Three trends are changing the calculus of authentication: Increased use of modern identity proofing broader adoption of adaptive authentication, and local mobile biometrics.

1. From Kerberos to FIDO:
The Future of Authentication
Mark Diodati
@mark_diodati
mdiodati@pingidentity.com
Thurs 13-07-11

2. The immutable
calculus of
authentication is
changing

3. Modern identity proofing
Adaptive authentication
Local mobile biometrics

4. AuthenticationIdentityAssurance
Un-Usability and Cost

5. Identity assurance

6. Identity Assurance
• The goal of authentication
• Level of confidence about the authenticating user
• Required for a reliable identity infrastructure
– Security policies rely upon identification of the user
• Applications have different risk profiles and
therefore different assurance requirements
$5

7. Identity Assurance—Components
• Three components build identity assurance
– Primary authenticator – attributes including
security, number of factors
– Identity proofing – authentication processes to
bind the user to the authenticator
– Secondary methods
• Used in conjunction with primary authenticator
• Best example is adaptive authentication
• Layering is essential

8. Primary Authenticator Assurance
IdentityAssurance
Password OTP Smart Card
Primary Authenticator
IdentityAssurance

9. Modern identity
proofing

10. Identity Assurance—Identity Proofing
Authentication
Lifecycle
TerminationElevated
Access
Changes
Emergency
Access
Initialization

11. Identity Proofing
Static Knowledge-BasedAuthentication (KBA)
• Mom’s maiden name?
• Easily guessed and administratively-known answers
• Low proofing value
• Known users
Dynamic Knowledge-Based Authentication (KBA)
• Intersection near your high school? Amount last paid for mortgage?
• Medium proofing value
• Unknown and known users
Out-Of-Band (OOB) Proofing
• Interaction via IVR telephone, SMS
• High proofing value
• Known users

12. Identity Proofing
Static Knowledge-BasedAuthentication (KBA)
• Notorious usability problems
• Unsuitable for everything except low assurance scenarios
• Many organizations have replaced static KBA with OOB
• Regulatory pressure will limit its use in the future
Dynamic Knowledge-Based Authentication (KBA)
• Best for unknown users (e.g., payday loans, gift card and rewards
programs)
• Has a solid future in use cases where little is known about the user
Out-Of-Band (OOB) Proofing
• The way to go for known users (regardless of constituency)
• Improves identity assurance
• Represents the path forward

13. Modern ProofingIdentityAssurance
Un-Usability and Cost

14. Importance of Identity Proofing
Password OTP Smart Card
Identity Proofing
Primary Authenticator
IdentityAssurance

15. Adaptive
authentication

16. Adaptive Authentication
Device ID
• ____
• ____
• ____
IP Blacklist
• Bill pay $349
• Bill pay $610
• EFT $2,000,000
Behavioral
Biometrics
Geolocation

17. Adaptive Authentication
Products
–Consumer authentication
–Federation and SSO products
–SIEM
–Identity and access governance

18. Adaptive AuthenticationIdentityAssurance
Un-Usability and Cost

19. Adaptive and ProofingIdentityAssurance
Un-Usability and Cost

20. Adaptive Over Time
• Successful authentication systems deliver
SSO
• They transition to an interoperable
credential
– Password or smart card->KDC->ticketgranting ticket
– OTP or password->WAM policy server->HTTP cookie
– Password->federation IDP->SAML
– X.509->OIDC IDP/OAuthAS->access and ID tokens

21. Adaptive Over TimeIdentityAssurance
Lifetime of credential

22. Adaptive Over TimeIdentityAssurance
Lifetime of credential

23. Local mobile
biometrics

24. Beloved
(always)
In possession
(almost always)
User-purchased
(sometimes)
The Smartphone

25. Portable Biometric Device
Accelerometer
movement
Camera
facial recognition
Microphone
voice
The Mobile Biometric Device

