Three trends are changing the calculus of authentication: Increased use of modern identity proofing broader adoption of adaptive authentication, and local mobile biometrics.
6. Identity Assurance
• The goal of authentication
• Level of confidence about the authenticating user
• Required for a reliable identity infrastructure
– Security policies rely upon identification of the user
• Applications have different risk profiles and
therefore different assurance requirements
$5
7. Identity Assurance—Components
• Three components build identity assurance
– Primary authenticator – attributes including
security, number of factors
– Identity proofing – authentication processes to
bind the user to the authenticator
– Secondary methods
• Used in conjunction with primary authenticator
• Best example is adaptive authentication
• Layering is essential
11. Identity Proofing
Static Knowledge-BasedAuthentication (KBA)
• Mom’s maiden name?
• Easily guessed and administratively-known answers
• Low proofing value
• Known users
Dynamic Knowledge-Based Authentication (KBA)
• Intersection near your high school? Amount last paid for mortgage?
• Medium proofing value
• Unknown and known users
Out-Of-Band (OOB) Proofing
• Interaction via IVR telephone, SMS
• High proofing value
• Known users
12. Identity Proofing
Static Knowledge-BasedAuthentication (KBA)
• Notorious usability problems
• Unsuitable for everything except low assurance scenarios
• Many organizations have replaced static KBA with OOB
• Regulatory pressure will limit its use in the future
Dynamic Knowledge-Based Authentication (KBA)
• Best for unknown users (e.g., payday loans, gift card and rewards
programs)
• Has a solid future in use cases where little is known about the user
Out-Of-Band (OOB) Proofing
• The way to go for known users (regardless of constituency)
• Improves identity assurance
• Represents the path forward
20. Adaptive Over Time
• Successful authentication systems deliver
SSO
• They transition to an interoperable
credential
– Password or smart card->KDC->ticketgranting ticket
– OTP or password->WAM policy server->HTTP cookie
– Password->federation IDP->SAML
– X.509->OIDC IDP/OAuthAS->access and ID tokens
26. FIDO—A Tale of Two Protocols
• FIDO Unified AuthenticationFramework(UAF)
– Local mobile biometrics
– Initially proposed by Lenovo, Nok Nok, PayPal,
others
– Also supports non-biometric authentication
• Universal Second Factor (U2F)
– “Smart” smart card
• Initially proposed by Google and Yubikey (first to
partner)
27. FIDO: Local Mobile Biometrics
• FIDO Unified AuthenticationFramework(UAF)
– Replace PIN with biometrics for private key access
• FIDO Alliance announcedin Feb 2013
– Backed by Lenovo, Nok Nok, PayPal, SecureKey, others
– Part of the original FIDO development effort
• Specification is still in process (unpublished)
– Goal: to be the primary authenticator
– Use cases focus on mobile devices
28. Local Mobile Biometrics—UAF
F
authenticator(s)
(2)FIDOhandshake
FIDO Client
FFIDO
Server
device attestation
F
device key pair
site-specific key pairs
(1) user authentication
to FIDO client
Binding of user info and public key
(3)Asymmetrcikeyauthn
FIDO
Attestation
Service
web site/RP
ID Proofing
29. UAF—Transitioned
F
(2)FIDOhandshake
FIDO client
F
OpenID Connect
authorization server
(1) user authentication
to FIDO client
(3)asymmetrickeyauthn
OAuth
resource server
FIDO authentication
module
A mobile application
(relying party)
Binding of user info and public key
(4)Tokeninformation
(5)APIrequest/response
ID A R
A
tokens
32. “Smart” Smart Card
• FIDO Universal Second Factor (U2F)
– Backed by Google
– Moved into FIDO alliance in early 2013
• Beta started in early 2013
– Hardware partner: Yubico
– Goal: to be the secondary authenticator
33. “Smart” Smart Card
• FIDO Universal Second Factor (U2F)
– Use cases focus on PCs, laptops
• Hardware is USB or NFC
• Not so – for software-based keystores
– Chrome browser integration is key
• Direct signing functions with the device
– Overcomes two hurdles of traditional smart cards
• Certificate management
• Hardware device drivers, MS-CAPI/CNG
34. “Smart” Smart Card (U2F)web site/RP
device key pair (per batch)
site-specific key pairs
(with Key Handles)activation button
site
authn
service
(activation required during
enrollment and optional at
runtime)
U2F
authn
service
(1)userpasswordauth
(2)Challengeresponse,withKeyHandle
User info, public key and
Key Handle
device attestation
attestation
service
36. UAF and U2F Commonality
• Both aspire to raise identity assurance levels
• Neither transitions to an interoperable token type (e.g.,
SAML, OAuth)
• Both use a unique public key pair for each web site (RP)
• Both an enable an RP to perform device attestation
– UAF – unique key pair per device
– U2F – unique public key per “batch” of hardware tokens
• Both leverage distributed authentication
– Neither requires an authentication authority
– Good for scalability
– The UAF service may need it for device registration and
user enrollment
37. UAF and U2F Commonality
• UAF and U2F mostly require browser
interaction
– Google is working on app-specific
implementations
• UAF more difficult - introduces integration
issues with mobile applications
– No defined way to interact with applications to
provide SSO, particularly iOS
38. Potential UAF and U2F Integration
• UAF and U2F leverage common NFC secure
element
– Improves identity assurance
– PC, laptop: USB
– Mobile: NFC
• UAF FIDO client integrates more deeply with
Google Chrome
• U2F and UAF leverage a common device
attestation service