Online security, strong authentication and One time Password technology has been too expensive for too long. Open source using OATH algorithms provide security without being prohibitively expensive.
2. Why the need for
Strong Authentication?
• Fraud continues to skyrocket
• 10 Million Americans were victims of fraud
last year
• This amounts to over $3.5B of online fraud
last year alone
• Hacking into web sites and stealing passwords
continue to be a main focus of fraudsters
3. Cyber Crime –
A Growing Global Threat
What do these
companies have
in common?
4.
5. Market size & projections
• Gartner says global IT spending is projected to
increase to $170B
• PwC reports that US information security
budgets have grown at almost double the rate
of IT budgets over the last two years
• $1M+ cybersecurity sales to end-users are on
the rise; according to FBR & Co. (Arlington, VA
IB and M&A advisory firm) they have increased
by 40% over last year
• The only slowdown is due to consolidation and
acquisitions
The worldwide cybersecurity market estimates range
from $75B in 2015 -- to $170B by 2020
6. Where did we come from?
• 1961 First computer generated password at MIT
7. Some Statistics
• In 2015 There were 781 Breaches in all categories:
Finance, Government, Healthcare, Education, Business
• 169,068,506 RECORDS BREACHED
• 2005 -2015
• # of Breaches = 5,810 Breaches
• # of records = 847,807,830
• Data credit card companies
– United States represents 27% of world wide credit card
volume
– And anywhere from 46%->50% of the fraud
10. 2015:
Bigger Breaches, Bigger Failures
Premera BlueCross
(3/18/2015)
11M Bank accounts
Social Security numbers
Anthem, Inc.
(02/05/2015)
80M Social Security numbers
Email addresses
Physical addresses
OPM
(06/09/2015)
21.5M+ 1.1M
fingerprints
Personal names
Date and place of birth
Social Security numbers
Complete background
security application
AshleyMadison.com
(07/20/2015)
50M Personal names
Email addresses
Credit card numbers
Physical addresses
11. Trends
• EMV (Chip and pin) is being rolled out in the US.
Last October 2015, the credit card issuing
companies implemented liability shift to
merchants. Many merchants still not accepting
the Chip Card.
• Fraud will move from POS and onto online
transactions as it has in other countries and
regions, Europe, UK, Canada.
• Considering that mobile payment and e-
commerce are growing exponentially….online
transactions are a huge attraction to fraudsters.
12. Why now?
Pressure is mounting to stop the leakage of secure information
• Rapid growth of attacks (66% CAGR)
• Information that needs protection is growing
• Company reputation is at risk
• Leadership reputation is at risk (it’s personal)
• Customers and partners will demand it
• PII regulation is coming (already in Europe)
• Shareholders will demand it to protect profits
• Strong security is a competitive advantage
• Expense of managing exposure is no longer negligible
13. Authentication Methods
• Simple Passwords
• Challenge Response
• One time Passwords
• Public Key Encryption
• Single Sign On
• Adaptive Authentication
• Biometrics
• Push Technologies
• SMS
• H/W Tokens
• S/W Tokens
Bill Gates declared the
Password dead in
2004
15. The Open Authentication Initiative
(OATH) is a group of companies
working together to help drive the
adoption of open strong
authentication technology across all
networks.
Q1
16. OATH History
• Created 9 years ago to provide open source strong
authentication.
• It is an industry-wide collaboration that..
• Leverages existing standards and creates an open
reference architecture for strong authentication
which users and service providers can rely upon, and
leverage to interoperate.
• Reduces the cost and complexity of adopting strong
authentication solutions.
Q1
17. OATH : Background
Networked entities face three major challenges today.
•Theft of or unauthorized access to confidential data.
•The inability to share data over a network without an
increased security risk limits organizations.
•The lack of a viable single sign-on framework inhibits the
growth of electronic commerce and networked operations.
