User Authentication for Government
20 March 2012
Symantec Government Technology Summit
Nick Piazzola, Sr. Director, Government Authentication Solutions
[email protected]
443-604-4069

Upload: carahsoft

Post on 17-May-2015


DESCRIPTION

Speaker: Nick Piazzola, Sr. Director, Government Authentication Solutions

TRANSCRIPT

Page 1: User Authentication for Government

User Authentication for Government 20 March 2012

Symantec Government Technology Summit

Nick Piazzola

Sr. Director, Government Authentication Solutions, [email protected]

Page 2: User Authentication for Government

E-Authentication in the Federal Government

Players: President, OMB, Federal CIO/CIO Council, FICAM

Policies/Mandates:
• HSPD-12
• OMB: M-04-04, M-07-16, M-11-11
• Federal CIO Memo

Technical Standards:
• FIPS 201
• FIPS 199
• NIST SP 800-63-1

Implementation Standards/Guidance:
• Federal PKI Certificate Policy
• Trust Frameworks (Non-PKI)

Page 3: User Authentication for Government

OMB M-04-04 E-Authentication Guidance

Electronic authentication (E-Authentication) is the process of establishing confidence in identities presented remotely over an open network to an information system.

OMB M-04-04 defines four levels of identity assurance for electronic transactions requiring authentication, where the required level of assurance is defined in terms of the consequences of authentication errors and the misuse of credentials.

Level 1 – Little or no confidence in the asserted identity
Level 2 – Some confidence in the asserted identity
Level 3 – High confidence in the asserted identity
Level 4 – Very high confidence in the asserted identity

Page 4: User Authentication for Government

OMB M-04-04 E-Authentication Guidance

• Requires agencies to review new and existing electronic transactions to ensure that authentication processes provide the appropriate level of assurance.

1. Conduct a risk assessment of the e-government system.
2. Map identified risks to the applicable assurance level.
3. Select technology based on e-authentication technical guidance.
4. Validate that the implemented system has achieved the required assurance level.
5. Periodically reassess the system to determine technology refresh requirements.

Page 5: User Authentication for Government

FIPS 199 Risk/Impact Profiles: Assurance Level Impact Profiles

Maximum potential impact of an authentication error permitted at each assurance level:

Potential Impact Category                                      Level 1   Level 2   Level 3   Level 4
Inconvenience, distress or damage to standing or reputation    Low       Mod       Mod       High
Financial loss or agency liability                             Low       Mod       Mod       High
Harm to agency programs or public interests                    N/A       Low       Mod       High
Unauthorized release of sensitive information                  N/A       Low       Mod       High
Personal safety                                                N/A       N/A       Low       Mod/High
Civil or criminal violations                                   N/A       Low       Mod       High

Page 6: User Authentication for Government

NIST Special Publication SP 800-63-1, Electronic Authentication Guideline

• Provides technical guidelines for Federal agencies implementing electronic authentication.

• Defines electronic authentication (e-authentication) as the process of establishing confidence in identities electronically presented to an information system.

• Applies to remote electronic authentication of users over open networks.

• Defines four levels of increasing assurance, Levels 1, 2, 3 and 4, and the threats to be mitigated at each of these levels.

• Defines technical requirements in the areas of identity proofing, registration, tokens, management processes, authentication protocols and related assertions.

Page 7: User Authentication for Government

Strong Authentication

A Combination of Two or More Authentication Factors

Something You Know: Username/Passwords, Mother's Maiden Name, Transaction History
Something You Have: Hardware OTP Token, Digital Certificate, Smart Card
Something You Are: Fingerprint, Iris Pattern
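The five-step process from OMB M-04-04 (page 4), the impact-profile table (page 5) and the two-or-more-factors definition of strong authentication on this slide can be worked as code. The following Go program is an added example, not code from the presentation or from Symantec: it encodes the page 5 table, picks the lowest assurance level whose profile covers an assessed set of impacts (steps 1 and 2 of the process), and then checks whether a proposed credential combination draws on two or more distinct factor categories. The rule that Levels 3 and 4 require two distinct factors is taken from SP 800-63-1 rather than from the slides, and the sample assessment and the credential names are constructed.

```go
package main

import "fmt"

// Impact ratings in ascending severity, as in the FIPS 199 / OMB M-04-04 table on page 5.
type Impact int

const (
	NA Impact = iota // not applicable
	Low
	Moderate
	High
)

// The table's rows: categories of harm from an authentication error.
const (
	Inconvenience  = "Inconvenience, distress or damage to standing or reputation"
	FinancialLoss  = "Financial loss or agency liability"
	ProgramHarm    = "Harm to agency programs or public interests"
	InfoRelease    = "Unauthorized release of sensitive information"
	PersonalSafety = "Personal Safety"
	CivilCriminal  = "Civil or criminal violations"
)

// maxImpact is the table itself: per category, the highest potential impact that
// Levels 1..4 (index 0..3) may carry; "Mod/High" at Level 4 is read as up to High.
var maxImpact = map[string][4]Impact{
	Inconvenience:  {Low, Moderate, Moderate, High},
	FinancialLoss:  {Low, Moderate, Moderate, High},
	ProgramHarm:    {NA, Low, Moderate, High},
	InfoRelease:    {NA, Low, Moderate, High},
	PersonalSafety: {NA, NA, Low, High},
	CivilCriminal:  {NA, Low, Moderate, High},
}

// RequiredLevel is M-04-04 step 2: given the assessed impact per category (step 1;
// categories left out count as N/A), return the lowest level whose profile covers all of them.
func RequiredLevel(assessed map[string]Impact) (int, error) {
	for level := 0; level < 4; level++ {
		covered := true
		for cat, impact := range assessed {
			allowed, known := maxImpact[cat]
			if !known {
				return 0, fmt.Errorf("unknown impact category %q", cat)
			}
			if impact > allowed[level] {
				covered = false
				break
			}
		}
		if covered {
			return level + 1, nil
		}
	}
	return 0, fmt.Errorf("no assurance level covers the assessed impacts")
}

// factorOf maps the credential types on the strong-authentication slide (page 7)
// to their factor category: something you know, have, or are.
var factorOf = map[string]string{
	"Username/Password": "know", "Mother's Maiden Name": "know", "Transaction History": "know",
	"Hardware OTP Token": "have", "Digital Certificate": "have", "Smart Card": "have",
	"Fingerprint": "are", "Iris Pattern": "are",
}

// DistinctFactors counts the factor categories a credential combination draws on:
// a password plus a mother's maiden name is one factor, not two.
func DistinctFactors(credentials []string) (int, error) {
	seen := map[string]bool{}
	for _, c := range credentials {
		f, ok := factorOf[c]
		if !ok {
			return 0, fmt.Errorf("unknown credential type %q", c)
		}
		seen[f] = true
	}
	return len(seen), nil
}

// MeetsLevel is a first cut at step 3 (select technology). Assumption taken from
// SP 800-63-1, not from the slides: Levels 1-2 accept one factor, Levels 3-4 need two or more.
func MeetsLevel(level int, credentials []string) (bool, error) {
	n, err := DistinctFactors(credentials)
	if err != nil {
		return false, err
	}
	if level >= 3 {
		return n >= 2, nil
	}
	return n >= 1, nil
}

func main() {
	// Constructed assessment: a benefits application where an error could cause moderate financial loss and moderate release of PII.
	level, _ := RequiredLevel(map[string]Impact{FinancialLoss: Moderate, InfoRelease: Moderate})
	fmt.Println("required assurance level:", level) // 3
	for _, combo := range [][]string{{"Username/Password", "Mother's Maiden Name"}, {"Username/Password", "Hardware OTP Token"}} {
		ok, _ := MeetsLevel(level, combo)
		fmt.Printf("%v meets Level %d: %v\n", combo, level, ok)
	}
}
```

The lookup is monotonic in the level, so the first level that covers every assessed category is the minimum; the factor count is what makes "password plus security question" fail the Level 3 gate even though two credentials were presented.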

Page 8: User Authentication for Government

[Chart: credential strength versus need for identity assurance. Horizontal axis: Increased Need for Identity Assurance, labelled with the E-Authentication Assurance Levels (OMB M-04-04): Low, Medium, High, Very High. Vertical axis: Increased Strength. Example transactions plotted along the horizontal axis: Access to Protected Website, Applying for a Loan Online, Obtaining Govt. Benefits, Employee Screening for a High Risk Job. Credential types plotted along the vertical axis: PIN/User ID, Knowledge-Based, One-Time Password, PKI/Digital Signature, HSPD-12 PIV Card, Biometrics, Multi-Factor Token.]

Page 9: User Authentication for Government

Public Key Infrastructure: PKI service issues certificates for strong authentication, encryption and digital signing (markets: eCommerce, Financial Services, Enterprise, Government).

User Authentication Product Family (Symantec Identity Protection): shared cloud-based two-factor authentication solution offering multiple token choices.

Fraud Detection Service: risk-based authentication and software-based fraud detection, with a Rules Engine and a Behavior Engine producing a risk score.

Page 10: User Authentication for Government

Symantec Solutions for Authentication

VeriSign® Identity Protection Network (fraud intelligence and shared authentication)

• VIP Fraud Detection Service
• Strong Authentication (User and Site)
• Mobile OTP
• SMS and Voice OTP
• Browser Toolbar OTP
• SSL Cert / Secure Seal
• Digital Certificates
• OTP Tokens
• OTP Card
• USB PKI Tokens
• Smartcards

Page 11: User Authentication for Government

What PKI Enables…

Strong Authentication
• Prevents unauthorized access through enhanced authentication
• Primary integration points: Web applications, remote access, desktop logon, and wireless

Digital Signatures
• Provide data integrity and enable non-repudiation for electronic transactions
• Primary integration points: Email, Adobe, and custom applications

Encryption
• Protects sensitive information whether data is in transit or at rest
• Primary integration points: Email, disk, file/folder, and databases

Page 12: User Authentication for Government

Managed PKI Services for the Public Sector

– Federal Shared Service Provider PKI: enables Federal agencies to comply with HSPD-12. VeriSign SSP PKI services and Card Management System are certified and on the GSA FIPS-201 Approved Products List (APL).

– Non-Federal Shared Service Provider PKI: enterprise PKI for any organization needing interoperability with the Federal government. Provides interoperability with the Federal PKI at multiple assurance levels through cross-certification with the Federal Bridge Certification Authority (FBCA).

– ECA Certificates: enable organizations, contractors and individuals to securely communicate with Federal, state and local government agencies.
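Pages 11 and 12 describe what a PKI certificate enables (signatures for integrity and non-repudiation, strong authentication) and that trust in a certificate comes from chaining to an issuing CA. As an added illustration that is not the presentation's or Symantec's code, the following Go program builds a throw-away two-tier PKI, signs a transaction with the user's key, and shows the relying party's two checks: that the certificate chains to the trusted root and is valid for client authentication, and that the signature matches the message. The CA name, user name and transaction text are hypothetical and constructed; revocation checking (the OCSP and directory validation services named on page 15) is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Credential: the user's signing key, the certificate binding its public key to an
// identity, and the CA certificate a relying party must trust to validate it.
type Credential struct {
	Key      *ecdsa.PrivateKey
	Cert, CA *x509.Certificate
}

// newCert generates a P-256 key for tmpl, has the issuer sign it (issuerKey == nil
// means self-signed), and returns the parsed certificate together with its key.
func newCert(tmpl, parent *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if issuerKey == nil {
		parent, issuerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssuePKI stands up a throw-away two-tier PKI (self-signed CA plus one user
// certificate). Names are hypothetical; a real CA runs under an approved policy.
func IssuePKI(user string) (*Credential, error) {
	now := time.Now()
	caCert, caKey, err := newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Agency Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	// DigitalSignature marks a signing key; the client-auth EKU is what a relying
	// party checks when the certificate is presented for strong authentication.
	userCert, userKey, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, caCert, caKey)
	if err != nil {
		return nil, err
	}
	return &Credential{Key: userKey, Cert: userCert, CA: caCert}, nil
}

// Sign produces an ECDSA signature over SHA-256(msg). Only the key holder can
// produce it, which is what gives a signed transaction its non-repudiation property.
func (c *Credential) Sign(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, c.Key, digest[:])
}

// Verify is the relying party's side: the certificate must chain to the trusted
// root and permit client authentication (OCSP/CRL revocation checking is omitted
// here), and the signature must match the message byte for byte.
func Verify(root, cert *x509.Certificate, msg, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	// CheckSignature hashes msg with SHA-256 and verifies the ASN.1 ECDSA signature
	// against the public key carried in the certificate.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig); err != nil {
		return fmt.Errorf("signature does not match message: %w", err)
	}
	return nil
}

func main() {
	cred, _ := IssuePKI("jane.doe@agency.example") // hypothetical user
	msg := []byte("Approve purchase order 4711")   // constructed transaction
	sig, _ := cred.Sign(msg)
	fmt.Println("genuine:", Verify(cred.CA, cred.Cert, msg, sig))
	fmt.Println("altered:", Verify(cred.CA, cred.Cert, []byte("Approve purchase order 4712"), sig))
}
```

The order of the two checks matters: chain validation establishes whose key this is, and only then does a valid signature say anything about who committed to the transaction. A certificate issued by a CA outside the trusted set fails the first check even if its signature over the message is mathematically valid.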

Page 13: User Authentication for Government

Non-Federal SSP PKI Customers

U.S. Government
– U.S. Nuclear Regulatory Commission
– U.S. Senate
– Dept of State (Millennium Challenge Corporation)

State Government
– State of Kansas
– State of Colorado
– State of California (CA Prison Healthcare Systems)
– State of Virginia (Fairfax County Government)

Universities
– University of Houston

Government Contractors
– Booz Allen & Hamilton
– General Dynamics
– Noblis (Mitretek)
– Dyncorp

Page 14: User Authentication for Government

Symantec Validation and ID Protection

[Diagram: a user with a Symantec VIP token authenticates through the VIP Authentication Service to an Enterprise, a Consumer Portal / Business Partner Extranet, or a Government Network.]

Page 15: User Authentication for Government

Symantec Authentication Solution Strategy

[Diagram of service components:]
• VIP OTP Credentialing Services
• VIP Validation Service
• Federal / Non-Federal SSP PKI
• Directory / OCSP Validation Services
• Federal Bridge Certification Authority
• Application Enabling Services: authentication gateway, credential verification, single sign-on (SSO)
• Identity Proofing Services (Levels 2/3/4): Notary, Online KBA Services, Existing Credential, Trusted Agent, Agency RA, Commercial Proofing Service

Page 16: User Authentication for Government

Symantec/Experian Two Factor Authentication Solution

[Diagram components: User, Experian Precise ID (NIST 800-63-1 Level 3), Symantec OTP Token, Symantec OTP Authentication Service, Online Government Application]

1. NIST Level 3 Remote Identity Proofing using Experian Precise ID.
2. Multiple form-factors for OTP tokens for multiple platforms.
3. Two-Factor Authentication with PIN, OTP and in-the-cloud validation service.
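Step 3 on this slide, two-factor authentication with a PIN, an OTP token and an in-the-cloud validation service, is shown in the following added Go example, which is not code from Symantec or Experian. It implements the RFC 4226 HOTP algorithm used by event-based OTP tokens (the slides do not say which OTP algorithm Symantec VIP tokens use, so HOTP is an assumption), a token record on the validation side with a look-ahead window and replay protection, and a PIN check against a salted hash. The token secret, PIN and salt are constructed; the secret is the RFC 4226 test-vector key, so the codes can be compared with the published vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// HOTP computes an RFC 4226 one-time password: HMAC-SHA1 over the big-endian
// counter, dynamically truncated to the requested number of decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	mac.Write(buf[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TokenRecord is the validation service's state for one issued token: the shared
// secret, the next counter value expected, and how far ahead the service will
// search to resynchronise a token whose button was pressed without logging in.
type TokenRecord struct {
	Secret  []byte
	Counter uint64
	Window  int
	Digits  int
}

// ValidateOTP checks a submitted code against the expected counter and the
// look-ahead window. On success the counter moves past the matched value, so a
// captured code cannot be replayed and earlier codes are rejected.
func (t *TokenRecord) ValidateOTP(code string) error {
	if len(code) != t.Digits {
		return errors.New("malformed one-time password")
	}
	for i := 0; i <= t.Window; i++ {
		c := t.Counter + uint64(i)
		if hmac.Equal([]byte(HOTP(t.Secret, c, t.Digits)), []byte(code)) {
			t.Counter = c + 1
			return nil
		}
	}
	return errors.New("one-time password rejected")
}

// PINRecord stores the knowledge factor as a salted hash rather than in clear.
// (Plain salted SHA-256 keeps the example short; a production store would use a
// slow, memory-hard KDF.)
type PINRecord struct {
	Salt, Hash []byte
}

func hashPIN(salt []byte, pin string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pin...))
	return h[:]
}

func NewPINRecord(salt []byte, pin string) PINRecord {
	return PINRecord{Salt: salt, Hash: hashPIN(salt, pin)}
}

// Authenticate is the two-factor check on the slide: something you know (PIN)
// and something you have (the OTP token). The OTP is consumed even when the PIN
// is wrong, so one captured code cannot be reused across repeated PIN guesses.
func Authenticate(pinRec PINRecord, tok *TokenRecord, pin, code string) error {
	pinOK := hmac.Equal(hashPIN(pinRec.Salt, pin), pinRec.Hash)
	otpErr := tok.ValidateOTP(code)
	if !pinOK || otpErr != nil {
		return errors.New("authentication failed")
	}
	return nil
}

func main() {
	// Constructed enrolment: the RFC 4226 test-vector secret, a window of 3, a 4-digit PIN.
	tok := &TokenRecord{Secret: []byte("12345678901234567890"), Window: 3, Digits: 6}
	pin := NewPINRecord([]byte("constructed-salt"), "2468")
	fmt.Println("counter 0 code:", HOTP(tok.Secret, 0, 6)) // 755224 per RFC 4226
	fmt.Println("login:", Authenticate(pin, tok, "2468", HOTP(tok.Secret, 2, 6)))  // within window
	fmt.Println("replay:", Authenticate(pin, tok, "2468", HOTP(tok.Secret, 2, 6))) // rejected
}
```

The counter advance is what makes a cloud validation service safe to share across applications: a code accepted for one login is invalid everywhere afterwards, and a code that lands outside the window forces a resynchronisation rather than being silently accepted.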

Page 17: User Authentication for Government

Summary

• The two primary user authentication technologies in use today are PKI and OTP. Symantec delivers/supports both of these for government customers via cloud services.

• While both PKI and OTP are used for e-authentication, only PKI can deliver a full suite of security services including confidentiality, integrity and non-repudiation.

• OTP solutions are more likely to be used for remote access and external constituent access to government services because of their reduced cost and complexity.

• NIST SP 800-63-1 Level 3 assurance is the target for most applications involving personally identifiable information and/or valuable transactions.

• Experian and Symantec have collaborated to provide a suite of integrated identity proofing and authentication services that supports NIST SP 800-63-1.

• In the future, government agencies are expected to transition from being providers of credentials to accepting identity credentials issued by external identity providers.