26. FIDO—A Tale of Two Protocols
• FIDO Unified AuthenticationFramework(UAF)
– Local mobile biometrics
– Initially proposed by Lenovo, Nok Nok, PayPal,
others
– Also supports non-biometric authentication
• Universal Second Factor (U2F)
– “Smart” smart card
• Initially proposed by Google and Yubikey (first to
partner)

27. FIDO: Local Mobile Biometrics
• FIDO Unified AuthenticationFramework(UAF)
– Replace PIN with biometrics for private key access
• FIDO Alliance announcedin Feb 2013
– Backed by Lenovo, Nok Nok, PayPal, SecureKey, others
– Part of the original FIDO development effort
• Specification is still in process (unpublished)
– Goal: to be the primary authenticator
– Use cases focus on mobile devices

28. Local Mobile Biometrics—UAF
F
authenticator(s)
(2)FIDOhandshake
FIDO Client
FFIDO
Server
device attestation
F
device key pair
site-specific key pairs
(1) user authentication
to FIDO client
Binding of user info and public key
(3)Asymmetrcikeyauthn
FIDO
Attestation
Service
web site/RP
ID Proofing

29. UAF—Transitioned
F
(2)FIDOhandshake
FIDO client
F
OpenID Connect
authorization server
(1) user authentication
to FIDO client
(3)asymmetrickeyauthn
OAuth
resource server
FIDO authentication
module
A mobile application
(relying party)
Binding of user info and public key
(4)Tokeninformation
(5)APIrequest/response
ID A R
A
tokens

30. Local Mobile BiometricsIdentityAssurance
Un-Usability and Cost

31. FIDO: Universal
Second Factor

32. “Smart” Smart Card
• FIDO Universal Second Factor (U2F)
– Backed by Google
– Moved into FIDO alliance in early 2013
• Beta started in early 2013
– Hardware partner: Yubico
– Goal: to be the secondary authenticator

33. “Smart” Smart Card
• FIDO Universal Second Factor (U2F)
– Use cases focus on PCs, laptops
• Hardware is USB or NFC
• Not so – for software-based keystores
– Chrome browser integration is key
• Direct signing functions with the device
– Overcomes two hurdles of traditional smart cards
• Certificate management
• Hardware device drivers, MS-CAPI/CNG

34. “Smart” Smart Card (U2F)web site/RP
device key pair (per batch)
site-specific key pairs
(with Key Handles)activation button
site
authn
service
(activation required during
enrollment and optional at
runtime)
U2F
authn
service
(1)userpasswordauth
(2)Challengeresponse,withKeyHandle
User info, public key and
Key Handle
device attestation
attestation
service

35. U2F Transition
Federation IDP
primary
authn
service
U2F
authn
service
(1)userpasswordauth
(2)Challengeresponse,withKeyHandle
User info, public key and
Key Handle
(3)SAMLcredentials
Federation SP
(4) SAML credentials

36. UAF and U2F Commonality
• Both aspire to raise identity assurance levels
• Neither transitions to an interoperable token type (e.g.,
SAML, OAuth)
• Both use a unique public key pair for each web site (RP)
• Both an enable an RP to perform device attestation
– UAF – unique key pair per device
– U2F – unique public key per “batch” of hardware tokens
• Both leverage distributed authentication
– Neither requires an authentication authority
– Good for scalability
– The UAF service may need it for device registration and
user enrollment

37. UAF and U2F Commonality
• UAF and U2F mostly require browser
interaction
– Google is working on app-specific
implementations
• UAF more difficult - introduces integration
issues with mobile applications
– No defined way to interact with applications to
provide SSO, particularly iOS

38. Potential UAF and U2F Integration
• UAF and U2F leverage common NFC secure
element
– Improves identity assurance
– PC, laptop: USB
– Mobile: NFC
• UAF FIDO client integrates more deeply with
Google Chrome
• U2F and UAF leverage a common device
attestation service

39. Copy right ©2013 Ping Identity Corporation. All rights reserv ed.39
Copy right ©2013 Ping Identity Corporation. All rights reserv ed.39