Q1
18. OATH : Justification
• The Initiative for Open Authentication (OATH) addresses
these challenges with standard, open technology that is
available to all.
• OATH is taking an all-encompassing approach, delivering
solutions that allow for strong authentication of all users
on all devices, across all networks.
Q1
20. OATH Reference
Architecture: Establishing
‘common ground’
• Sets the technical vision for
OATH
• 4 guiding principles
– Open and royalty-free specifications
– Device Innovation & embedding
– Native Platform support
– Interoperable modules
• v2.0
– Risk based authentication
– Authentication and Identity Sharing
Q4
21. Standardized
Authentication Algorithms
HOTP OCRA T-HOTP
-Open and royalty free specifications
-Proven security: reviewed by industry experts
-Choice: one size does not fit all
-Event-based OTP
-Based on HMAC,
SHA-1
-IETF RFC 4226
-Based on HOTP
-Challenge-response
authentication
-Short digital signatures
-IETF RFC 6287
-Time-based HOTP
-IEF RFC 6238
23. Token Innovation and Choice
Multi-Function Token
(OTP & USB Smart Card)Soft OTP Token
OTP Token
OTP
embedded
in credit
card
OTP soft token on
mobile phones
HOTP applets on SIM cards
and smart-cards
OTP embedded in flash
devices and USB Keys
HOTP
100+ shipping products
Q11
24. Certification Program
• Certification Adoption
– More products added in 2014-2015
– Numerous products have been certificated from over
30 companies!
• HOTP Standalone Client: 14
• TOTP Standalone Client: 12
• HOTP Validation Server: 11
• TOTP Validation Server: 9
– http://www.openauthentication.org/certification/pro
ducts
26
25. OATH Review
27
Client OTP API
OATH HTML Tags
HMAC
OTP
(HOTP)
RFC* Complete In progress/draft published
Portable Symmetric
Key Container
Provisioning
Protocols
ThraudReport
Validation
Protocol
Challenge-
Response
(OCRA)
Time-
Based
(TOTP)
Certification
Token Identifiers Namespace
TokenID
Extensions
26. Work Completed in 2015
• Algorithm profile update
– Proposal and get RFC status
• Expand the certification program
– Additional profiles
• Provisioning server (DSKPP)
• Software token
– Test enhancements
• VALID specification
– Adoption support and work completion
• OTP usage with NFC
• SAML 2.0 OTP authentication URI?
28
27. OATH Authentication
Framework 2.0
Provisioning
Protocol
Authentication
Protocols
Token
Interface
Validation
Protocols
Client Framework
Provisioning Framework
Validation Framework
User
Store
Token
Store
AuthenticationToken
HOTP
Challenge/
Response
Certificate
ClientApplications
Applications
(VPN, Web
Application,
Etc.) Validation
Services
Provisioning
Service
Credential
Issuer(s)
Time
Based
Bulk Provisioning
Protocols
Risk Evaluation
& Sharing
Risk
Interface
Q4
AuthenticationandIdentity
SharingModels
Authentication
Methods
28. Credential Provisioning
Token manufacturer offline model
• Portable Symmetric Key Container standard
format (PSKC Internet-Draft)
Dynamic real-time model
• Dynamic Symmetric Key Provisioning Protocol
(DSKPP Internet-Draft)
• OTA provisioning to mobile devices, or online to
PC/USB
IETF KeyProv WG
• Current RFC submissions
Q5
29. Objectives
• Understand the full lifecycle support needed
for strong authentication integration
• Learn different approaches to supporting
strong authentication in your applications
• Take away with the best practices for enabling
strong authentication in applications
30. Certification Program
• The OATH Certification Program
– Intended to provide assurance to customers that products
implementing OATH standards and technologies will function as
expected and interoperate with each other.
– Enable customers to deploy ‘best of breed’ solutions consisting of
various OATH ‘certified’ authentication devices such as tokens
and servers from different providers.
