[webinar] byoid is not a typo, it’s the future of user authentication
DESCRIPTION
What is BYOID (Bring Your Own Identity)? If you have been asked to authenticate yourself using Facebook, Twitter or other social media IDs when you visited a third party website, you have experienced the latest trend of user authentication. In this digital age, users want simple and secure access to applications. BYOID is becoming a popular option for simplifying the user authentication process and it's here to stay. While there are clear benefits, BYOID also brings risks to both companies and end users. In this webinar, we will discuss what BYOID means to you and how it will affect your organization.
TRANSCRIPT
BRING YOUR OWN ID
Kevin Sullivan
Director of Sales Engineering
Specops Software
Welcome
• Kevin Sullivan
– @kevsully67
• Director of Sales Engineering
• Recovering GP MVP, Musician
• Previously Principal Program Manager at Microsoft
• Technology lover – geek dad
WHOAMI
Agenda
• Identity
• BYOID
• Benefits
• Challenges
WHAT ARE WE GOING TO TALK ABOUT
Who are you?
IDENTITY
Who do you trust?
BALANCE TRUST AND RISK
Identity is growing in complexity
IT'S NOT THAT SIMPLE
Sorting it all out
FRAGMENTED IDENTITY
Confused Enough?
MIND BLOWN
WHY
Why BYOID
• Millennials – new ways of working and living
• The “rise of digital business”
• Convergence of Mobile, Social, Cloud and Information
• BYOD
– Working mobility
– Cross platform
– Different use cases for mobile
• Gartner says that a 2014 survey showed ~40% of survey respondents are now consuming social or other third-party identities
IS RESISTANCE FUTILE
Adaptive Access Control
TECHNOLOGY GETS IN THE WAY
BENEFITS OF BYOID
Attract and Retain
• Do you want this cool white paper?
– Fill out this form/create an account?
– Sign in with Facebook?
• Gartner says “Software vendors that enable
the consumption of social identities report
that acceptance of social identities can
increase registrations by up to 90%.”
OLD WAYS ARE… OLD
ID.me
• On the surface – online discounts and shopping
• Behind the scenes the service provides a government-supported identity validation service…
– If the request comes to me through ID.me, your group affiliations are accepted
– Specific discounts are available (military, teachers, students, first responders, doctors etc.)
• It is like a badge
• “Are you the police?”
• “No ma'am, we’re musicians”
WHAT IS OUT THERE
CHALLENGES
This is NOT the only scenario – but common
HOW DOES IT WORK
Not the Automobile Association of America
• Does BYOID fit the entire life-cycle?
– Authentication
• authN
– Authorization
• authZ
– Access Control
AAA
Availability
• What choices do you have?
• Social?
– FB, Twitter, Instagram, etc.
• Enterprise?
– Azure, Google, etc.
• Facebook is very popular
– But not in all countries
– Typically it is a ‘personal’ persona
• LinkedIn is popular for professional networking
– Does everyone need to know your ‘professional’ persona?
• Live ID, Google ID
– Identities used for many connected services
DOES IT WORK FOR EVERYONE
Flexibility
• Not every identity service may be appropriate for every use case
• Step-up
– Initial access to low impact ‘stuff’
– Additional access, with additional verifications and ‘stuff’ grows in importance
• Understand your constituency
• Who needs what?
• Are enforceable policies in place?
IF THE GLOVE FITS
What data to share
• Is the whole profile exposed?
– Friends list
– Status updates
• More of an anecdotal scenario
– Facebook and privacy
– Google + and future
– Who cares about your cat pictures?
– Is your data trusted?
• Address
• Phone number
ARE YOU AN OPEN BOOK
Identity Proofing
• Areas of study and analysis are dedicated to Identity Proofing
• Geo-specific
– What is trusted in the US may not be trusted in Sweden, and vice versa
• Some interest and support for providing third party identities
– Verizon, ID.me, Government ID (e-ID), Microsoft Cloud Services (Azure IdM/AD), Google Apps
• Some, albeit expensive, vendors jumping in…
– LexisNexis, Equifax, Experian
– Gartner reports relatively low adoption due to cost and complexity
Are the protocols ready?
• Still some churn
• New stuff coming in
• Old stuff showing wear
• Public vulnerabilities create concern
• NIST – defines LOA
– ‘Lower Level of Assurance’
– Levels 1 – 3
• OpenID (2.0 is for ‘lower security use cases’)
• OpenID Connect (supports NIST LOA levels 1 – 3)
• OAuth
IF YOU CAN SMELL IT, IT IS DONE
What to do?
• Plan carefully
• Learn and understand
• Be the best <fill in the blank> organization you can be
– <obvious>Don’t try to be something you are not…
– If you are not a security software development organization then don’t build your own authentication frameworks</obvious>
• Step-up
• Multi-factor models
– Use mobile-device verification everywhere you can
– Or other multi-factor models
PLAN, PLAN, PLAN
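As an added example (not from the webinar deck), here is a small Python relying-party policy that puts together the step-up idea from the Flexibility slide, the LOA-style levels from the protocols slide and the multi-factor advice above: claims from an external identity provider are mapped to an assurance level, each resource states the minimum level it needs, and the decision says whether to allow, step up or deny. Assumptions: the resource names and levels are constructed for the example, `amr`, `email_verified` and `phone_number_verified` are OpenID Connect claim names, and `proofed` is a hypothetical claim standing in for an identity-proofing attestation like ID.me's group verification.

```python
from typing import Any, Dict

# Assurance levels loosely modelled on the NIST LOA 1-3 scale named on the slide.
LOA_LOGIN, LOA_MFA, LOA_PROOFED = 1, 2, 3

# Minimum level each resource needs (constructed values for this example).
RESOURCE_LEVELS: Dict[str, int] = {
    "whitepaper": LOA_LOGIN,           # low-impact 'stuff': any social login will do
    "account_settings": LOA_MFA,       # account changes: require a second factor
    "military_discount": LOA_PROOFED,  # needs an attested group affiliation
}

# OIDC 'amr' values (RFC 8176 names) that this policy counts as a second factor.
MFA_METHODS = {"otp", "sms", "hwk", "swk", "mfa"}

def used_mfa(claims: Dict[str, Any]) -> bool:
    return bool(MFA_METHODS & set(claims.get("amr", [])))

def assurance_level(claims: Dict[str, Any]) -> int:
    """Map ID-token claims from a BYOID provider to a level (0 = not logged in)."""
    if not claims.get("sub"):
        return 0
    if used_mfa(claims) and claims.get("proofed") is True:  # 'proofed' is hypothetical
        return LOA_PROOFED
    if used_mfa(claims):
        return LOA_MFA
    return LOA_LOGIN

def decide(resource: str, claims: Dict[str, Any]) -> str:
    """Return 'allow', 'step-up:mfa', 'step-up:proofing' or 'deny' for one request."""
    required = RESOURCE_LEVELS.get(resource)
    level = assurance_level(claims)
    if required is None or level == 0:
        return "deny"              # unknown resource or no subject: default deny
    if level >= required:
        return "allow"
    if not used_mfa(claims):
        return "step-up:mfa"       # can be satisfied now by prompting a second factor
    return "step-up:proofing"      # needs an out-of-band affiliation check first

def trusted_contact(claims: Dict[str, Any]) -> Dict[str, str]:
    """Keep only contact data the provider vouches for; self-asserted values are dropped."""
    out: Dict[str, str] = {}
    if claims.get("email_verified") is True and claims.get("email"):
        out["email"] = claims["email"]
    if claims.get("phone_number_verified") is True and claims.get("phone_number"):
        out["phone_number"] = claims["phone_number"]
    return out
```

A plain password-only social login reaches the white paper, is asked for a second factor before touching account settings, and even with MFA cannot unlock the affiliation-based discount until the identity has been proofed.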
Thanks and send us your feedback!
• Topics of interest?
• Suggestions?
• Corrections?
• Criticisms?
• http://www.specopssoft.com
• @kevsully67
• Follow Specops Software on Facebook!
Resources
APPENDIX
Password Strength
Password Policy
• If the password satisfies the rule it is strong
• If the password satisfies the rules and it is weak the rules are wrong
Notes
• Identity Proofing Services
• “Consumption of social identities can reduce friction and is particularly helpful for new and transient relationships”
• Attestation
– “a solemn statement made under oath”
– “Certification by signature or oath”
• ID.me – trusted verification
– Verify group affiliations (military, teacher, student, etc…) and store the verification in the ID.me account.
– Used for online discounts and shopping