module; OpenID Connect authorization server; OAuth resource server; a mobile application (relying party). Flow: (1) user authentication to FIDO client; (2) FIDO handshake; (3) asymmetric key authn; binding of user info and public key; (4) token information; (5) API request/response carrying the tokens]
[Chart: Local Mobile Biometrics; Identity Assurance versus Un-Usability and Cost]
FIDO: Universal Second Factor
“Smart” Smart Card
• FIDO Universal Second Factor (U2F)
– Backed by Google
– Moved into FIDO alliance in early 2013
• Beta started in early 2013
– Hardware partner: Yubico
– Goal: to be the secondary authenticator
“Smart” Smart Card
• FIDO Universal Second Factor (U2F)
– Use cases focus on PCs, laptops
• Hardware is USB or NFC
• Not so for software-based keystores
– Chrome browser integration is key
• Direct signing functions with the device
– Overcomes two hurdles of traditional smart cards
• Certificate management
• Hardware device drivers, MS-CAPI/CNG
“Smart” Smart Card (U2F)
[Diagram: U2F token with a device key pair (per batch), site-specific key pairs (with Key Handles) and an activation button (activation required during enrollment and optional at runtime); web site/RP with a site authn service and a U2F authn service; attestation service for device attestation. Flow: (1) user password auth; (2) challenge response, with Key Handle; the RP stores user info, public key and Key Handle]
U2F Transition
[Diagram: Federation IDP with a primary authn service and a U2F authn service; Federation SP. Flow: (1) user password auth; (2) challenge response, with Key Handle; the IDP stores user info, public key and Key Handle; (3) SAML credentials; (4) SAML credentials to the Federation SP]
UAF and U2F Commonality
• Both aspire to raise identity assurance levels
• Neither transitions to an interoperable token type (e.g., SAML, OAuth)
• Both use a unique public key pair for each web site (RP)
• Both enable an RP to perform device attestation
– UAF – unique key pair per device
– U2F – unique public key per “batch” of hardware tokens
• Both leverage distributed authentication
– Neither requires an authentication authority
– Good for scalability
– The UAF service may need it for device registration and user enrollment
UAF and U2F Commonality
• UAF and U2F mostly require browser interaction
– Google is working on app-specific implementations
• UAF is more difficult: it introduces integration issues with mobile applications
– No defined way to interact with applications to provide SSO, particularly iOS
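As an added example (not code from this talk or from the FIDO specifications), the U2F challenge-response exchange and the "unique key pair per RP" property described above, modelled in Go with the standard library: the token mints a P-256 key pair per registration and returns an opaque Key Handle, refuses to sign for a Key Handle minted for another RP, and the RP verifies the signature and checks that the token's signature counter advanced. The signed message is a simplified form of U2F's (app ID hash, counter, challenge hash; the user-presence byte and per-batch device attestation are omitted), and the app IDs and challenges are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
type siteKey struct{ appID string; priv *ecdsa.PrivateKey } // site-specific key pair and the RP it was minted for
// Authenticator models a U2F-style token: a fresh key pair per registration plus a signature counter.
type Authenticator struct {
	keys    map[string]siteKey // Key Handle -> site-specific key; private keys never leave the token
	counter uint32
}
func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]siteKey{}} }
// Register mints a new key pair for appID; the RP stores the returned Key Handle and public key.
func (a *Authenticator) Register(appID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	raw := make([]byte, 16)
	rand.Read(raw) // the Key Handle is an opaque byte string the RP hands back at authentication time
	a.keys[string(raw)] = siteKey{appID, priv}
	return string(raw), &priv.PublicKey, nil
}
// assertionDigest binds a signature to the RP (appID), the token counter and the RP's challenge
// (simplified U2F layout: no user-presence byte).
func assertionDigest(appID string, counter uint32, challenge []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	ctr := []byte{byte(counter >> 24), byte(counter >> 16), byte(counter >> 8), byte(counter)}
	d := sha256.Sum256(append(append(app[:], ctr...), chal[:]...))
	return d[:]
}
// Authenticate signs the challenge with the key behind handle, refusing handles minted for another RP.
func (a *Authenticator) Authenticate(appID, handle string, challenge []byte) (uint32, []byte, error) {
	k, ok := a.keys[handle]
	if !ok || k.appID != appID {
		return 0, nil, errors.New("key handle not issued for this app ID")
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, assertionDigest(appID, a.counter, challenge))
	return a.counter, sig, err
}
// VerifyAssertion is the RP check: the enrolled key verifies the digest and the counter advanced (no replay).
func VerifyAssertion(appID string, pub *ecdsa.PublicKey, challenge []byte, counter, lastSeen uint32, sig []byte) bool {
	return counter > lastSeen && ecdsa.VerifyASN1(pub, assertionDigest(appID, counter, challenge), sig)
}
```

Because the app ID hash is part of the signed message, a signature obtained for one RP cannot be replayed to another even if both RPs hold the same Key Handle.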
Potential UAF and U2F Integration
• UAF and U2F leverage common NFC secure element
– Improves identity assurance
– PC, laptop: USB
– Mobile: NFC
• UAF FIDO client integrates more deeply with Google Chrome
• U2F and UAF leverage a common device attestation service
Copyright ©2013 Ping Identity Corporation. All rights reserved.