• Introduced 2 Draft Certification Profiles at RSA
– Tokens – HOTP Standalone Client
– Servers – HOTP Validation Server
• 10 Additional Profiles to be introduced throughout the
year
31. Typical Application Scenario
Transaction authentication & Signing
• Log on to Bank’s web site
• Give user name and password
• Bank sends a challenge number used to create pin
• User enters number into card and new secure pass code is
generated
• User then submits this new number to the bank’s web site
• Transaction is then authorized by the bank
33. Why is OTP Still Expensive?
• More the 50 companies offer One Time
Password (OTP) solutions in various types and
flavors….
– Soft tokens
– Hard tokens
– Credit Card
– USB tokens
– SMS
– Time based, Event Based, Challenge/response
34. OTP a Commodity?
• Cost per user has consistently been too high,
manufacturers continue to have a business
model that overcharges the user.
• Competition should drive costs down but it
hasn’t happened……until now
35. Modular Design of LinOTP
• LSE LinOTP is an innovative and flexible OTP platform for
strong user authentication.
• Open Source OTP is available for FREE:
• All OATH tokens are supported with SVA – Smart Virtual
Appliance
• Only cost is for support and maintenance
36. Works Everywhere
• One Time passwords offer the advantage that they do not
require client-side driver.
• Open, generally accepted algorithms in particular are
integrated for OTP generation, Listed in RFC4226 algorithm
HMAC-OTP.
• LinOTP also supports various other open and proprietary
token and procedures. The sending of one-time passwords (as
mTAN) via SMS or email is also a function.
• The optional use of hardware tokens, which calculate the
one-time password for the user, can help to increase security
further.
39. Plugin Based
• Enable two-factor authentication in your existing
third party authentication server for user
password
– Your application codes don’t need to change
– Out of box strong authentication support in your
existing third party authentication server
• Integration Connectors available from authentication
solution vendors, e.g. RSA, Symantec
– e.g. CDAS plugin for IBM Access Manager
– Develop your customized plugin for your existing third
party authentication server
41. Risk Based
Authentication Architecture
• Risk-based
authentication
– Convenient
authentication for low risk
transactions
– Stronger authentication
for higher risk
transactions
• OATH will define
standardized
interfaces
– Risk Evaluation
– Sharing fraud information
(ThraudReport)
Validation
client
Validation
framework
Risk
evaluation
and sharing
Fraud information
exchange network
User
store
Authentication protocol
Validation
protocol
Risk
interface
Fraud
Network
Interface
(Thraud)
Validation
client
Validation
framework
Risk
evaluation
and sharing
Fraud information
exchange network
User
store
Authentication protocol
Validation
protocol
Risk
interface
Fraud
Network
Interface
(Thraud)
42. Authentication and Identity
Sharing
• Promotes use of single credential across
applications
– Force multiplier!
• Multiple approaches
– One size does not fit all
• Models that leverage identity sharing
technologies
– Kantara, SAML, OpenID, etc.
• Models to enable sharing of 2nd
factor
authentication only
– Simpler liability models
43. Authentication Sharing – Centralized Token
Service model
• Token is validated
centrally in the
validation service
– Same token can be
activated at multiple
sites
• Easy integration for
application web site(s).
– Can leverage OATH
Validation Service
work!
Q8
44. Authentication Sharing – Distributed
Validation Model
• Inspired by ‘DNS’
• Rich set of deployment
models
– Standalone system
can join the network
by publishing token
discovery information
• There needs to be a
central Token Lookup
Service.
– OATH considering
developing Token
Lookup protocol.
Q8
46. Identity Federation & OATH
• Enables user to use same
identity across website(s)
– Traditional federation
(Liberty)
– User-centric models (OpenID,
CardSpace)
• Single Identity becomes more
valuable
– Needs to protected using
strong authentication
OATH: promote the user of strong
authentication with these technologies!
47. What about Technology
beyond Passwords?
