Authentication.Next
Page 1
From Kerberos to FIDO: The Future of Authentication
Mark Diodati
@mark_diodati
Thurs 13-07-11
Page 2
The immutable calculus of authentication is changing
Page 3
Modern identity proofing
Adaptive authentication
Local mobile biometrics
Page 4
Authentication (chart: Identity Assurance on the vertical axis, Un-Usability and Cost on the horizontal axis)
Page 5
Identity assurance
Page 6
Identity Assurance
• The goal of authentication
• Level of confidence about the authenticating user
• Required for a reliable identity infrastructure
– Security policies rely upon identification of the user
• Applications have different risk profiles and therefore different assurance requirements
Page 7
Identity Assurance—Components
• Three components build identity assurance
– Primary authenticator – attributes including security, number of factors
– Identity proofing – authentication processes to bind the user to the authenticator
– Secondary methods
• Used in conjunction with primary authenticator
• Best example is adaptive authentication
• Layering is essential
Page 8
Primary Authenticator Assurance (chart: Identity Assurance on the vertical axis, Primary Authenticator on the horizontal axis with Password, OTP and Smart Card)
Page 9
Modern identity proofing
Page 10
Identity Assurance—Identity Proofing
Authentication Lifecycle (cycle diagram): Initialization, Elevated Access, Changes, Emergency Access, Termination
Page 11
Identity Proofing
Static Knowledge-Based Authentication (KBA)
• Mom’s maiden name?
• Easily guessed and administratively-known answers
• Low proofing value
• Known users
Dynamic Knowledge-Based Authentication (KBA)
• Intersection near your high school? Amount last paid for mortgage?
• Medium proofing value
• Unknown and known users
Out-Of-Band (OOB) Proofing
• Interaction via IVR telephone, SMS
• High proofing value
• Known users
Page 12
Identity Proofing
Static Knowledge-Based Authentication (KBA)
• Notorious usability problems
• Unsuitable for everything except low assurance scenarios
• Many organizations have replaced static KBA with OOB
• Regulatory pressure will limit its use in the future
Dynamic Knowledge-Based Authentication (KBA)
• Best for unknown users (e.g., payday loans, gift card and rewards programs)
• Has a solid future in use cases where little is known about the user
Out-Of-Band (OOB) Proofing
• The way to go for known users (regardless of constituency)
• Improves identity assurance
• Represents the path forward
Page 13
Modern Proofing (chart: Identity Assurance on the vertical axis, Un-Usability and Cost on the horizontal axis)
Page 14
Importance of Identity Proofing (chart: Identity Assurance on the vertical axis against Primary Authenticator with Password, OTP and Smart Card, with Identity Proofing plotted alongside the Primary Authenticator)
Page 15
Adaptive authentication
Page 16
Adaptive Authentication (diagram: risk signals evaluated around a stream of transactions)
• Device ID
• IP Blacklist
• Behavioral Biometrics
• Geolocation
Sample transactions: Bill pay $349; Bill pay $610; EFT $2,000,000
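The diagram lists the signals an adaptive layer weighs before letting a transaction through. The Go program below is an added example (not from the deck or any product it names) that turns those four signals plus the transaction amount into a risk score and an allow / step-up / deny decision. The weights, thresholds, user name, device IDs, countries, keystroke timings and IP addresses (documentation ranges) are all constructed for this example.

```go
package main

import (
	"fmt"
	"math"
)

// Decision is what the adaptive layer tells the primary authenticator to do.
type Decision string

const (
	Allow  Decision = "allow"   // let the session proceed
	StepUp Decision = "step-up" // demand a secondary method (e.g., OOB) first
	Deny   Decision = "deny"    // refuse and raise an alert
)

// Request carries the signals observed with one transaction (constructed values).
type Request struct {
	User          string
	DeviceID      string  // Device ID signal
	IP            string  // checked against the IP blacklist
	Country       string  // geolocation signal
	KeyIntervalMs float64 // behavioral biometric: mean time between keystrokes
	Action        string
	AmountUSD     float64
}

// RiskEngine holds the per-user baselines the adaptive layer compares against.
type RiskEngine struct {
	KnownDevices  map[string]map[string]bool // user -> device IDs seen before
	IPBlacklist   map[string]bool
	HomeCountry   map[string]string
	TypingProfile map[string]float64 // user -> baseline mean keystroke interval
}

// Score sums weighted risk signals and returns the reasons, so an analyst can
// see why a step-up or denial happened. Weights are illustrative.
func (e *RiskEngine) Score(r Request) (int, []string) {
	score, reasons := 0, []string{}
	add := func(points int, why string) {
		score += points
		reasons = append(reasons, why)
	}
	if e.IPBlacklist[r.IP] {
		add(60, "source IP is blacklisted")
	}
	if !e.KnownDevices[r.User][r.DeviceID] {
		add(25, "device not seen before for this user")
	}
	if home, ok := e.HomeCountry[r.User]; ok && home != r.Country {
		add(20, "geolocation differs from home country")
	}
	if base, ok := e.TypingProfile[r.User]; ok && math.Abs(r.KeyIntervalMs-base)/base > 0.5 {
		add(15, "typing rhythm deviates from profile")
	}
	switch {
	case r.AmountUSD >= 100000:
		add(30, "very large transaction amount")
	case r.AmountUSD >= 1000:
		add(10, "elevated transaction amount")
	}
	return score, reasons
}

// Decide maps the score onto thresholds (also illustrative): low risk passes,
// medium risk triggers a secondary method, high risk is refused outright.
func (e *RiskEngine) Decide(r Request) Decision {
	score, _ := e.Score(r)
	switch {
	case score >= 70:
		return Deny
	case score >= 25:
		return StepUp
	default:
		return Allow
	}
}

// DemoEngine returns a RiskEngine populated with constructed baselines.
func DemoEngine() *RiskEngine {
	return &RiskEngine{
		KnownDevices:  map[string]map[string]bool{"alice": {"dev-1234": true}},
		IPBlacklist:   map[string]bool{"203.0.113.9": true},
		HomeCountry:   map[string]string{"alice": "US"},
		TypingProfile: map[string]float64{"alice": 120},
	}
}

func main() {
	e := DemoEngine()
	for _, r := range []Request{
		{"alice", "dev-1234", "198.51.100.4", "US", 125, "Bill pay", 349},
		{"alice", "dev-9999", "198.51.100.4", "US", 125, "Bill pay", 610},
		{"alice", "dev-1234", "203.0.113.9", "US", 125, "EFT", 2000000},
		{"alice", "dev-1234", "198.51.100.4", "US", 125, "EFT", 2000000},
	} {
		score, reasons := e.Score(r)
		fmt.Printf("%-8s $%-10.0f score=%3d %-7s %v\n", r.Action, r.AmountUSD, score, e.Decide(r), reasons)
	}
}
```

The point of returning reasons next to the score is operational: a step-up that fires without an explanation is hard to tune and hard to investigate, and the same reasons can be forwarded to the SIEM named on the next slide.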
Page 17
Adaptive Authentication
Products
– Consumer authentication
– Federation and SSO products
– SIEM
– Identity and access governance
Page 18
Adaptive Authentication (chart: Identity Assurance on the vertical axis, Un-Usability and Cost on the horizontal axis)
Page 19
Adaptive and Proofing (chart: Identity Assurance on the vertical axis, Un-Usability and Cost on the horizontal axis)
Page 20
Adaptive Over Time
• Successful authentication systems deliver SSO
• They transition to an interoperable credential
– Password or smart card -> KDC -> ticket granting ticket
– OTP or password -> WAM policy server -> HTTP cookie
– Password -> federation IDP -> SAML
– X.509 -> OIDC IDP/OAuth AS -> access and ID tokens
Page 21
Adaptive Over Time (chart: Identity Assurance on the vertical axis, Lifetime of credential on the horizontal axis)
Page 22
Adaptive Over Time (the same chart: Identity Assurance against Lifetime of credential)
Page 23
Local mobile biometrics
Page 24
The Smartphone
• Beloved (always)
• In possession (almost always)
• User-purchased (sometimes)
Page 25
The Mobile Biometric Device
Portable Biometric Device
• Accelerometer: movement
• Camera: facial recognition
• Microphone: voice
Page 26
FIDO—A Tale of Two Protocols
• FIDO Unified Authentication Framework (UAF)
– Local mobile biometrics
– Initially proposed by Lenovo, Nok Nok, PayPal, others
– Also supports non-biometric authentication
• Universal Second Factor (U2F)
– “Smart” smart card
– Initially proposed by Google and Yubikey (first to partner)
Page 27
FIDO: Local Mobile Biometrics
• FIDO Unified Authentication Framework (UAF)
– Replace PIN with biometrics for private key access
• FIDO Alliance announced in Feb 2013
– Backed by Lenovo, Nok Nok, PayPal, SecureKey, others
– Part of the original FIDO development effort
• Specification is still in process (unpublished)
– Goal: to be the primary authenticator
– Use cases focus on mobile devices
Page 28
Local Mobile Biometrics—UAF (diagram)
Components: FIDO authenticator(s) holding a device key pair and site-specific key pairs; FIDO Client; FIDO Server at the web site/RP; FIDO Attestation Service; ID Proofing
(1) User authentication to FIDO client
(2) FIDO handshake between the FIDO client and the FIDO server
(3) Asymmetric key authn
Device attestation is checked against the FIDO Attestation Service; the RP holds the binding of user info and public key
Page 29
UAF—Transitioned (diagram)
Components: FIDO client; OpenID Connect authorization server with a FIDO authentication module; OAuth resource server; a mobile application (relying party)
(1) User authentication to FIDO client
(2) FIDO handshake
(3) Asymmetric key authn
(4) Token information; the mobile application holds the ID, A, R tokens
(5) API request/response against the OAuth resource server
The authorization server holds the binding of user info and public key
Page 30
Local Mobile Biometrics (chart: Identity Assurance on the vertical axis, Un-Usability and Cost on the horizontal axis)
Page 31
FIDO: Universal Second Factor
Page 32
“Smart” Smart Card
• FIDO Universal Second Factor (U2F)
– Backed by Google
– Moved into FIDO alliance in early 2013
• Beta started in early 2013
– Hardware partner: Yubico
– Goal: to be the secondary authenticator
Page 33
“Smart” Smart Card
• FIDO Universal Second Factor (U2F)
– Use cases focus on PCs, laptops
• Hardware is USB or NFC
• Not so for software-based keystores
– Chrome browser integration is key
• Direct signing functions with the device
– Overcomes two hurdles of traditional smart cards
• Certificate management
• Hardware device drivers, MS-CAPI/CNG
Page 34
“Smart” Smart Card (U2F) (diagram)
U2F device: device key pair (per batch); site-specific key pairs (with Key Handles); activation button (activation required during enrollment and optional at runtime)
Web site/RP: site authn service; U2F authn service; attestation service
(1) User password auth against the site authn service
(2) Challenge response, with Key Handle, against the U2F authn service
The RP stores user info, public key and Key Handle; device attestation is checked by the attestation service
Page 35
U2F Transition (diagram)
Federation IDP: primary authn service; U2F authn service; stores user info, public key and Key Handle
(1) User password auth
(2) Challenge response, with Key Handle
(3) SAML credentials issued by the Federation IDP
(4) SAML credentials presented to the Federation SP
Page 36
UAF and U2F Commonality
• Both aspire to raise identity assurance levels
• Neither transitions to an interoperable token type (e.g., SAML, OAuth)
• Both use a unique public key pair for each web site (RP)
• Both enable an RP to perform device attestation
– UAF – unique key pair per device
– U2F – unique public key per “batch” of hardware tokens
• Both leverage distributed authentication
– Neither requires an authentication authority
– Good for scalability
– The UAF service may need it for device registration and user enrollment
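The UAF diagram (page 28), the U2F diagram (page 34) and the commonality slide above all describe the same skeleton: a per-site key pair on the device, an opaque Key Handle the RP hands back, a challenge-response signed with the site key, and a device attestation key (per batch for U2F, per device for UAF) that the RP checks at enrollment. The Go program below is an added example of that skeleton, not code from the deck, the FIDO Alliance or any vendor. It assumes P-256 ECDSA, a key handle that is simply a hash-derived index into the device's key store, an activation flag standing in for the button, and that step (1), the user's password auth, has already happened; real U2F/UAF message formats, key handle wrapping and attestation certificates differ from this model.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Registration is what the RP stores per user: key handle, site-specific public key, attestation signature.
type Registration struct {
	KeyHandle      string
	PublicKey      *ecdsa.PublicKey
	AttestationSig []byte
}

// Authenticator models a U2F token (or UAF authenticator): one attestation key (per batch for
// U2F, per device for UAF) and one key pair per web site, indexed by key handle. Private keys stay here.
type Authenticator struct {
	Attestation *ecdsa.PrivateKey
	Activated   bool // the activation button; required at enrollment
	siteKeys    map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() (*Authenticator, error) {
	att, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{Attestation: att, siteKeys: map[string]*ecdsa.PrivateKey{}}, err
}

// digest is the hash both sides sign and verify; the origin goes first, binding each signature to one site.
func digest(parts ...[]byte) []byte {
	d := sha256.Sum256(bytes.Join(parts, []byte{0}))
	return d[:]
}
func pubBytes(k *ecdsa.PublicKey) []byte { return append(k.X.Bytes(), k.Y.Bytes()...) }

// Register mints a site-specific key pair for origin and attests it (key handle = hash-derived index).
func (a *Authenticator) Register(origin string) (Registration, error) {
	if !a.Activated {
		return Registration{}, errors.New("activation required during enrollment")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Registration{}, err
	}
	handle := hex.EncodeToString(digest(pubBytes(&priv.PublicKey))[:8])
	a.siteKeys[handle] = priv
	sig, err := ecdsa.SignASN1(rand.Reader, a.Attestation, digest([]byte(origin), []byte(handle), pubBytes(&priv.PublicKey)))
	return Registration{KeyHandle: handle, PublicKey: &priv.PublicKey, AttestationSig: sig}, err
}

// Sign answers a challenge with the key behind handle (step 2 in the U2F diagram).
func (a *Authenticator) Sign(origin, handle string, challenge []byte) ([]byte, error) {
	if priv := a.siteKeys[handle]; priv != nil {
		return ecdsa.SignASN1(rand.Reader, priv, digest([]byte(origin), challenge))
	}
	return nil, errors.New("key handle not issued by this device")
}

// RelyingParty is the site's U2F authn service plus attestation check; step 1 (password auth) is assumed done.
type RelyingParty struct {
	Origin        string
	AttestationPK *ecdsa.PublicKey
	registrations map[string]Registration
	pending       map[string][]byte // one outstanding challenge per user
}

func NewRelyingParty(origin string, pk *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{origin, pk, map[string]Registration{}, map[string][]byte{}}
}

// Enroll binds user info to public key and key handle only if the device attestation verifies.
func (rp *RelyingParty) Enroll(user string, reg Registration) error {
	if !ecdsa.VerifyASN1(rp.AttestationPK, digest([]byte(rp.Origin), []byte(reg.KeyHandle), pubBytes(reg.PublicKey)), reg.AttestationSig) {
		return errors.New("device attestation failed")
	}
	rp.registrations[user] = reg
	return nil
}

// Challenge issues a fresh 32-byte random challenge with the user's key handle ("" if not enrolled).
func (rp *RelyingParty) Challenge(user string) (string, []byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return "", nil, err
	}
	rp.pending[user] = c
	return rp.registrations[user].KeyHandle, c, nil
}

// Verify consumes the outstanding challenge (so nothing can be replayed) and checks the response.
func (rp *RelyingParty) Verify(user string, sig []byte) error {
	c, reg := rp.pending[user], rp.registrations[user]
	delete(rp.pending, user)
	if c == nil || reg.PublicKey == nil || !ecdsa.VerifyASN1(reg.PublicKey, digest([]byte(rp.Origin), c), sig) {
		return errors.New("challenge response did not verify")
	}
	return nil
}
```

Two properties from the slides fall out of the code: the RP never holds a private key, only the site-specific public key it verifies against (no authentication authority is needed at runtime), and a token from a different batch fails Enroll because its attestation key is not the one the RP trusts. Putting the origin into every signed digest is what keeps a response bound to one web site.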
Page 37
UAF and U2F Commonality
• UAF and U2F mostly require browser interaction
– Google is working on app-specific implementations
• UAF more difficult – introduces integration issues with mobile applications
– No defined way to interact with applications to provide SSO, particularly iOS
Page 38
Potential UAF and U2F Integration
• UAF and U2F leverage common NFC secure element
– Improves identity assurance
– PC, laptop: USB
– Mobile: NFC
• UAF FIDO client integrates more deeply with Google Chrome
• U2F and UAF leverage a common device attestation service
Page 39
Copyright ©2013 Ping Identity Corporation. All rights reserved.