Multifactor AuthN: It Isn’t Just for Auditors Anymore
Rob Carter & Shilen Patel, Duke University
Fall, 2011 Internet2 Member Meeting
But first, a few words from our security office...

Passwords are the problem
 Password phishing
   5% success rate
   spearphishing
 Some users have had local passwords speared repeatedly

Passwords are the problem
 Hash crackers & GPUs
 SO demo: random pw’s on a single std. video card
   5-char: 4 min, 8-char: 45 days
 Linear decomp, scaling
   $25k ==> 8-char ~ 8 hrs
 Password reuse + one weak external system...
...and a word from our auditors...

You’ve Got Policy Problems
 Institutional expiration, complexity policies considered too weak
 Crack efficiency rises faster than password policies harden
   maybe always will...
 kpmg(sis,erp) ~= FAIL
...and a few from our users...

Passwords are a different kind of problem...
 You already make my password impossibly hard
 If I have to change it frequently, I’ll have to write it down
 If I have to pick one suddenly, it’ll be weak
 Isn’t the system already secure?
Guess where that leaves us?
 Auditors say we need to do something
 Security says we need to do it quickly
 Users won’t accept strict password policies

We’ve no way out but up...
 Multifactor AuthN seems the answer
   Physical factors aren’t phishable
   Auditors love N-factor AuthN
   Security Office loves it, too
Flexibility is critical
 Not all application contexts have the same requirements or capabilities
 Institutional security goals often run counter to applications’ ease-of-use goals
 Everybody needs a little give and take...

...especially the users.
 Tenured Professor: “You use the same password for my HR benefits that I give my secretary so she can read my email. This is an outrage!”
 Something’s definitely an outrage, here, but...
 ...maybe we can use this as a carrot to the auditors’ stick...
 ...but it’ll require more than the traditional approach to multifactor authentication...
Traditional single-mode multifactor is a non-starter
 Authmech = f(organization)
 one-size-fits-all -- that always works
 University users aren’t exactly a captive audience
 Second factors are always attractive targets (viz RSA) -- want to avoid lock-in

Multimode solution seems more attractive...
 Authmech = f(app,user) (or even f(app,user,location))
   f() = Max(user(app),app(user),institution(app,user))
 Prof W. can self-select a higher bar for his logins to his blog, while we can raise the bar for logins to grant mgt.
 Another RSA-type hack could force us to change mechanisms...
 ...and besides... it’s good enough for Google Accounts
Low-hanging fruit strategy
 Start with the IDP
   700+ on-campus SPs and growing already
   If we’re careful, most SPs won’t need to do anything and their users won’t notice anything
   Infrastructure behind the IDP can be reused
   New apps are largely web-based; older apps continue to grow better web interfaces

But shouldn’t it be the SP’s problem?
 Perhaps, but...
   ...SP<->IDP conversation lacks full negotiation, so...
   ...negotiation would require multiple SP round-trips,...
   ...and would likely require app awareness,...
   ...but application authors aren’t usually that savvy

Guess where we are again?
New IDP external authmech
 Pluggable interface for custom credential verifiers
 Recognizes different strength values for different credential types
 Computes required strength based on claimed identity and SP making request.
 [Architecture diagram: Auth Svc backends behind Plug-Ins; Plugin API; Custom multifactor "external" authmech; IDP Login Page (jsp); Rules and Prefs stores]

New IDP external authmech
 IDP Login Extensions
   ajaxy and context sensitive authN options depend on user capabilities and preferences
   constrained feedback to defeat incremental attacks
 [Same architecture diagram as above]

New IDP external authmech
 Data repositories for rules and preferences
   IDP stores mech strength rules locally
   LDAP stores user, SP specific data
   Considering Grouper as replacement for one or both to enhance generality
 [Same architecture diagram as above]

How’re y’gonna keep ‘em on the farm?
 SSO becomes an issue across disparate SPs
 Built-in previous session handler doesn’t understand strength
 We disable it and supply SSO in the external authmech itself
 [Architecture diagram as above, with an SSO Handler inside the external authmech serving SP1 and SP2]

How’re y’gonna keep ‘em on the farm?
 Record authN strength factor (sum) in login context (auth method)
 SSO implements >= semantics -- SSO succeeds iff previous session method strength >= current requirement
 On SSO failure, require all new creds from user
 [Same SSO architecture diagram as above]
Novel Use Cases
 Sometimes a password may not be required (WS)
 If no one specifies anything, UI can look just like before
 If an SP explicitly lowers its expectations, new options arise
   Default numeric strength requirement = 1 (equiv to “password only”)
   Allow OpenID gateway as option for SPs requiring strength < 1
Demos, Demos, Demos

How to convert PDF to text with Nanonetsnaman860154
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Último (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

2012-03 MultiFactor Not Just For Auditors

  • 1. Multifactor AuthN: It Isn’t Just for Auditors Anymore. Rob Carter & Shilen Patel, Duke University. Fall, 2011 Internet2 Member Meeting
  • 2. But first, a few words from our security office...
  • 3. Passwords are the problem: Password phishing (5% success rate; spearphishing); Some users have had local passwords speared repeatedly
  • 4. Passwords are the problem: Hash crackers & GPUs; SO demo: random pw’s on a single std. video card (5-char: 4 min, 8-char: 45 days); Linear decomp, scaling ($25k ==> 8-char ~ 8 hrs); Password reuse + one weak external system...
  • 5. ...and a word from our auditors...
  • 6. You’ve Got Policy Problems: Institutional expiration, complexity policies considered too weak; Crack efficiency rises faster than password policies harden (maybe always will...); kpmg(sis,erp) ~= FAIL
  • 7. ...and a few from our users...
  • 8. Passwords are a different kind of problem...: You already make my password impossibly hard; If I have to change it frequently, I’ll have to write it down; If I have to pick one suddenly, it’ll be weak; Isn’t the system already secure?
  • 9. Guess where that leaves us? Auditors say we need to do something; Security says we need to do it quickly; Users won’t accept strict password policies
  • 10. We’ve no way out but up... Multifactor AuthN seems the answer (Physical factors aren’t phishable; Auditors love N-factor AuthN; Security Office loves it, too)
  • 11. Flexibility is critical: Not all application contexts have the same requirements or capabilities; Institutional security goals often run counter to applications’ ease-of-use goals; Everybody needs a little give and take...
  • 12. ...especially the users. Tenured Professor: “You use the same password for my HR benefits that I give my secretary so she can read my email. This is an outrage!” Something’s definitely an outrage, here, but... ...maybe we can use this as a carrot to the auditors’ stick... ...but it’ll require more than the traditional approach to multifactor authentication...
  • 13. Traditional single-mode multifactor is a non-starter: Authmech = f(organization); one-size-fits-all -- that always works; University users aren’t exactly a captive audience; Second factors are always attractive targets (viz RSA) -- want to avoid lock-in
  • 14. Multimode solution seems more attractive...: Authmech = f(app,user) (or even f(app,user,location)); f() = Max(user(app),app(user),institution(app,user)); Prof W. can self-select a higher bar for his logins to his blog, while we can raise the bar for logins to grant mgt.; Another RSA-type hack could force us to change mechanisms... ...and besides... it’s good enough for Google Accounts
  • 15. Low-hanging fruit strategy: Start with the IDP; 700+ on-campus SPs and growing already; If we’re careful, most SPs won’t need to do anything and their users won’t notice anything; Infrastructure behind the IDP can be reused; New apps are largely web-based, and older apps continue to grow better web interfaces
  • 16. But shouldn’t it be the SP’s problem? Perhaps, but... ...SP<->IDP conversation lacks full negotiation, so... ...negotiation would require multiple SP round-trips,... ...and would likely require app awareness,... ...but application authors aren’t usually that savvy
  • 17. Guess where we are again?
  • 18. New IDP external authmech: Pluggable interface for custom credential verifiers; Recognizes different strength values for different credential types; Computes required strength based on claimed identity and SP making request. [Architecture diagram: Auth Svc (x2), Plug-In (x3), Plugin API, Rules, Prefs, Custom multifactor "external" authmech, IDP Login Page (jsp)]
  • 19. New IDP external authmech: IDP Login Extensions; ajaxy and context sensitive authN options depend on user capabilities and preferences; constrained feedback to defeat incremental attacks. [Same architecture diagram as slide 18]
  • 20. New IDP external authmech: Data repositories for rules and preferences; IDP stores mech strength rules locally; LDAP stores user, SP specific data; Considering Grouper as replacement for one or both to enhance generality. [Same architecture diagram as slide 18]
  • 21. How’re y’gonna keep ‘em on the farm? SSO becomes an issue across disparate SPs; Built-in previous session handler doesn’t understand strength; We disable it and supply SSO in the external authmech itself. [Architecture diagram as slide 18, plus SSO Handler, SP1, SP2]
  • 22. How’re y’gonna keep ‘em on the farm? Record authN strength factor (sum) in login context (auth method); SSO implements >= semantics -- SSO succeeds iff previous session method strength >= current requirement; On SSO failure, require all new creds from user. [Architecture diagram as slide 21]
  • 23. Novel Use Cases: Sometimes a password may not be required (WS); If no one specifies anything, UI can look just like before; If an SP explicitly lowers its expectations, new options arise; Default numeric strength requirement = 1 (equiv to “password only”); Allow OpenID gateway as option for SPs requiring strength < 1
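  The strength policy sketched on slides 14, 19, 22 and 23 can be modelled in a few dozen lines. The Python below is an added illustration and is not Duke's IdP code or any part of the Shibboleth IdP; the mechanism names other than "password" (hw_token, openid_gateway), their strength values, the user and app names (profw, alice, blog, grants, webservice) and the credential store are all constructed for the example. It implements the slides' rules as stated: required strength is the maximum of the user's own preference, the SP's request (defaulting to 1, "password only") and the institutional floor; a login's strength is the sum of its factors; SSO succeeds only if the recorded session strength is at least the current requirement; the OpenID gateway is offered only where the requirement is below 1; and the verifier returns a single pass/fail for the whole set of presented factors rather than per-factor feedback.

```python
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional, Tuple

# Strength per credential type. "password" = 1 is the slides' default
# ("password only"); the other mechanisms and their values are constructed.
MECH_STRENGTH: Dict[str, float] = {
    "password": 1.0,
    "hw_token": 1.0,        # a physical factor; password + token sums to 2
    "openid_gateway": 0.5,  # weaker than a password, so only usable when required < 1
}

DEFAULT_REQUIREMENT = 1.0  # slide 23: default numeric strength requirement = 1


@dataclass
class PolicyRules:
    """The three inputs to f(app, user) from slide 14; contents are constructed."""
    # (user, app) -> minimum strength the user self-selected for that app
    user_prefs: Dict[Tuple[str, str], float] = field(default_factory=dict)
    # app -> strength the SP asks for; an SP may explicitly lower this below 1
    app_reqs: Dict[str, float] = field(default_factory=dict)
    # institutional floor for a given (app, user); 0 means "no opinion"
    institution: Callable[[str, str], float] = lambda app, user: 0.0


def required_strength(app: str, user: str, rules: PolicyRules) -> float:
    """f() = Max(user(app), app(user), institution(app,user)).

    An SP that says nothing gets DEFAULT_REQUIREMENT; one that explicitly
    lowers its expectation can end up below 1, which opens new options.
    """
    user_pref = rules.user_prefs.get((user, app), 0.0)
    app_req = rules.app_reqs.get(app, DEFAULT_REQUIREMENT)
    return max(user_pref, app_req, rules.institution(app, user))


def openid_gateway_allowed(app: str, user: str, rules: PolicyRules) -> bool:
    """Slide 23: the OpenID gateway is an option only where required strength < 1."""
    return required_strength(app, user, rules) < 1.0


def credential_strength(mechs: Iterable[str]) -> float:
    """Slide 22: the strength of a login is the sum of its factors' values."""
    return sum(MECH_STRENGTH[m] for m in mechs)


# Constructed stand-in for the per-mechanism plug-ins: the secrets each user
# could present. A real verifier would call out to the credential back ends.
VALID_CREDS: Dict[str, Dict[str, str]] = {
    "profw": {"password": "correct horse battery", "hw_token": "123456"},
    "alice": {"password": "hunter2"},
}


def verify(user: str, presented: Dict[str, str]) -> bool:
    """Check every presented factor and answer with a single yes/no.

    Slide 19's constrained feedback: every factor is compared (no early exit)
    and the caller never learns which one failed, so factors cannot be
    confirmed one at a time.
    """
    expected = VALID_CREDS.get(user, {})
    ok = bool(presented)
    for mech, value in presented.items():
        match = hmac.compare_digest(expected.get(mech, "").encode(), value.encode())
        ok &= match and mech in expected
    return ok


@dataclass
class LoginContext:
    """What the IdP records about a session: who, and how strongly (slide 22)."""
    user: str
    strength: float


def sso_acceptable(prev: Optional[LoginContext], user: str, app: str,
                   rules: PolicyRules) -> bool:
    """SSO implements >= semantics: the previous session's recorded strength
    must be >= the requirement computed for this request."""
    if prev is None or prev.user != user:
        return False
    return prev.strength >= required_strength(app, user, rules)


def login(user: str, app: str, presented: Dict[str, str], rules: PolicyRules,
          prev: Optional[LoginContext] = None) -> Optional[LoginContext]:
    """Try SSO first; on SSO failure require a complete fresh set of credentials."""
    if sso_acceptable(prev, user, app, rules):
        return prev
    if not verify(user, presented):
        return None
    strength = credential_strength(presented)
    if strength < required_strength(app, user, rules):
        return None  # valid factors, but not strong enough for this app
    return LoginContext(user=user, strength=strength)


if __name__ == "__main__":
    rules = PolicyRules(
        user_prefs={("profw", "blog"): 2.0},   # Prof W. raised the bar on his blog
        app_reqs={"webservice": 0.5},           # an SP that explicitly lowers its expectation
        institution=lambda app, user: 2.0 if app == "grants" else 0.0,
    )
    ctx = login("profw", "blog", {"password": "correct horse battery", "hw_token": "123456"}, rules)
    print("blog login strength:", ctx.strength if ctx else None)
    print("SSO into grants:", sso_acceptable(ctx, "profw", "grants", rules))
```

The `login` function shows the slide 22 flow end to end: an existing session is reused only when its recorded strength covers the new requirement, otherwise the user is asked for a full set of fresh credentials, and those are accepted only if their summed strength meets the requirement. Because `PolicyRules` takes the institutional floor as a function of (app, user), the same model also covers the f(app,user,location) variant from slide 14 by closing over a location argument.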