• Adaptive Authentication
• Biometrics
– Fingerprint
– Iris Scan
– Voice
– Facial Recognition
• Biometrics are great but they are irrevocable
48. What about Stronger
Passwords?
• We have more passwords than ever before –
ave. # of passwords used daily is >25.
• Passwords attempt to answer the question: is
this really you?
• Knowing what to type doesn’t authenticate you.
If that worked, fraudsters wouldn’t be
successful.
• Behavior analytics confirms who you are.
• Eventually, you won’t have to remember a
password at all – simply type a phrase, and
based on your behavior, will confirm that it is
really you.
60%
of Internet users have
the same password for
more than one web
account
source: “Adults’ Media Use and
Attitudes Report 2013” – Ofcom
49. The Behavioral Advantage
All the Benefits, None of the Drawbacks
Can’t be
Stolen or
Shared
Identifies the
Person
Gradient
Results Revocable
Nothing to
Remember
No
PII
No Special
Equipment
Easy to
Deploy
Low
Cost Usability
Behavioral
Biometric
Passwords
HW Tokens
SW Tokens
Fingerprint
Facial
recognition
Iris Scan
Voice
Recognition
Good
Okay
Poor
Key Attributes
50. The Time is Now for
Behavioral Analytics
• Security technologies using white list/black list rules or
signature-based strategies are failing to block increasingly
sophisticated attackers
• Network activity logs are generated and then ignored because
human analysts capable to act on them are not available
• Attackers are shifting to targeting individuals to trick or coerce
them into giving up their usernames and passwords
• Fraudsters are become increasingly proficient at assembling full
data records from partial information stolen in earlier breaches
Increase in recommendations by advocates of
behavioral analytics -- but what is driving this trend?
51. Behavioral Login
Using behavior to secure the login,
the latest focal point for cyber
attacks.
Provides…
•security without PII
•frictionless user experience
•control over subscription sharing
With Nothing…
•to possess, or lose (fobs, smartcards)
•to remember (security questions)
•to fail (devices/readers, cell phones, etc.)
Over
300 million
records breached
in 2014, in the
United States
alone.
source: data-breach.silk.co
52. Who is developing it?
• Google to offer Android login based on
behavioral biometrics by end of year
• Telesign in partnership with BehavioSec just
Announced
• Apple possible but still under wraps
53. Driving a fundamental shift fromDriving a fundamental shift from
proprietary to open solutions!proprietary to open solutions!
An industry-wide problem mandates an industry wide solution
• Strong Authentication to stop identity theft across all the networks
A reference architecture based on open standards
• Foster innovation & lower cost
• Drive wider deployment across users and networks
Minimal bureaucracy to get the work done!
Summary
54. How to Get Involved
• Visit the OATH website
– Download Reference Architecture v2
– Download and review draft specifications
• Engage - contribute ideas, suggestions
– Review public draft specifications
– Get involved in developing specifications
• Become a member!
– 3 levels - Coordinating, Contributing, Adopting
– Become an active participant
55. Open Source Implementation
• RADIUS Client
– Java
• http://wiki.freeradius.org/Radiusclient
– .NET
– C/C++
• Authentication Server with OTP Support
– Radius server
• http://www.freeradius.org/
• Need to add OTP auth plugin
– Triplesec
• http://cwiki.apache.org/DIRxTRIPLESEC/
56. References and Resources
• Initiative for Open AuTHentication (OATH)
– http://www.openauthentication.org
• HOTP: An HMAC-Based One-Time Password Algorithm – RFC
4226
– http://www.ietf.org/rfc/rfc4226.txt
• TOTP: Time Based One Time Password Algorithm – RFC 6238
– http://tools.ietf.org/html/rfc6238
• OCRA: OATH Challenge/Response - RFC 6287
– http://tools.ietf.org/html/rfc6287
• OATH Reference Architecture
– http://www.openauthentication.org
[Siddharth]
[sv] updated based on current status.
