Web Authentication
By
Pradeep J.V
1
Web Authentication
• Authentication is the process of determining whether someone or
something is, in fact, who or what it is declared to be.
• Authentication is accomplished by:
– Something the user knows
• e.g., password, PIN, pattern
– Something the user has
• e.g., ATM card, smart card
– Something the user is
• e.g., biometric characteristic, such as a fingerprint.
2
Password Authentication
• It is based on “something the user knows”.
• Advantages:
– Passwords require no special software on the user's computer.
– Passwords authenticate the user directly, because only the user knows the password.
3
Password Authentication
• Drawbacks:
– Users can't remember strong passwords, so they write them down.
– When passwords are forgotten, the password must be recovered,
which is either expensive or insecure.
– Users can share passwords. Revenue is lost when multiple users share
an account.
– An administrator can discover the password and use it to masquerade
as the user.
– The user must have a unique password for each site.
4
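The last drawback above (an administrator who can read the password) is usually mitigated by storing only a salted, iterated hash so that neither the operator nor anyone who copies the user table learns the password. This is an added example, not from the slides: a PBKDF2-HMAC-SHA256 record format with constant-time verification; the iteration count, record layout and sample passwords are constructed for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example (not taken from the slides).
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # work factor; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Derive a salted, iterated hash and pack it into a self-describing record.

    Only this record is stored. It lets the server verify a password later but
    does not let an administrator (or an attacker who copies the table) read it.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    try:
        algorithm, iterations_str, salt_hex, hash_hex = record.split("$")
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False                            # malformed record: never accept
    if algorithm != ALGORITHM or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored record uses a weaker work factor than the current policy."""
    try:
        algorithm, iterations_str, _, _ = record.split("$")
        stored_iterations = int(iterations_str)
    except ValueError:
        return True
    return algorithm != ALGORITHM or stored_iterations < iterations


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")   # constructed sample
    print(stored)                                            # what the database holds
    print(verify_password("correct horse battery staple", stored))   # True
    print(verify_password("Correct horse battery staple", stored))   # False
```

Records that verify but report needs_rehash() should be re-hashed with the current work factor at the moment of a successful login, which is the only time the plaintext is available.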
Biometric Authentication
• Authenticates a user through a unique physical characteristic.
• The biometrics typically used are fingerprints, voice, face, typing pattern, etc.
5
Biometrics
• Advantages:
– Biometrics directly authenticate the person, not indirectly through a password or token.
– Biometric features are difficult to steal, which makes biometric authentication very strong.
• Drawbacks:
– User's computer must include the appropriate biometric sensor and
software. Reliable sensors are expensive.
– False positives (wrongly accepting an invalid user) and false negatives (denying a valid user).
6
Token based authentication
• Authentication through “something the user has”.
• An example of a hardware/software token is RSA SecurID.
7
Tokens
• Advantages:
– Tokens prevent a thief with a stolen password from accessing the web site.
– Tokens prevent accounts from being shared, since sharing would require duplicating the token.
– Tokens require no special software on the user's computer.
• Drawbacks:
– Tokens are expensive and must be replaced or refurbished every few
years.
– A lost token prevents a valid user from accessing the web site, which
disrupts business or commerce.
– Tokens are inconvenient since the user must manually enter the value
of the token as well as the password.
8
PKI - Public Key Infrastructure
• PKI is a specific implementation of asymmetric cryptography.
• Relies on the use of digital certificates that are issued by
certificate authorities as a means to bind a user to an assigned
key pair.
• A public key. This is something that you make public: it is freely distributed and can be seen by all users.
• A corresponding (and unique) private key. This is something that you keep secret: it is not shared amongst users.
9
Data encryption using PKI
10
Digital signature using PKI
11
Key management in PKI
12
Key management in PKI (contd)
13
HTTPS
• The most popular use of PKI is the HTTPS (Hypertext Transfer Protocol Secure) protocol.
14
Public Key Infrastructure
• Advantages:
– Every modern browser has the built-in capability for public key
authentication.
– Public key authentication can be automatic and even transparent to
users.
– Public key authentication is much stronger than passwords, because
the authentication “secret” is stronger and is not shared with web
sites.
– A single certificate can be used for many web sites, since the “secret”
is not shared.
15
Public Key Infrastructure
• Drawbacks:
– The complexity of the infrastructure:
• The PKI model requires that the digital certificate binds the proofed identity of the user to the value of the user's public key. This seemingly simple requirement generates a great deal of complexity: how is the identity proofed, who does the proofing, and what are the liabilities if the identity proofing is wrong?
– The PKI model focuses on identity and does not address authorization.
16
LDAP – Lightweight Directory Access Protocol
• The Lightweight Directory Access Protocol is a protocol for querying and modifying directory services, running over TCP/IP.
• It is not a directory, a database or an information repository.
– It is a protocol to access directory services.
• Single Sign On systems mostly use LDAP authentication.
– The user is authenticated at site1, then accesses a resource at site2.
• Drawbacks
– The web is loosely coupled, consisting of many security domains. SAML is a standard that governs the transfer of assertions between domains.
17
LDAP – Lightweight Directory Access Protocol
• Client requests to bind to the server.
• Server accepts/denies the bind request.
• Client sends a search request.
• Server returns zero or more directory entries.
• Server sends a result code with any errors.
• Client sends an unbind request.
• Server sends a result code and closes the socket.
18
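The bind step above is where the user's credential crosses the wire, so it is worth seeing what it looks like on the wire. The following is an added example, not from the slides: it encodes an LDAPv3 simple BindRequest in BER and parses the server's BindResponse result code (RFC 4511); the DN, password and the two sample server replies are constructed for the illustration. A simple bind carries the password as a plain OCTET STRING, so it must only be sent over LDAPS or after StartTLS.

```python
from typing import Tuple

# ---- BER encoding helpers (the small subset LDAP needs) ----

def ber_length(n: int) -> bytes:
    """Short form below 128, otherwise 0x80 | number-of-length-bytes followed by the length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """Tag, BER length, content."""
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_integer(value: int) -> bytes:
    """Non-negative INTEGER; the extra leading zero byte keeps the sign bit clear."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] password } }."""
    op = tlv(0x60, ber_integer(3)
             + tlv(0x04, dn.encode("utf-8"))
             + tlv(0x80, password.encode("utf-8")))   # [0] simple: password as a plain OCTET STRING
    return tlv(0x30, ber_integer(message_id) + op)


# ---- decoding the server's BindResponse ----

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after the element); reject truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def parse_bind_response(data: bytes) -> Tuple[int, int, str]:
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    tag, rc, pos = read_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("missing resultCode ENUMERATED")
    _, _matched_dn, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(rc, "big"), diag.decode("utf-8", "replace")


# Constructed sample server replies (RFC 4511 result codes: 0 = success, 49 = invalidCredentials).
BIND_OK = bytes.fromhex("300c02010161070a010004000400")
BIND_FAIL = bytes.fromhex("301f020101611a0a013104000413") + b"invalid credentials"

if __name__ == "__main__":
    req = bind_request(1, "cn=admin,dc=example,dc=com", "secret")   # constructed DN and password
    print(req.hex())                       # note the password bytes sit in the clear after 0x80 0x06
    print(parse_bind_response(BIND_OK))    # (1, 0, '')
    print(parse_bind_response(BIND_FAIL))  # (1, 49, 'invalid credentials')
```

Result code 49 is returned for both a wrong password and a non-existent DN, so a server that is configured correctly does not tell a client which of the two it got wrong.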
OAuth – Open Authentication
• A simple open standard for secure API authentication.
• An authenticating protocol that allows internet users to approve an application to act on their behalf, without the need for the user to share their password with the application.
• In OAuth the service provider issues tokens; the protocol involves the exchange of tokens/keys and the signing of requests, which makes it a secure protocol.
19
OAuth
20
OAuth
Advantages:
• You don't have to create another profile on the net.
• Fewer passwords to remember.
• The user does not have to submit a password to your application if they do not completely trust it.
• The user can revoke the application's access from the OAuth provider.
Drawbacks:
• The user cannot tailor the profile for your application (this would require additional development).
• It can be a bit confusing for the user to have to create an account with an OAuth provider if he/she does not have an account there already.
21
References
MSDN Security Development Center - http://msdn.microsoft.com/en-us/security/aa570330.aspx
Authentication - http://www.authenticationworld.com/index.php
PKI - http://pst.libre.lu/mssi-luxmbg/p3/01_base-lex-art.html
LDAP - http://directory.apache.org/api/five-minutes-tutorial.html
OAuth - http://oauth.net/about/
22
QUESTIONS?
23
THANK YOU
24

Más contenido relacionado

La actualidad más candente

WSO2 Identity Server - Getting Started
WSO2 Identity Server - Getting StartedWSO2 Identity Server - Getting Started
WSO2 Identity Server - Getting StartedIsmaeel Enjreny
 
Wso2 is integration with .net core
Wso2 is   integration with .net coreWso2 is   integration with .net core
Wso2 is integration with .net coreIsmaeel Enjreny
 
Real time fluent communication using SignalR and Cloud (Windows Azure)
Real time fluent communication using SignalR and Cloud (Windows Azure)Real time fluent communication using SignalR and Cloud (Windows Azure)
Real time fluent communication using SignalR and Cloud (Windows Azure)Radu Vunvulea
 
Identity 3.0 and Oracle
Identity 3.0 and OracleIdentity 3.0 and Oracle
Identity 3.0 and OracleBram van Pelt
 
The Whys and Hows of Deploying a Secure RPA Solution
The Whys and Hows of Deploying a Secure RPA SolutionThe Whys and Hows of Deploying a Secure RPA Solution
The Whys and Hows of Deploying a Secure RPA SolutionOption3
 
Two Factor Authentication
Two Factor AuthenticationTwo Factor Authentication
Two Factor AuthenticationNikhil Shaw
 
Own_blockchain_ Development_Mobiloitte_V1.2.pdf
Own_blockchain_ Development_Mobiloitte_V1.2.pdfOwn_blockchain_ Development_Mobiloitte_V1.2.pdf
Own_blockchain_ Development_Mobiloitte_V1.2.pdfMobiloitte Technologies
 
OpenID Foundation MODRNA WG Overview (Apr. 2019)
OpenID Foundation MODRNA WG Overview (Apr. 2019)OpenID Foundation MODRNA WG Overview (Apr. 2019)
OpenID Foundation MODRNA WG Overview (Apr. 2019)Bjorn Hjelm
 
BlockchainConf.tech - Hyperledger overview
BlockchainConf.tech - Hyperledger overviewBlockchainConf.tech - Hyperledger overview
BlockchainConf.tech - Hyperledger overviewPad Kankipati
 
Introduction to Solus
Introduction to SolusIntroduction to Solus
Introduction to SolusSolus
 
Smart OpenID & Mobile Network Security
Smart OpenID & Mobile Network SecuritySmart OpenID & Mobile Network Security
Smart OpenID & Mobile Network SecurityAndreas Leicher
 
OpenID Foundation Workshop at EIC 2018 - OpenID Enhanced Authentication Profi...
OpenID Foundation Workshop at EIC 2018 - OpenID Enhanced Authentication Profi...OpenID Foundation Workshop at EIC 2018 - OpenID Enhanced Authentication Profi...
OpenID Foundation Workshop at EIC 2018 - OpenID Enhanced Authentication Profi...MikeLeszcz
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- Browser Changes Impacting Iden...
OIDF Workshop at Verizon Media -- 9/30/2019 -- Browser Changes Impacting Iden...OIDF Workshop at Verizon Media -- 9/30/2019 -- Browser Changes Impacting Iden...
OIDF Workshop at Verizon Media -- 9/30/2019 -- Browser Changes Impacting Iden...OpenIDFoundation
 
Signify Passcode On Demand
Signify Passcode On DemandSignify Passcode On Demand
Signify Passcode On Demandpjpallen
 
WSO2Con USA 2017: Multi-tenanted, Role-based Identity & Access Management sol...
WSO2Con USA 2017: Multi-tenanted, Role-based Identity & Access Management sol...WSO2Con USA 2017: Multi-tenanted, Role-based Identity & Access Management sol...
WSO2Con USA 2017: Multi-tenanted, Role-based Identity & Access Management sol...WSO2
 
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWSACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWSAWS User Group Kochi
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Hitachi, Ltd. OSS Solution Center.
 

La actualidad más candente (20)

SolusDeck
SolusDeckSolusDeck
SolusDeck
 
WSO2 Identity Server - Getting Started
WSO2 Identity Server - Getting StartedWSO2 Identity Server - Getting Started
WSO2 Identity Server - Getting Started
 
Wso2 is integration with .net core
Wso2 is   integration with .net coreWso2 is   integration with .net core
Wso2 is integration with .net core
 
Real time fluent communication using SignalR and Cloud (Windows Azure)
Real time fluent communication using SignalR and Cloud (Windows Azure)Real time fluent communication using SignalR and Cloud (Windows Azure)
Real time fluent communication using SignalR and Cloud (Windows Azure)
 
Identity 3.0 and Oracle
Identity 3.0 and OracleIdentity 3.0 and Oracle
Identity 3.0 and Oracle
 
Identity 3.0 and Oracle at AMIS25
Identity 3.0 and Oracle at AMIS25Identity 3.0 and Oracle at AMIS25
Identity 3.0 and Oracle at AMIS25
 
The Whys and Hows of Deploying a Secure RPA Solution
The Whys and Hows of Deploying a Secure RPA SolutionThe Whys and Hows of Deploying a Secure RPA Solution
The Whys and Hows of Deploying a Secure RPA Solution
 
Two Factor Authentication
Two Factor AuthenticationTwo Factor Authentication
Two Factor Authentication
 
Own_blockchain_ Development_Mobiloitte_V1.2.pdf
Own_blockchain_ Development_Mobiloitte_V1.2.pdfOwn_blockchain_ Development_Mobiloitte_V1.2.pdf
Own_blockchain_ Development_Mobiloitte_V1.2.pdf
 
OpenID Foundation MODRNA WG Overview (Apr. 2019)
OpenID Foundation MODRNA WG Overview (Apr. 2019)OpenID Foundation MODRNA WG Overview (Apr. 2019)
OpenID Foundation MODRNA WG Overview (Apr. 2019)
 
BlockchainConf.tech - Hyperledger overview
BlockchainConf.tech - Hyperledger overviewBlockchainConf.tech - Hyperledger overview
BlockchainConf.tech - Hyperledger overview
 
Introduction to Solus
Introduction to SolusIntroduction to Solus
Introduction to Solus
 
Smart OpenID & Mobile Network Security
Smart OpenID & Mobile Network SecuritySmart OpenID & Mobile Network Security
Smart OpenID & Mobile Network Security
 
OpenID Foundation Workshop at EIC 2018 - OpenID Enhanced Authentication Profi...
OpenID Foundation Workshop at EIC 2018 - OpenID Enhanced Authentication Profi...OpenID Foundation Workshop at EIC 2018 - OpenID Enhanced Authentication Profi...
OpenID Foundation Workshop at EIC 2018 - OpenID Enhanced Authentication Profi...
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- Browser Changes Impacting Iden...
OIDF Workshop at Verizon Media -- 9/30/2019 -- Browser Changes Impacting Iden...OIDF Workshop at Verizon Media -- 9/30/2019 -- Browser Changes Impacting Iden...
OIDF Workshop at Verizon Media -- 9/30/2019 -- Browser Changes Impacting Iden...
 
Signify Passcode On Demand
Signify Passcode On DemandSignify Passcode On Demand
Signify Passcode On Demand
 
WSO2Con USA 2017: Multi-tenanted, Role-based Identity & Access Management sol...
WSO2Con USA 2017: Multi-tenanted, Role-based Identity & Access Management sol...WSO2Con USA 2017: Multi-tenanted, Role-based Identity & Access Management sol...
WSO2Con USA 2017: Multi-tenanted, Role-based Identity & Access Management sol...
 
SSO_Good_Bad_Ugly
SSO_Good_Bad_UglySSO_Good_Bad_Ugly
SSO_Good_Bad_Ugly
 
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWSACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?
 

Destacado

Authentication and strong authentication for Web Application
Authentication and strong authentication for Web ApplicationAuthentication and strong authentication for Web Application
Authentication and strong authentication for Web ApplicationSylvain Maret
 
Web authentication & authorization
Web authentication & authorizationWeb authentication & authorization
Web authentication & authorizationAlexandru Pasaila
 
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...TrustBearer
 
The wonderful story of Web Authentication and Single-Sign On
The wonderful story of Web Authentication and Single-Sign OnThe wonderful story of Web Authentication and Single-Sign On
The wonderful story of Web Authentication and Single-Sign OnClément OUDOT
 
Strong Authentication in Web Application / ConFoo.ca 2011
Strong Authentication in Web Application / ConFoo.ca 2011Strong Authentication in Web Application / ConFoo.ca 2011
Strong Authentication in Web Application / ConFoo.ca 2011Sylvain Maret
 
Pmbok 4th edition chapter 11 - Project Risk Management
Pmbok 4th edition   chapter 11 - Project Risk ManagementPmbok 4th edition   chapter 11 - Project Risk Management
Pmbok 4th edition chapter 11 - Project Risk ManagementAhmad Maharma, PMP,RMP
 
PMP Training - 11 project risk management
PMP Training - 11 project risk managementPMP Training - 11 project risk management
PMP Training - 11 project risk managementejlp12
 
Implementing Enterprise Risk Management with ISO 31000:2009
Implementing Enterprise Risk Management with ISO 31000:2009Implementing Enterprise Risk Management with ISO 31000:2009
Implementing Enterprise Risk Management with ISO 31000:2009Goutama Bachtiar
 
Project Risk Management - PMBOK5
Project Risk Management - PMBOK5Project Risk Management - PMBOK5
Project Risk Management - PMBOK5pankajsh10
 

Destacado (12)

Authentication and strong authentication for Web Application
Authentication and strong authentication for Web ApplicationAuthentication and strong authentication for Web Application
Authentication and strong authentication for Web Application
 
Web authentication & authorization
Web authentication & authorizationWeb authentication & authorization
Web authentication & authorization
 
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
 
The wonderful story of Web Authentication and Single-Sign On
The wonderful story of Web Authentication and Single-Sign OnThe wonderful story of Web Authentication and Single-Sign On
The wonderful story of Web Authentication and Single-Sign On
 
SSL TSL;& SET
SSL TSL;& SETSSL TSL;& SET
SSL TSL;& SET
 
Strong Authentication in Web Application / ConFoo.ca 2011
Strong Authentication in Web Application / ConFoo.ca 2011Strong Authentication in Web Application / ConFoo.ca 2011
Strong Authentication in Web Application / ConFoo.ca 2011
 
Pmbok 4th edition chapter 11 - Project Risk Management
Pmbok 4th edition   chapter 11 - Project Risk ManagementPmbok 4th edition   chapter 11 - Project Risk Management
Pmbok 4th edition chapter 11 - Project Risk Management
 
PMP Training - 11 project risk management
PMP Training - 11 project risk managementPMP Training - 11 project risk management
PMP Training - 11 project risk management
 
Implementing Enterprise Risk Management with ISO 31000:2009
Implementing Enterprise Risk Management with ISO 31000:2009Implementing Enterprise Risk Management with ISO 31000:2009
Implementing Enterprise Risk Management with ISO 31000:2009
 
The Purpose And Goals Of Risk Management
The Purpose And Goals Of Risk ManagementThe Purpose And Goals Of Risk Management
The Purpose And Goals Of Risk Management
 
Project Risk Management - PMBOK5
Project Risk Management - PMBOK5Project Risk Management - PMBOK5
Project Risk Management - PMBOK5
 
Risk Management Framework
Risk Management FrameworkRisk Management Framework
Risk Management Framework
 

Similar a Web authentication

Secure electronic transaction
Secure electronic transactionSecure electronic transaction
Secure electronic transactionNishant Pahad
 
CIS13: Federation Protocol Cross-Section
CIS13: Federation Protocol Cross-SectionCIS13: Federation Protocol Cross-Section
CIS13: Federation Protocol Cross-SectionCloudIDSummit
 
Complete Guide to Setup Secure Scheme for Restful APIs
Complete Guide to Setup Secure Scheme for Restful APIsComplete Guide to Setup Secure Scheme for Restful APIs
Complete Guide to Setup Secure Scheme for Restful APIsXing (Xingheng) Wang
 
Introduction to Web Security
Introduction to Web SecurityIntroduction to Web Security
Introduction to Web SecurityKamil Lelonek
 
Openstack identity protocols unconference
Openstack identity protocols unconferenceOpenstack identity protocols unconference
Openstack identity protocols unconferenceDavid Waite
 
TrialPay Security Tech Talk at Stanford ACM
TrialPay Security Tech Talk at Stanford ACMTrialPay Security Tech Talk at Stanford ACM
TrialPay Security Tech Talk at Stanford ACMhackingtrialpay
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsCh 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsSam Bowne
 
Public key infrastructure
Public key infrastructurePublic key infrastructure
Public key infrastructureAditya Nama
 
Secured REST Microservices with Spring Cloud
Secured REST Microservices with Spring CloudSecured REST Microservices with Spring Cloud
Secured REST Microservices with Spring CloudOrkhan Gasimov
 
CNIT 129S: Securing Web Applications Ch 1-2
CNIT 129S: Securing Web Applications Ch 1-2CNIT 129S: Securing Web Applications Ch 1-2
CNIT 129S: Securing Web Applications Ch 1-2Sam Bowne
 
Blockchain and Cybersecurity
Blockchain and Cybersecurity Blockchain and Cybersecurity
Blockchain and Cybersecurity gppcpa
 
Safenet Authentication Service, SAS
Safenet Authentication Service, SASSafenet Authentication Service, SAS
Safenet Authentication Service, SASrobbuddingh
 
Authentication Methods authauthauthauthauthautha
Authentication Methods authauthauthauthauthauthaAuthentication Methods authauthauthauthauthautha
Authentication Methods authauthauthauthauthauthaOlajide Kuku
 
Zend server 6 compliance
Zend server 6  complianceZend server 6  compliance
Zend server 6 complianceYonni Mendes
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Sam Bowne
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure codeFlaskdata.io
 
Entrepreneurship & Commerce in IT - 11 - Security & Encryption
Entrepreneurship & Commerce in IT - 11 - Security & EncryptionEntrepreneurship & Commerce in IT - 11 - Security & Encryption
Entrepreneurship & Commerce in IT - 11 - Security & EncryptionSachintha Gunasena
 
Threats of Database in ECommerce
Threats of Database in ECommerceThreats of Database in ECommerce
Threats of Database in ECommerceMentalist Akram
 

Similar a Web authentication (20)

Secure electronic transaction
Secure electronic transactionSecure electronic transaction
Secure electronic transaction
 
CIS13: Federation Protocol Cross-Section
CIS13: Federation Protocol Cross-SectionCIS13: Federation Protocol Cross-Section
CIS13: Federation Protocol Cross-Section
 
Complete Guide to Setup Secure Scheme for Restful APIs
Complete Guide to Setup Secure Scheme for Restful APIsComplete Guide to Setup Secure Scheme for Restful APIs
Complete Guide to Setup Secure Scheme for Restful APIs
 
Introduction to Web Security
Introduction to Web SecurityIntroduction to Web Security
Introduction to Web Security
 
Openstack identity protocols unconference
Openstack identity protocols unconferenceOpenstack identity protocols unconference
Openstack identity protocols unconference
 
TrialPay Security Tech Talk at Stanford ACM
TrialPay Security Tech Talk at Stanford ACMTrialPay Security Tech Talk at Stanford ACM
TrialPay Security Tech Talk at Stanford ACM
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsCh 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
 
Public key infrastructure
Public key infrastructurePublic key infrastructure
Public key infrastructure
 
Secured REST Microservices with Spring Cloud
Secured REST Microservices with Spring CloudSecured REST Microservices with Spring Cloud
Secured REST Microservices with Spring Cloud
 
CNIT 129S: Securing Web Applications Ch 1-2
CNIT 129S: Securing Web Applications Ch 1-2CNIT 129S: Securing Web Applications Ch 1-2
CNIT 129S: Securing Web Applications Ch 1-2
 
Blockchain and Cybersecurity
Blockchain and Cybersecurity Blockchain and Cybersecurity
Blockchain and Cybersecurity
 
PKI Industry growth in Bangladesh
PKI Industry growth in BangladeshPKI Industry growth in Bangladesh
PKI Industry growth in Bangladesh
 
Safenet Authentication Service, SAS
Safenet Authentication Service, SASSafenet Authentication Service, SAS
Safenet Authentication Service, SAS
 
Authentication Methods authauthauthauthauthautha
Authentication Methods authauthauthauthauthauthaAuthentication Methods authauthauthauthauthautha
Authentication Methods authauthauthauthauthautha
 
Zend server 6 compliance
Zend server 6  complianceZend server 6  compliance
Zend server 6 compliance
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure code
 
Entrepreneurship & Commerce in IT - 11 - Security & Encryption
Entrepreneurship & Commerce in IT - 11 - Security & EncryptionEntrepreneurship & Commerce in IT - 11 - Security & Encryption
Entrepreneurship & Commerce in IT - 11 - Security & Encryption
 
Threats
ThreatsThreats
Threats
 
Threats of Database in ECommerce
Threats of Database in ECommerceThreats of Database in ECommerce
Threats of Database in ECommerce
 

Último

Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajanpragatimahajan3
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
9548086042 for call girls in Indira Nagar with room service
9548086042  for call girls in Indira Nagar  with room service9548086042  for call girls in Indira Nagar  with room service
9548086042 for call girls in Indira Nagar with room servicediscovermytutordmt
 

Último (20)

Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 

Tokens
• Advantages:
– Tokens prevent a thief with a stolen password from accessing the web site.
– Tokens prevent accounts from being shared, since the token itself would have to be duplicated.
– Tokens require no special software on the user's computer.
• Drawbacks:
– Tokens are expensive and must be replaced or refurbished every few years.
– A lost token prevents a valid user from accessing the web site, which disrupts business or commerce.
– Tokens are inconvenient, since the user must manually enter the value shown on the token as well as the password.
8
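Slides 7 and 8 describe hardware and software tokens such as RSA SecurID without showing how the token and the web site can agree on a short code that changes every few seconds. The Go program below is an added example, not part of the slides and not SecurID's proprietary algorithm: it implements the open HOTP and TOTP standards (RFC 4226 and RFC 6238), which derive a code from a seed shared between token and server and a counter or the clock, and it shows the server-side check with a one-step window for clock drift and rejection of a replayed code. The seed is the RFC test-vector secret, constructed here for illustration; a real token holds a random seed provisioned at enrolment.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
// "dynamic truncation" to a 31-bit integer, reduced to the wanted digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	mac.Write(c[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP (RFC 6238): the counter is the number of 30-second steps since the
// Unix epoch, so token and server derive it from their own clocks.
func TOTP(secret []byte, unixTime int64, digits int) string {
	return HOTP(secret, uint64(unixTime/30), digits)
}

// Verifier is the server side of token authentication. It holds the same seed
// as the token, tolerates one step of clock drift either way, and refuses a
// code for any step at or before the last one it accepted (replay protection).
type Verifier struct {
	secret       []byte
	lastUsedStep int64 // -1 until the first successful verification
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{secret: secret, lastUsedStep: -1}
}

// Verify reports whether code matches the current step or one step either
// side, and marks that step as consumed so the same code cannot be reused.
func (v *Verifier) Verify(code string, unixTime int64) bool {
	if len(code) != 6 && len(code) != 8 {
		return false
	}
	step := unixTime / 30
	for delta := int64(-1); delta <= 1; delta++ {
		s := step + delta
		if s <= v.lastUsedStep {
			continue // already used, or older than the last accepted step
		}
		want := HOTP(v.secret, uint64(s), len(code))
		// constant-time comparison so a partially right code does not leak timing
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			v.lastUsedStep = s
			return true
		}
	}
	return false
}

func main() {
	// Constructed seed: the RFC 4226/6238 test-vector secret, not a real token seed.
	seed := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := TOTP(seed, now, 6)
	v := NewVerifier(seed)
	fmt.Println("token shows:       ", code)
	fmt.Println("first use accepted:", v.Verify(code, now))
	fmt.Println("replay accepted:   ", v.Verify(code, now))
}
```

With the RFC test-vector seed, HOTP gives 755224 for counter 0 and 287082 for counter 1, and TOTP at Unix time 59 gives the 8-digit code 94287082; the verifier accepts a code once, then rejects it even though the clock is still inside the window. Generating the same code on two devices never requires the network, which is why a lost or cloned seed, not the code itself, is what an attacker is after.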
PKI - Public Key Infrastructure
• PKI is the set of roles, policies and procedures, built on asymmetric cryptography, for issuing, distributing and revoking digital certificates.
• It relies on digital certificates, issued by certificate authorities (CAs), to bind a user's (or server's) proofed identity to an assigned key pair.
• A public key. This is the half you make public: it is freely distributed and can be seen by all users.
• A corresponding (and unique) private key. This is the half you keep secret: it is never shared with other users, and whoever holds it can act as you.
9
Key management in PKI (contd)
(diagram slide; the three steps it illustrates are spelled out in the speaker notes at the end)
13
HTTPS
• The most widely used application of PKI is HTTPS (Hypertext Transfer Protocol Secure): HTTP carried over TLS, where the server proves its identity with a CA-issued certificate and the session is encrypted.
14
Public Key Infrastructure
• Advantages:
– Every modern browser has built-in support for public key (certificate) authentication.
– Public key authentication can be automatic and even transparent to users.
– Public key authentication is much stronger than passwords, because the authentication “secret” (the private key) is stronger and is never sent to the web site; the site only ever sees the public key and a signature made with the private key.
– A single certificate can be used for many web sites, since the “secret” is not shared with any of them.
15
Public Key Infrastructure
• Drawbacks:
– The complexity of the infrastructure:
• The PKI model requires that the digital certificate bind the proofed identity of the user to the value of the user's public key. This seemingly simple requirement generates a great deal of complexity: how is the identity proofed, who does the proofing, and what are the liabilities if the identity proofing is wrong?
– The PKI model focuses on identity and does not address authorization: a valid certificate says who the holder is, not what they are allowed to do.
16
LDAP – Lightweight Directory Access Protocol
• The Lightweight Directory Access Protocol is a protocol for querying and modifying directory services, running over TCP/IP.
• It is not a directory, a database or an information repository.
– It is a protocol to access directory services.
• Single Sign On systems commonly use LDAP as the back end that checks credentials: the user authenticates once against the directory, and every application in that security domain trusts the same directory.
– User is authenticated at site1; then accesses a resource at site2.
• Drawbacks
– The web is loosely coupled and consists of many security domains; an LDAP bind proves identity only within the domain that owns the directory. SAML is the standard that governs the transfer of authentication assertions between domains.
17
LDAP – Lightweight Directory Access Protocol
• Client requests to bind to the server, presenting its DN and credentials.
• Server accepts or denies the bind request.
• Client sends a search request.
• Server returns zero or more directory entries.
• Server sends a result code with any errors.
• Client sends an unbind request.
• Server closes the socket (the protocol defines no response to an unbind).
18
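To make the bind step of this exchange concrete, here is an added Go example (not from the slides) that encodes a simple-bind LDAPMessage exactly as it goes on the wire (BER, RFC 4511), decodes the server's BindResponse into its result code, and builds the closing unbind message. The DN and password are hypothetical, the two server replies are constructed byte strings rather than captures from a real directory, and nothing is sent over the network; the point is what the bytes contain, in particular that a simple bind carries the password verbatim.

```go
package main

import (
	"errors"
	"fmt"
)

// BER tags used by the bind/unbind exchange (RFC 4511, section 4).
const (
	tagInteger, tagOctetString, tagEnumerated, tagSequence = 0x02, 0x04, 0x0a, 0x30
	tagBindRequest, tagBindResponse                       = 0x60, 0x61 // [APPLICATION 0] and [APPLICATION 1], constructed
	tagUnbindRequest, tagSimpleAuth                       = 0x42, 0x80 // [APPLICATION 2] NULL; [0] simple (password) authentication
)

// tlv wraps the concatenated parts in a tag and a BER length (short form below 128, two-byte long form above).
func tlv(tag byte, parts ...[]byte) []byte {
	var body []byte
	for _, p := range parts {
		body = append(body, p...)
	}
	if len(body) >= 0x80 {
		return append([]byte{tag, 0x82, byte(len(body) >> 8), byte(len(body))}, body...)
	}
	return append([]byte{tag, byte(len(body))}, body...)
}

// smallInt encodes a non-negative INTEGER below 128 (message IDs, version 3).
func smallInt(v int) []byte { return tlv(tagInteger, []byte{byte(v)}) }

// beInt decodes a big-endian unsigned value (lengths, message IDs, result codes).
func beInt(b []byte) (v int) {
	for _, x := range b {
		v = v<<8 | int(x)
	}
	return v
}

// EncodeBindRequest builds the client's first message: LDAPMessage { messageID,
// BindRequest { version 3, name, simple password } }. The password is a plain
// OCTET STRING, so a simple bind must run inside TLS (LDAPS or StartTLS).
func EncodeBindRequest(messageID int, dn, password string) []byte {
	bind := tlv(tagBindRequest, smallInt(3), tlv(tagOctetString, []byte(dn)), tlv(tagSimpleAuth, []byte(password)))
	return tlv(tagSequence, smallInt(messageID), bind)
}

// EncodeUnbindRequest is the client's last message; the server sends no reply, it just closes the socket.
func EncodeUnbindRequest(messageID int) []byte {
	return tlv(tagSequence, smallInt(messageID), []byte{tagUnbindRequest, 0x00})
}

// readTLV splits one element off the front of b, checking its tag and refusing truncated input.
func readTLV(b []byte, want byte) (body, rest []byte, err error) {
	if len(b) < 2 || b[0] != want {
		return nil, nil, fmt.Errorf("ber: expected tag 0x%02x at % x", want, b)
	}
	length, i := int(b[1]), 2
	if n := length & 0x7f; length >= 0x80 { // long form: n length bytes follow
		if n == 0 || n > 4 || len(b) < 2+n {
			return nil, nil, errors.New("ber: bad long-form length")
		}
		length, i = beInt(b[2:2+n]), 2+n
	}
	if len(b) < i+length {
		return nil, nil, errors.New("ber: truncated element")
	}
	return b[i : i+length], b[i+length:], nil
}

// ParseBindResponse decodes the server's reply into message ID, LDAPResult code (0 = success, 49 = invalidCredentials) and diagnostic text.
func ParseBindResponse(msg []byte) (int, int, string, error) {
	buf, err := msg, error(nil)
	next := func(tag byte) []byte { // reads the next element of buf, keeping the first error
		var body []byte
		if err == nil {
			body, buf, err = readTLV(buf, tag)
		}
		return body
	}
	buf = next(tagSequence) // descend into the LDAPMessage
	id := next(tagInteger)
	buf = next(tagBindResponse) // descend into the BindResponse (an LDAPResult)
	code := next(tagEnumerated)
	next(tagOctetString) // matchedDN, not needed here
	diag := next(tagOctetString)
	if err != nil {
		return 0, 0, "", err
	}
	return beInt(id), beInt(code), string(diag), nil
}

// Constructed replies for the demonstration, not captured from a real directory:
// a successful bind, and invalidCredentials (49) with diagnostic text "bad".
var (
	SampleBindSuccess = []byte{0x30, 0x0c, 0x02, 0x01, 0x01, 0x61, 0x07, 0x0a, 0x01, 0x00, 0x04, 0x00, 0x04, 0x00}
	SampleBindInvalid = []byte{0x30, 0x0f, 0x02, 0x01, 0x01, 0x61, 0x0a, 0x0a, 0x01, 0x31, 0x04, 0x00, 0x04, 0x03, 'b', 'a', 'd'}
)

func main() {
	req := EncodeBindRequest(1, "cn=admin,dc=example,dc=com", "secret") // hypothetical DN and password
	fmt.Printf("BindRequest: % x\n", req)
	id, code, diag, err := ParseBindResponse(SampleBindInvalid)
	fmt.Println("BindResponse id:", id, "resultCode:", code, "diag:", diag, "err:", err)
}
```

The encoded bind request is 46 bytes: a SEQUENCE holding the message ID, then the [APPLICATION 0] BindRequest with version 3, the 26-byte DN and the password under context tag 0x80. The password bytes are visible in the dump, which is the practical reason simple bind is only acceptable over LDAPS or after StartTLS; a server answering with result code 49 tells the client the credentials were wrong, and a truncated reply is rejected by the parser rather than read past its end.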
OAuth – Open Authorization
• A simple open standard for delegated API authorization (it is often expanded as “Open Authentication”, but it is not an authentication protocol).
• It allows internet users to approve an application to act on their behalf without the need for the user to share their password with the application.
• The service provider issues tokens to the application: OAuth 1.0 signs every request with a shared secret, while OAuth 2.0 sends bearer tokens over TLS. Either way the application holds a scoped, revocable token instead of the user's password.
19
OAuth
• Advantages:
– You don't have to create another profile on the net.
– Fewer passwords to remember.
– The user does not have to submit a password to your application if they do not completely trust it.
– The user can revoke the application's access at the OAuth provider at any time.
• Drawbacks:
– The user cannot tailor the profile for your application (this would require additional development).
– It can be a bit confusing for the user to have to create an account with the OAuth provider if they do not already have one.
21
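Slides 19 and 21 say the provider issues tokens so that the application never holds the user's password and the user can cut the application off at the provider. The Go program below is an added example, not part of the slides, of the current form of that exchange: the OAuth 2.0 authorization-code flow with PKCE (RFC 7636), with the application side (verifier, state check) and the provider side (code issue, token endpoint, revocation) both simulated in memory. The client ID, redirect URI and the provider's stores are hypothetical stand-ins; the flow between them follows the standard.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// RandomToken returns 32 random bytes as unpadded base64url (state, PKCE verifier, code, token).
func RandomToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// CodeChallengeS256 derives the challenge sent in the authorization request from the verifier the client keeps (RFC 7636).
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// StateMatches is the client's check on the callback: the state that came back
// must equal the one stored in the user's session, or the callback may be forged.
func StateMatches(stored, received string) bool {
	return stored != "" && subtle.ConstantTimeCompare([]byte(stored), []byte(received)) == 1
}

type grant struct {
	clientID, redirectURI, challenge string
	used                             bool
}

// AuthServer is an in-memory stand-in for the provider: single-use codes, revocable tokens.
type AuthServer struct {
	codes  map[string]grant
	tokens map[string]bool
}

func NewAuthServer() *AuthServer {
	return &AuthServer{codes: map[string]grant{}, tokens: map[string]bool{}}
}

// IssueCode runs after the provider has authenticated the user (the application never sees that login).
func (s *AuthServer) IssueCode(clientID, redirectURI, challenge string) (string, error) {
	code, err := RandomToken()
	if err != nil {
		return "", err
	}
	s.codes[code] = grant{clientID: clientID, redirectURI: redirectURI, challenge: challenge}
	return code, nil
}

// ExchangeCode is the token endpoint: the code is consumed on first use, must come back from
// the same client and redirect URI, and the caller must prove it holds the PKCE verifier.
func (s *AuthServer) ExchangeCode(code, clientID, redirectURI, verifier string) (string, error) {
	g, ok := s.codes[code]
	if !ok || g.used {
		return "", errors.New("invalid_grant: unknown or already used code")
	}
	g.used = true
	s.codes[code] = g
	if g.clientID != clientID || g.redirectURI != redirectURI {
		return "", errors.New("invalid_grant: client or redirect_uri mismatch")
	}
	if subtle.ConstantTimeCompare([]byte(g.challenge), []byte(CodeChallengeS256(verifier))) != 1 {
		return "", errors.New("invalid_grant: PKCE verifier does not match challenge")
	}
	token, err := RandomToken()
	if err != nil {
		return "", err
	}
	s.tokens[token] = true
	return token, nil
}

// Revoke is the user withdrawing the application's access at the provider; no password changes.
func (s *AuthServer) Revoke(token string) { delete(s.tokens, token) }

// TokenValid is what a protected API checks before acting on the user's behalf.
func (s *AuthServer) TokenValid(token string) bool { return s.tokens[token] }

func main() {
	srv := NewAuthServer()
	verifier, _ := RandomToken()
	challenge := CodeChallengeS256(verifier)
	// The client would redirect the browser to the provider's authorize endpoint with
	// client_id, redirect_uri, state, code_challenge and code_challenge_method=S256.
	code, _ := srv.IssueCode("demo-app", "https://app.example/cb", challenge)
	token, err := srv.ExchangeCode(code, "demo-app", "https://app.example/cb", verifier)
	fmt.Println("token issued:", err == nil, "valid:", srv.TokenValid(token))
	_, err = srv.ExchangeCode(code, "demo-app", "https://app.example/cb", verifier)
	fmt.Println("code replay rejected:", err != nil)
	srv.Revoke(token)
	fmt.Println("valid after revoke:", srv.TokenValid(token))
}
```

Three properties the slide's advantages rest on are visible here: the provider, not the application, sees the user's login; a stolen authorization code is useless without the verifier that never left the client; and revocation at the provider kills the token without touching the user's password. With the RFC 7636 test verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk the challenge comes out as E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM.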
References
• MSDN Security Development Center - http://msdn.microsoft.com/en-us/security/aa570330.aspx
• Authentication - http://www.authenticationworld.com/index.php
• PKI - http://pst.libre.lu/mssi-luxmbg/p3/01_base-lex-art.html
• LDAP - http://directory.apache.org/api/five-minutes-tutorial.html
• OAuth - http://oauth.net/about/
22

Speaker notes

1. Installing the CA (Certificate Authority) root certificate - The browser vendor receives the CA root certificate from the CA and distributes it as part of the browser installation package.
2. Signing the Web server certificate - The Web server owner sends a certificate request to the CA. The CA, acting as the RA (Registration Authority), verifies the Web server's identity. Then the CA signs (issues) the Web server's certificate.
3. Validating the Web server certificate - When you use the browser to visit the Web server, the browser, acting as the VA (Validation Authority), receives the Web server's certificate and validates it against the CA root certificate: the signature chain, the validity period and the host name in the certificate must all check out. If the browser finds no issue with the server certificate, it uses the public key embedded in it to authenticate the TLS key exchange, and the session keys that result secure the communication with the server.