This picture shows the work items that OATH plans to deliver in 2006. Each work item is discussed in detail in a future slide.
Client OTP API – start TFG meeting, and work on it
VALID spec – discuss in TFG for update
[Siddharth]
[ Talk about the 4 focus areas viz.
Client Framework
Validation Framework
Provisioning Framework
Common Data models]
This slide provides a high level view of the OATH reference architecture.
Client Framework: The client framework enables a range of authentication methods, tokens, and protocols to be supported when deploying strong authentication across an enterprise or service provider infrastructure. The client framework allows for standards-based integration of multiple forms of strong authentication implemented using either existing or new authentication token technologies, and communicated using standard authentication protocols.
Provisioning Framework: The provisioning and management module is responsible for provisioning and managing the entire lifecycle of software modules and/or security credentials to an authentication device. The purpose of this process is to bring the device from a “clean state” to a state where it can be used as an authentication token e.g. provisioning of certificates, or provisioning of an instance of an OTP token in software or a connected token. The goal of the Provisioning architecture is to accommodate secure and reliable delivery of software and/or security credentials to any client device, using standards-based provisioning protocols or programmatic interfaces.
Validation Framework: The validation framework is responsible for validation of the different types of authentication credentials. Various applications that need authentication (such as VPN gateways or web applications) communicate with the validation module using standard validation protocols to authenticate the end-user. The goal of the Validation framework is to enable vendors to write custom validation modules and enables enterprises to deploy multiple types of authenticators in the same infrastructure.
User Store: User store is responsible for storing all end-user profile information. This will include information such as a unique user identifier (username); profile information such as address, first name, last name, etc.; application specific attributes; and finally it may also store some authentication information such as password, token information, etc. User store is typically an LDAP directory or in some cases it could be a database.
[Stu, #5]
[Siddharth]
Question (before showing the picture) – How many folks in the audience have multiple authentication technologies deployed in their infrastructure???
The OATH Validation framework is an architecture that will enable vendors to write custom validation modules and enables enterprises to deploy multiple types of authenticators in the same infrastructure. Additionally, the validation framework will enable organizations to deploy multiple protocol handlers such as RADIUS, OCSP, WS-Security, etc.
The OATH validation framework will benefit the organization that deploys strong authentication by enabling use of multiple authentication methods in the same infrastructure, thereby enabling phased rollout of strong authentication solutions across a wider set of applications and user groups.
As shown in the figure above, the validation framework will consist of the following sub-modules:
• Protocol Handler framework: This framework will enable deployment of multiple protocol handlers
• Validation Handler framework: This framework will enable deployment of multiple validation handlers. Validation handlers: Each validation handler will support validation of a particular instance or flavor of an authentication method e.g. HOTP, RSA SecurID, etc.
•Infrastructure Layer: The infrastructure layer will provide some of the common functionality that can be used by the various other components in the validation system.
Salient Features
• Multiple authentication methods
• Multiple validation protocols
• Multiple validation clients
• Standardized Configuration
• Framework for logging operational and audit events
[Stu, Q3]
Architecture purpose: technical framework and roadmap for creating a set interoperable modules for strong auth.
Audience: architects and IT managers, for use by both vendor community and user organizations looking to deploy auth solutions.
Questions to ask - So, how many people have heard or actually downloaded the OATH reference architecture?
[Stu, #8]
[Stu, #8]
[Stu, #8]
Adoption requires fundamental shift from proprietary to open solutions
Interoperable hardware and software components
Built on existing technology and protocol – 90% of the work is already done
Enable customers to leverage current application and network infrastructure
The only way to build a more secure internet
Push complexity to the cloud and increase scalability
Requires collaborative effort to address this challenge
Collaboration among authentication credential providers to create an open platform for stand alone and embedded credentials
Endorsed and supported by leading network and application product providers
Examples of this again – PC v Mac, Token Ring v IP, more examples here