Digital identity: Toward more convenient, more secure online authentication


For more than four decades, the familiar username/password method has been the basis for authentication when accessing computer-based services. It's a practical approach that provides an acceptable level of security when accessing a closed system, but today's online activities have evolved beyond what the username/password format can effectively protect.

A study, done by Microsoft more than five years ago, showed that the average American user had 25 online accounts secured using 6.5 passwords. It's reasonable to assume that those numbers have increased in recent years, and this raises serious questions about quality issues regarding passwords and the risks associated with insufficient security. The recent hack of 6.5 million LinkedIn user passwords illustrates the limits of username/password authentication techniques, especially when securing today's online services and protecting transactions of increasing value.

Recent initiatives, such as the US National Strategy for Trusted Identity in Cyberspace, show government commitment to enforce cyber security. As stated in the National Security Strategy 1) in 2010, "The Internet and e-commerce are keys to our economic competitiveness."

This white paper introduces the concerns behind user authentication for online services. It describes various concepts and solutions for digital identity, high-security authentication methods, and digital signatures.

1) National Security Strategy, May 2010, The White House

Problems to solve

To start with, let's go through a simple example, where we will identify the various steps that must be taken to initiate and utilize an online service, and the risks that apply to these steps.

Our example begins with Bob, who wants to join a club that will provide him with a wealth of online services, chat rooms, online storage and sharing, instant messaging, mail, localized information, and booking services. Bob has many friends who are already members of the club and he looks forward to sharing messages, information, and pictures with them and the other people he meets online.

The first step for Bob is online registration to the club. He's asked to provide his real name or his online nickname, his age (or at least a verification that he is over the minimum required age for participation), and other pieces of information required by the service provider to fulfill their service provision and legal obligations. Based on the information Bob provides, the service provider then issues a token and a credential binding the token to Bob's identity.

Bob starts using the service as soon as the registration process is complete. He securely authenticates by presenting his token, which is used together with the credential to verify his identity. With the authentication process complete, the service provider grants Bob access so he can start enjoying his subscription services.

The service provider offers a directory search function that lets subscribers see if their friends are also connected to the service. Bob uses the directory to look for and connect with his friends. Bob also sees that one of his favorite actresses, Alice, is also online, so he subscribes to get updates on her daily life.

As Bob continues to use the service, the opportunities for theft continue to appear.
For example, when Bob sees that a good friend has just received a promotion at work, he uses one of the club's localization services to send a celebratory bouquet of flowers from a nearby florist. The club asks Bob to sign his order in such a way that he can't pretend, at a later stage, that he was unaware of his responsibility to the florist or deny that he conveyed the transaction.

It is essential that everyone involved in this example service -- Bob, his friends, the celebrities he follows, the shop owners he deals with -- remain protected from fraud and identity theft. Even in the few steps that we've described, there have been several opportunities where security could fail. To begin, threats can occur at the registration process, especially if subscribers don't have to prove their real identities. Next, during the authentication process, the token or credential could be stolen or hacked from the service provider's server. Similar threats are present when Bob uses the club's various services, such as ordering a delivery from a local florist.

Fortunately, there are ways to reduce these threats and minimize the risk of identity theft. In the next sections, we look at various solutions, including a signature process that can be used with a non-repudiation feature when conducting online transactions.

Registration

Without appropriate controls, the registration process can't perform strong user authentication. At the same time, the user should only provide the identity attributes and traits required for the service provision, and these need to be treated confidentially to protect privacy. When service access is not anonymous, the registration process should involve an identity verification mechanism, but these mechanisms are not in widespread use.

Services that require users to reveal their identity may use an identity verification mechanism during the registration process.
In a purely online process, identity verification can be performed using a credential guaranteed by a third party, a so-called credential broker. For instance, the service might ask the user to prove his identity with an electronic national identity card and a secret, or his bank card hosting a special application. The service provider can then use a third party for the identity check, and issue credentials based on this trusted verification.

In our example, Bob filled in all the details, with his identity attributes and traits, using a secured session on the service provider's web site, and proved his identity by using his identity card and PIN. Once Bob's genuine identity was confirmed by the authentication service associated with his identity card, the service provider issued the credential.

The security checks used in the registration step have to be balanced against several factors. This typically includes the user's perceived security requirements (the user may not accept going through intensive background checks to register for a social network), the legal requirements (the minimum set of attributes that local laws require be collected), and service requirements. It's also important to note that a seamless, purely electronic registration process is likely to be perceived as more convenient than a system that uses the exchange of paper by mail, and this can increase the rate of registration completion.

Authentication

The authentication step lets the service provider assert that the user is who he claims to be, and grant or deny access to the service under that identity. A stronger authentication process increases the user's confidence in the service. For example, Bob will be more likely to use and promote the club if he is confident that his personal details and data, and the services he gained access to, are well protected.

The user authentication process involves presenting an identity (name, nickname, certificate), and proof that a secret is shared between the user and the service provider. The authentication may be more or less secure depending on how the secret is protected. The proof exchanged between the parties may not be the secret (a password), but the result of a mathematical operation using the secret (in this case the secret may be called a key).
In addition, the secret can be complemented by other factors, such as something that the user must have in his possession or something that authentically defines or belongs to the user (an identity trait). The authentication strength, that is, the confidence level that the user is who he claims to be, grows with the number of factors used.

Single factor vs. multi-factor

There are several authentication factors to consider:

- What the user knows: the secret (password, passphrase, PIN code, etc.)
- What the user owns: a token, PC, smartphone, etc.
- What the user is: the user's identity traits (fingerprints, voice, DNA, face, iris, vein network, etc.)

The very basic username/password authentication method uses only a "what the user knows" factor: it is a single-factor authentication method. A method based on a certificate (stored in a USB key or on a PC, for instance) and no password uses only a "what the user owns" factor: it is also a single-factor authentication method. A method that is based on a certificate but requires a password or a PIN code from the user is based on "what the user owns" and "what the user knows" factors: it is called a multi-factor authentication method.

Multi-factor authentication is also called strong authentication. Strong authentication does not preclude the resistance or strength of the factors:

- A password can be weak, when susceptible to attacks using a dictionary or publicly known information about the user, or can be stronger when based on a long character suite that includes uppercase, lowercase, numeric, and symbol characters
- A key can be of varying length; the longer it is the more secure it is
- A certificate can be tamper-protected by smartcard hardware security, or stored on a PC or USB key where it is susceptible to duplication or tampering

However, the overall security and access protection depends on the factor strength. This point needs to be taken into consideration when designing the system.

Ownership factor

The ownership factor ("what the user has") needs to be deemed genuine by the service provider. Therefore, it is usually issued by the service provider at the registration step and consists of a certificate comprising, at a minimum, a digitally signed user identifier. When logging in to the service, the certificate is presented and the provider verifies the signature to assess its authenticity. In addition to being genuine, the ownership factor should be copy protected, to avoid duplication without the user's knowledge.

Knowledge factors

As mentioned earlier, these are passwords, PIN codes, and other secrets that the user should present to prove his identity.
As this information is confidential, it should not be exposed in any way. It makes sense to implement mechanisms where the secret is either verified locally in the terminal or at least used in such a way that it is not transferred as-is to the service provider.

Inherence factors

These "who the user is" factors are unambiguous and/or immutable data that identify a person. Biometrics data are among the inherence factors. Regardless of the location where this information is stored, it should be protected against modification, to ensure that it describes the right individual, and against unauthorized access, as it contains privacy-critical information.

Privacy

Privacy of user identification data, as well as non-traceability of the services used, is a key feature of the authentication service. To return to the Bob example, assume he's decided to use his club's credential to subscribe to another service. Bob doesn't want the new service to use non-required identity attributes to profile him. Nor does he want to be traced when browsing through the various services he has chosen.

In some countries, there are regulatory bodies that ensure that user privacy is well implemented and respected before a service deployment is authorized. For instance, the default behavior of a system should not give it the ability to monitor user behavior at an atomic level. As a result, a minimal disclosure policy, which only provides the information required to exercise the service, should be the rule. For example, full name or national ID number are not used unless accessing a service that requires this information.

Software vs. hardware (authentication)

Software and hardware authentication differ in two main ways:

- Where the security credentials (the factor elements) are stored
- Where the authentication algorithm is executed

Software authentication refers to when there is no dedicated secure element to store the credentials and run the security algorithm, whereas hardware authentication describes cases where a dedicated element using secured smartcard technology hosts the critical items. Software authentication may also apply to implementations that use server storage and checking of credentials.

Today's hardware tokens don't always take the form of a removable token such as a smartcard or a USB key, since more and more systems are equipped with an embedded secure element. Smartphones, tablet PCs and PCs that include Near Field Communication (NFC) can open the secure element for authentication applications.

Software and hardware have their respective advantages and disadvantages, summarized in the table.

|                      | Software              | Hardware     |
|----------------------|-----------------------|--------------|
| Issuance             | Easy, possibly online | More complex |
| Security             | Low                   | High         |
| Security portability | Low                   | High         |
| Privacy (by design)  | Low                   | High         |

Issuance

Software has an advantage here as being purely dematerialized. The token is installed online and may be comprised of a certificate, key(s), an algorithm, and so on. Hardware is more complex to handle from an issuance perspective, since it involves personalization and the shipment of tokens. However, there are secured hardware tokens that the user can purchase in stores that can be personalized or bound to an online account.

Security

Software tokens are intrinsically easier to tamper with or duplicate. Since they reside on equipment connected to the internet, they are more subject to attacks by malware. Moreover, they are not protected by hardware firewalls and therefore are vulnerable to attacks of reverse engineering.

Hardware tokens are based on smartcard technology, which is known for its tamper resistance. Information stored on the smartcard is protected by strong hardware firewalls and controlled by password or PIN code. The keys or credentials used by the authentication algorithms never leave the protected environment.
Hardware tokens are also ideal for biometrics-based authentication, since user details are kept secure and private in a token and never exposed externally.

Smartcard technology implements secure memories to store the critical data (PINs and keys) such that they cannot be read easily. The technology also implements countermeasures against various attacks on the cryptographic algorithms. With software implementations that use standard controllers and memories, the keys and PINs are stored in an unsecured environment. Furthermore, creating secure implementations of cryptographic algorithms poses a significant challenge.

The security advantages of hardware tokens are acknowledged by the US National Institute of Standards and Technology (NIST) in their Electronic Authentication Guideline, where they state that hard cryptographic tokens are the only applicable technology for the highest level of authentication assurance 2).

Security portability

Hardware tokens offer intrinsically secure portability. A token can be used on any equipment, provided this equipment can access it. These days, tokens with USB/contactless or smartcard ISO/contactless interfaces are available to secure PCs, NFC devices, and potentially smart TVs and game console devices.

2) Electronic Authentication Guideline, NIST Special Publication , December

Privacy (by design)

Hardware tokens securely store the user's credentials and attributes, which can be verified locally without any unnecessary exposure to the outside world. Software authentication usually stores user attributes in a server belonging to the service provider, an identity provider or the service provider acting as identity provider for a third-party application.

Storing attributes in a hardware token allows a straightforward minimum disclosure implementation that keeps all credentials under the user's direct control. It ensures that unnecessary details are kept hidden in the token and that only the required information is disclosed during the transaction. For instance, a service that requires the user to be more than 18 years old might provide the user with an "older than 18" flag instead of asking for a specific date of birth.

Signature

The signature is as important as authentication for maintaining the security of electronic transactions. In the real world, handwritten signatures are used to stipulate that all parties agree to a transaction. In case of dispute at a later stage, the signed contract serves as a reminder of the rights and duties the parties formally agreed to. Handwritten signatures are also used by people to verify and guarantee the validity of the information they provide when engaging in a business transaction or acknowledging the receipt of goods or information.

Use cases for digital signature

Online signature generation and verification respond to the same use cases as handwritten signatures in the real world.

Our old friend Bob, a loyal taxpayer, has decided this year to fill out his tax forms online, through his government web portal. He authenticates to the portal using his national electronic ID card and initiates a secure session over the internet connection. Once he has finished his tax declaration, Bob confirms that the editing session is complete.
The tax declaration is then compiled in a document that Bob signs once he has given it a quick recheck, just as he would have done with a paper-based form. For the virtual digital signature process, Bob re-uses his national electronic ID card and confirms that he agrees with the document contents. This generates a formal signature that requires a specific validation, likely based on a new PIN code presentation. Once generated, the signature is sent to Bob's government portal and is appended to the declaration for future reference. Bob also receives a dated certificate of deposit, built using a similar signature process.

Generally speaking, signature generation (the proper document signing process) is employed when the user must give another party proof of acceptance or authenticity of a document. In the tax example, signing the online tax form engaged the responsibility of the signing party regarding the information provided. Signing a mail message will prove to the receiver that the sender is who he claims to be. Digitally signing a contract document proves that the signing party received and accepted the contract as-is.

Requirements and features

The algorithm for signature generation must guarantee that the signature is bound to the document it was generated with and only to that document. If the document is modified, the algorithm needs to produce a different signature regardless of the importance of the modification. The signature process should also date the signature with a timestamp.

The signature verification process should check the signature against the related document and the signing party, and therefore control both the authenticity of the document presented and the identity of the signer.

Signature algorithms rely on so-called public key cryptography. This technology involves a public key, bound to the user identity, and a private key.
The signing operation consists of running an algorithm on the document (or a digest of the document) to build a signature using the private key. Signature verification involves applying the reverse operation on the signature using the public key. If the operation results in the document or its digest, then the signature is verified. The basic principle is that only the private key holder can create a signature but everyone else can verify the signature using the public key.

The signature can only be trusted if the user's private key is kept in a heavily secured area and never exposed, such as in a hardware token. The user's public key is also bound to the user's identity and is guaranteed by a trusted party.

The same generation and verification algorithms are often used by secured authentication processes. If a user wants to authenticate to a service, he signs a small document (a "challenge") randomly issued by the service provider. The provider then verifies the signature and authenticates the user if it's correct. Again, only the holder of the private key, which is typically buried in a smartcard, can generate the signature and therefore successfully perform authentication.
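
The signing, verification and challenge-based authentication described above, as an added example that is not part of the original white paper. It uses textbook RSA over a SHA-256 digest with no padding and a constructed, publicly known key, purely to show the mechanics; the `Token` and `ServiceProvider` classes, the PIN, the retry limit and the single-use challenge check are assumptions made for this sketch.

```python
import hashlib
import secrets

# Constructed demo key. p and q are the publicly known Mersenne primes
# 2^521-1 and 2^607-1, so this key protects nothing; it only keeps the example
# dependency-free. A real key pair is generated randomly and the private part
# stays inside the token. Real schemes also pad the digest (e.g. RSA-PSS).
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (the token's secret)


def digest(data: bytes) -> int:
    """SHA-256 digest of the document as an integer (always smaller than N)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def verify(data: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Apply the public-key operation to the signature and compare the result
    with the digest of the document that was presented."""
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == digest(data)


class Token:
    """Stand-in for the hardware token: the private key is only used inside
    sign(), and signing requires the PIN (ownership plus knowledge factor)."""

    MAX_TRIES = 3  # assumption: a retry limit as commonly found on smartcards

    def __init__(self, d: int, n: int, pin: str):
        self._d, self._n, self._pin = d, n, pin
        self._tries_left = self.MAX_TRIES

    def sign(self, data: bytes, pin: str) -> int:
        if self._tries_left == 0:
            raise PermissionError("token blocked")
        if not secrets.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            raise PermissionError("wrong PIN")
        self._tries_left = self.MAX_TRIES
        return pow(digest(data), self._d, self._n)


class ServiceProvider:
    """Knows only the user's public key, bound to the user at registration."""

    def __init__(self, e: int, n: int):
        self._e, self._n = e, n
        self._pending = set()  # challenges issued and not yet answered

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)  # random, so it cannot be predicted
        self._pending.add(challenge)
        return challenge

    def authenticate(self, challenge: bytes, signature: int) -> bool:
        # A challenge is accepted once; a captured response cannot be replayed.
        if challenge not in self._pending:
            return False
        self._pending.discard(challenge)
        return verify(challenge, signature, self._e, self._n)


def demo() -> dict:
    token = Token(D, N, pin="4821")                       # constructed PIN
    provider = ServiceProvider(E, N)
    document = b"Tax declaration: taxable income 40000"   # constructed document
    signature = token.sign(document, "4821")
    challenge = provider.issue_challenge()
    response = token.sign(challenge, "4821")
    return {
        "genuine": verify(document, signature),
        "tampered": verify(document.replace(b"40000", b"10000"), signature),
        "login": provider.authenticate(challenge, response),
        "replay": provider.authenticate(challenge, response),
    }


if __name__ == "__main__":
    print(demo())
```

The modified document fails verification against the original signature, and the second use of the same challenge response is rejected.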

Data encryption

Another main challenge is data confidentiality, especially when data is transferred over the internet. As illustrated in the previous example, the hardware token is a highly secured placeholder for cryptographic keys. With the advent of portable data storage and cloud storage, user data privacy is at risk, a risk that can be mitigated by data encryption. A hardware token can be used to encrypt/decrypt the user's locally or remotely stored data. The challenge in this case is performance of the interface and the encryption/decryption engine, which can significantly decrease data bandwidth. For encryption based on a hardware token, it's essential that the token can't be accessed by an attacker. Additional access protection to the token (e.g. via a PIN) is usually recommended to achieve multi-factor authentication.

Conclusion

A good password can improve security, but today's users deal with so many online services that keeping track of a long list of different passwords is cumbersome and prone to error. Multi-factor authentication offers stronger, more convenient security than the traditional username/password method. Software tokens, such as certificates stored in a PC, can enhance authentication strength, but today's software solutions can't reach the level of tamper-resistance enabled by secure silicon technology.

The smartcard has become a part of daily life. This technology, the first widely deployed enabler for multi-factor authentication, has proven its efficiency in reducing offline payment fraud and has helped drive success in GSM, 3G, and 4G cellular services by being an essential part of the security architecture. The expanded use of secured silicon technology will support the fight against identity theft and fraud, and has the potential to enable even more end-user services.

Based on trusted security, a complete product portfolio and the best contactless performance, NXP is the leader in the overall ID market as well as in key market segments such as transport ticketing, eGovernment, access, infrastructure, RFID/Authentication, payments, and NFC. NXP provides the entire ID market with end-to-end solutions, enabling customers to create trusted solutions for a smarter life.

NXP Semiconductors N.V. All rights reserved. Reproduction in whole or in part is prohibited without the prior written consent of the copyright owner. The information presented in this document does not form part of any quotation or contract, is believed to be accurate and reliable and may be changed without notice. No liability will be accepted by the publisher for any consequence of its use. Publication thereof does not convey nor imply any license under patent- or other industrial or intellectual property rights.

Date of release: December 2012
Document order number:
Printed in the Netherlands


More information

Alternative authentication what does it really provide?

Alternative authentication what does it really provide? Alternative authentication what does it really provide? Steve Pannifer Consult Hyperion Tweed House 12 The Mount Guildford GU2 4HN UK steve.pannifer@chyp.com Abstract In recent years many new technologies

More information

KEYSTROKE DYNAMIC BIOMETRIC AUTHENTICATION FOR WEB PORTALS

KEYSTROKE DYNAMIC BIOMETRIC AUTHENTICATION FOR WEB PORTALS KEYSTROKE DYNAMIC BIOMETRIC AUTHENTICATION FOR WEB PORTALS Plurilock Security Solutions Inc. www.plurilock.com info@plurilock.com 2 H IGHLIGHTS: PluriPass is Plurilock static keystroke dynamic biometric

More information

Preventing fraud in epassports and eids

Preventing fraud in epassports and eids Preventing fraud in epassports and eids Security protocols for today and tomorrow by Markus Mösenbacher, NXP Machine-readable passports have been a reality since the 1980s, but it wasn't until after 2001,

More information

PopimsCard. Franck GUIGAN f.guigan@popimscode.com +33 6 14 63 93 36. The magic card. February 16. 2016

PopimsCard. Franck GUIGAN f.guigan@popimscode.com +33 6 14 63 93 36. The magic card. February 16. 2016 PopimsCard The magic card February 16. 2016 Franck GUIGAN f.guigan@popimscode.com +33 6 14 63 93 36 We all need to identify other persons, but official documents are not safe: Authenticating an ID card

More information

Authentication Solutions. Versatile And Innovative Authentication Solutions To Secure And Enable Your Business

Authentication Solutions. Versatile And Innovative Authentication Solutions To Secure And Enable Your Business Authentication Solutions Versatile And Innovative Authentication Solutions To Secure And Enable Your Business SafeNet Strong Authentication and Transaction Verification Solutions The Upward Spiral of Cybercrime

More information

CHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device

CHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device CHOOSING THE RIGHT PORTABLE SECURITY DEVICE A guideline to help your organization chose the Best Secure USB device Introduction USB devices are widely used and convenient because of their small size, huge

More information

Article. Robust Signature Capture Using SigPlus Software. Copyright Topaz Systems Inc. All rights reserved.

Article. Robust Signature Capture Using SigPlus Software. Copyright Topaz Systems Inc. All rights reserved. Article Robust Signature Capture Using SigPlus Software Copyright Topaz Systems Inc. All rights reserved. For Topaz Systems, Inc. trademarks and patents, visit www.topazsystems.com/legal. Table of Contents

More information

Enhancing Organizational Security Through the Use of Virtual Smart Cards

Enhancing Organizational Security Through the Use of Virtual Smart Cards Enhancing Organizational Security Through the Use of Virtual Smart Cards Today s organizations, both large and small, are faced with the challenging task of securing a seemingly borderless domain of company

More information

Audio: This overview module contains an introduction, five lessons, and a conclusion.

Audio: This overview module contains an introduction, five lessons, and a conclusion. Homeland Security Presidential Directive 12 (HSPD 12) Overview Audio: Welcome to the Homeland Security Presidential Directive 12 (HSPD 12) overview module, the first in a series of informational modules

More information

Levels of Assurance In Electronic Identity

Levels of Assurance In Electronic Identity Levels of Assurance In Electronic Identity Considerations for Implementation Benjamin Oshrin Rutgers University March 2009 1 About This Presentation Based on what we think we re going to have to do Discussion

More information

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code

More information

Authentication Solutions VERSATILE AND INNOVATIVE AUTHENTICATION SOLUTIONS TO SECURE AND ENABLE YOUR BUSINESS

Authentication Solutions VERSATILE AND INNOVATIVE AUTHENTICATION SOLUTIONS TO SECURE AND ENABLE YOUR BUSINESS Authentication Solutions VERSATILE AND INNOVATIVE AUTHENTICATION SOLUTIONS TO SECURE AND ENABLE YOUR BUSINESS SafeNet Strong Authentication and Transaction Verification Solutions The Upward Spiral of Cybercrime

More information

IDENTITY & ACCESS. Providing Cost-Effective Strong Authentication in the Cloud. a brief for cloud service providers

IDENTITY & ACCESS. Providing Cost-Effective Strong Authentication in the Cloud. a brief for cloud service providers IDENTITY & ACCESS Providing Cost-Effective Strong Authentication in the Cloud a brief for cloud service providers Introduction Interest and use of the cloud to store enterprise resources is growing fast.

More information

Glossary of Key Terms

Glossary of Key Terms and s Branch Glossary of Key Terms The terms and definitions listed in this glossary are used throughout the s Package to define key terms in the context of. Access Control Access The processes by which

More information

5 FAM 140 ACCEPTABILITY AND USE OF ELECTRONIC SIGNATURES

5 FAM 140 ACCEPTABILITY AND USE OF ELECTRONIC SIGNATURES 5 FAM 140 ACCEPTABILITY AND USE OF ELECTRONIC SIGNATURES 5 FAM 141 PURPOSE (CT-IM-112; 07-30-2010) (Office of Origin: IRM/OPS/ITI/SI/IIB) The purpose of this FAM chapter is to enable the Department to

More information

Ericsson Group Certificate Value Statement - 2013

Ericsson Group Certificate Value Statement - 2013 COMPANY INFO 1 (23) Ericsson Group Certificate Value Statement - 2013 COMPANY INFO 2 (23) Contents 1 Ericsson Certificate Value Statement... 3 2 Introduction... 3 2.1 Overview... 3 3 Contact information...

More information

Network-based Access Control

Network-based Access Control Chapter 4 Network-based Access Control 4.1 Rationale and Motivation Over the past couple of years, a multitude of authentication and access control technologies have been designed and implemented. Although

More information

ADVANCE AUTHENTICATION TECHNIQUES

ADVANCE AUTHENTICATION TECHNIQUES ADVANCE AUTHENTICATION TECHNIQUES Introduction 1. Computer systems and the information they store and process are valuable resources which need to be protected. With the current trend toward networking,

More information

STRONGER AUTHENTICATION for CA SiteMinder

STRONGER AUTHENTICATION for CA SiteMinder STRONGER AUTHENTICATION for CA SiteMinder Adding Stronger Authentication for CA SiteMinder Access Control 1 STRONGER AUTHENTICATION for CA SiteMinder Access Control CA SITEMINDER provides a comprehensive

More information

CompTIA Security+ Certification SY0-301

CompTIA Security+ Certification SY0-301 CompTIA Security+ Certification SY0-301 Centro Latino, Inc. Computer Technology Program Prof: Nestor Uribe, nuribe@centrolatino.org www.centrolatino.org 267 Broadway, Chelsea, MA 02150 Tel. (617) 884-3238

More information

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions May 3, 2004 TABLE OF CONTENTS GENERAL PKI QUESTIONS... 1 1. What is PKI?...1 2. What functionality is provided by a

More information

Beyond passwords: Protect the mobile enterprise with smarter security solutions

Beyond passwords: Protect the mobile enterprise with smarter security solutions IBM Software Thought Leadership White Paper September 2013 Beyond passwords: Protect the mobile enterprise with smarter security solutions Prevent fraud and improve the user experience with an adaptive

More information

Modern two-factor authentication: Easy. Affordable. Secure.

Modern two-factor authentication: Easy. Affordable. Secure. Modern two-factor authentication: Easy. Affordable. Secure. www.duosecurity.com Your systems and users are under attack like never before The last few years have seen an unprecedented number of attacks

More information

Enhancing Web Application Security

Enhancing Web Application Security Enhancing Web Application Security Using Another Authentication Factor Karen Lu and Asad Ali Gemalto, Inc. Technology & Innovations Austin, TX, USA Overview Introduction Current Statet Smart Cards Two-Factor

More information

Chapter 1: Introduction

Chapter 1: Introduction Chapter 1 Introduction 1 Chapter 1: Introduction 1.1 Inspiration Cloud Computing Inspired by the cloud computing characteristics like pay per use, rapid elasticity, scalable, on demand self service, secure

More information

Mobility, Security and Trusted Identities: It s Right In The Palm of Your Hands. Ian Wills Country Manager, Entrust Datacard

Mobility, Security and Trusted Identities: It s Right In The Palm of Your Hands. Ian Wills Country Manager, Entrust Datacard Mobility, Security and Trusted Identities: It s Right In The Palm of Your Hands Ian Wills Country Manager, Entrust Datacard WHO IS ENTRUST DATACARD? 2 Entrust DataCard Datacard Corporation. Corporation.

More information

ADDING STRONGER AUTHENTICATION for VPN Access Control

ADDING STRONGER AUTHENTICATION for VPN Access Control ADDING STRONGER AUTHENTICATION for VPN Access Control Adding Stronger Authentication for VPN Access Control 1 ADDING STRONGER AUTHENTICATION for VPN Access Control A VIRTUAL PRIVATE NETWORK (VPN) allows

More information

HKUST CA. Certification Practice Statement

HKUST CA. Certification Practice Statement HKUST CA Certification Practice Statement IN SUPPORT OF HKUST CA CERTIFICATION SERVICES Version : 2.1 Date : 12 November 2003 Prepared by : Information Technology Services Center Hong Kong University of

More information

Longmai Mobile PKI Solution

Longmai Mobile PKI Solution Longmai Mobile PKI Solution A quick Solution to External and Internal fraud in Insurance Industry Putting the client at the center of modernization Contents 1. INTRODUCTION... 3 1.1 Challenges... 3 1.2

More information

White Paper: Multi-Factor Authentication Platform

White Paper: Multi-Factor Authentication Platform White Paper: Multi-Factor Authentication Platform Version: 1.4 Updated: 29/10/13 Contents: About zero knowledge proof authentication protocols: 3 About Pairing-Based Cryptography (PBC) 4 Putting it all

More information

CoSign for 21CFR Part 11 Compliance

CoSign for 21CFR Part 11 Compliance CoSign for 21CFR Part 11 Compliance 2 Electronic Signatures at Company XYZ Company XYZ operates in a regulated environment and is subject to compliance with numerous US government regulations governed

More information

White Paper Preventing Man in the Middle Phishing Attacks with Multi-Factor Authentication

White Paper Preventing Man in the Middle Phishing Attacks with Multi-Factor Authentication White Paper Preventing Man in the Middle Phishing Attacks with Multi-Factor Authentication Page 1 of 8 Introduction As businesses and consumers grow increasingly reliant on the Internet for conducting

More information

WHITE PAPER AUGUST 2014. Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords

WHITE PAPER AUGUST 2014. Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords WHITE PAPER AUGUST 2014 Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords 2 WHITE PAPER: PREVENTING SECURITY BREACHES Table of Contents on t Become the Next Headline

More information

Stop Identity Theft. with Transparent Two-Factor Authentication. e-lock Corporation Sdn Bhd

Stop Identity Theft. with Transparent Two-Factor Authentication. e-lock Corporation Sdn Bhd Stop Identity Theft with Transparent Two-Factor Authentication e-lock Corporation Sdn Bhd December 2009 Table Of Content Table Of Content... 2 Executive Summary... 3 1. Introduction... 4 1.1 The Issue

More information

Neutralus Certification Practices Statement

Neutralus Certification Practices Statement Neutralus Certification Practices Statement Version 2.8 April, 2013 INDEX INDEX...1 1.0 INTRODUCTION...3 1.1 Overview...3 1.2 Policy Identification...3 1.3 Community & Applicability...3 1.4 Contact Details...3

More information

Protecting Online Customers from Man-inthe-Browser and Man-in-the-Middle Attacks

Protecting Online Customers from Man-inthe-Browser and Man-in-the-Middle Attacks Protecting Online Customers from Man-inthe-Browser and Man-in-the-Middle Attacks Whitepaper W H I T E P A P E R OVERVIEW Arcot s unmatched authentication expertise and unique technology give organizations

More information

The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems

The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems Becky Cutler Rebecca.cutler@tufts.edu Mentor: Professor Chris Gregg Abstract Modern day authentication systems

More information

HKUST CA. Certification Practice Statement

HKUST CA. Certification Practice Statement HKUST CA Certification Practice Statement IN SUPPORT OF HKUST CA CERTIFICATION SERVICES Version : 1.1 Date : 3 March 2000 Prepared by : Information Technology Services Center Hong Kong University of Science

More information

CHAPTER 1 INTRODUCTION

CHAPTER 1 INTRODUCTION 1 CHAPTER 1 INTRODUCTION 1.1 Introduction Letter is a written message from a person to another person in other meaning for communication between two people in another location. In an organization, letter

More information

INTEGRATION GUIDE MS OUTLOOK 2003 VERSION 2.0

INTEGRATION GUIDE MS OUTLOOK 2003 VERSION 2.0 INTEGRATION GUIDE MS OUTLOOK 2003 VERSION 2.0 Document Code: ST_UT_MB_MSO_2.0_18042012 The data and information contained in this document cannot be altered without the express written permission of SecuTech

More information

Guideline on Access Control

Guideline on Access Control CMSGu2011-08 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Access Control National Computer Board Mauritius Version 1.0

More information

SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS

SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS Karen Scarfone, Editor Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Many people

More information

Introduction to SAML

Introduction to SAML Introduction to THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY Introduction to Introduction In today s world of rapidly expanding and growing software development; organizations, enterprises and governments

More information

Target Security Breach

Target Security Breach Target Security Breach Lessons Learned for Retailers and Consumers 2014 Pointe Solutions, Inc. PO Box 41, Exton, PA 19341 USA +1 610 524 1230 Background In the aftermath of the Target breach that affected

More information

A brief on Two-Factor Authentication

A brief on Two-Factor Authentication Application Note A brief on Two-Factor Authentication Summary This document provides a technology brief on two-factor authentication and how it is used on Netgear SSL312, VPN Firewall, and other UTM products.

More information

User Authentication Guidance for IT Systems

User Authentication Guidance for IT Systems Information Technology Security Guideline User Authentication Guidance for IT Systems ITSG-31 March 2009 March 2009 This page intentionally left blank March 2009 Foreword The User Authentication Guidance

More information

Driving Company Security is Challenging. Centralized Management Makes it Simple.

Driving Company Security is Challenging. Centralized Management Makes it Simple. Driving Company Security is Challenging. Centralized Management Makes it Simple. Overview - P3 Security Threats, Downtime and High Costs - P3 Threats to Company Security and Profitability - P4 A Revolutionary

More information

Entrust IdentityGuard

Entrust IdentityGuard +1-888-437-9783 sales@identisys.com IdentiSys.com Distributed by: Entrust IdentityGuard is an award-winning software-based authentication enterprises and governments. The solution serves as an organization's

More information

Biometric Authentication Platform for a Safe, Secure, and Convenient Society

Biometric Authentication Platform for a Safe, Secure, and Convenient Society 472 Hitachi Review Vol. 64 (2015), No. 8 Featured Articles Platform for a Safe, Secure, and Convenient Society Public s Infrastructure Yosuke Kaga Yusuke Matsuda Kenta Takahashi, Ph.D. Akio Nagasaka, Ph.D.

More information

LET S ENCRYPT SUBSCRIBER AGREEMENT

LET S ENCRYPT SUBSCRIBER AGREEMENT Page 1 of 7 LET S ENCRYPT SUBSCRIBER AGREEMENT This Subscriber Agreement ( Agreement ) is a legally binding contract between you and, if applicable, the company, organization or other entity on behalf

More information

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11) Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11) Executive Summary...3 Background...4 Internet Growth in the Pharmaceutical Industries...4 The Need for Security...4

More information

A unique biometrics based identifier, such as a fingerprint, voice print, or a retinal scan; or

A unique biometrics based identifier, such as a fingerprint, voice print, or a retinal scan; or SBA Procedural Notice TO: All SBA Employees CONTROL NO.: 5000-1323 SUBJECT: Acceptance of Electronic Signatures in the 7(a) and 504 Loan Program EFFECTIVE: 10/21/14 The purpose of this Notice is to inform

More information

Advanced Authentication

Advanced Authentication White Paper Advanced Authentication Introduction In this paper: Introduction 1 User Authentication 2 Device Authentication 3 Message Authentication 4 Advanced Authentication 5 Advanced Authentication is

More information

Business Issues in the implementation of Digital signatures

Business Issues in the implementation of Digital signatures Business Issues in the implementation of Digital signatures Much has been said about e-commerce, the growth of e-business and its advantages. The statistics are overwhelming and the advantages are so enormous

More information

Securing your Online Data Transfer with SSL

Securing your Online Data Transfer with SSL Securing your Online Data Transfer with SSL A GUIDE TO UNDERSTANDING SSL CERTIFICATES, how they operate and their application 1. Overview 2. What is SSL? 3. How to tell if a Website is Secure 4. What does

More information

Remote Access Securing Your Employees Out of the Office

Remote Access Securing Your Employees Out of the Office Remote Access Securing Your Employees Out of the Office HSTE-NB0011-RV 1.0 Hypersecu Information Systems, Inc. #200-6191 Westminster Hwy Richmond BC V7C 4V4 Canada 1 (855) 497-3700 www.hypersecu.com Introduction

More information

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications Learning objectives E-commerce Security Threats and Protection Mechanisms. This lecture covers internet security issues and discusses their impact on an e-commerce. Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html

More information

Mobile Security Checklist. An Easy, Achievable Plan for Security and Compliance

Mobile Security Checklist. An Easy, Achievable Plan for Security and Compliance Mobile Security Checklist An Easy, Achievable Plan for Security and Compliance Introduction Are mobile devices the weak link in your security defenses? Today, organizations are pouring millions of dollars

More information

The Convergence of IT Security and Physical Access Control

The Convergence of IT Security and Physical Access Control The Convergence of IT Security and Physical Access Control Using a Single Credential to Secure Access to IT and Physical Resources Executive Summary Organizations are increasingly adopting a model in which

More information

2-FACTOR AUTHENTICATION FOR MOBILE APPLICATIONS: INTRODUCING DoubleSec

2-FACTOR AUTHENTICATION FOR MOBILE APPLICATIONS: INTRODUCING DoubleSec 2-FACTOR AUTHENTICATION FOR MOBILE APPLICATIONS: INTRODUCING DoubleSec TECHNOLOGY WHITEPAPER DSWISS LTD INIT INSTITUTE OF APPLIED INFORMATION TECHNOLOGY JUNE 2010 V1.0 1 Motivation With the increasing

More information

Opinion and recommendations on challenges raised by biometric developments

Opinion and recommendations on challenges raised by biometric developments Opinion and recommendations on challenges raised by biometric developments Position paper for the Science and Technology Committee (House of Commons) Participation to the inquiry on Current and future

More information

Multi-Factor Authentication

Multi-Factor Authentication Enhancing network security through the authentication process Multi-Factor Authentication Passwords, Smart Cards, and Biometrics INTRODUCTION Corporations today are investing more time and resources on

More information

Brainloop Cloud Security

Brainloop Cloud Security Whitepaper Brainloop Cloud Security Guide to secure collaboration in the cloud www.brainloop.com Sharing information over the internet The internet is the ideal platform for sharing data globally and communicating

More information

Deciphering the Safe Harbor on Breach Notification: The Data Encryption Story

Deciphering the Safe Harbor on Breach Notification: The Data Encryption Story Deciphering the Safe Harbor on Breach Notification: The Data Encryption Story Healthcare organizations planning to protect themselves from breach notification should implement data encryption in their

More information

Sound Business Practices for Businesses to Mitigate Corporate Account Takeover

Sound Business Practices for Businesses to Mitigate Corporate Account Takeover Sound Business Practices for Businesses to Mitigate Corporate Account Takeover This white paper provides sound business practices for companies to implement to safeguard against Corporate Account Takeover.

More information

ARCHIVED PUBLICATION

ARCHIVED PUBLICATION ARCHIVED PUBLICATION The attached publication, NIST Special Publication 800-63 Version 1.0.2 (dated April 2006), has been superseded and is provided here only for historical purposes. For the most current

More information

More effective protection for your access control system with end-to-end security

More effective protection for your access control system with end-to-end security More effective protection for your access control system with end-to-end security By Jeroen Harmsen The first article on end-to-end security appeared as long ago as 1981. The principle originated in ICT

More information

Ford Motor Company CA Certification Practice Statement

Ford Motor Company CA Certification Practice Statement Certification Practice Statement Date: February 21, 2008 Version: 1.0.1 Table of Contents Document History... 1 Acknowledgments... 1 1. Introduction... 2 1.1 Overview... 3 1.2 Ford Motor Company Certificate

More information

MODERN THREATS DRIVE DEMAND FOR NEW GENERATION MULTI-FACTOR AUTHENTICATION

MODERN THREATS DRIVE DEMAND FOR NEW GENERATION MULTI-FACTOR AUTHENTICATION Whitepaper MODERN THREATS DRIVE DEMAND FOR NEW GENERATION MULTI-FACTOR AUTHENTICATION A SURVEY SHOWS THAT 90% OF ALL COMPANIES HAD BEEN BREACHED IN THE LAST 12 MONTHS. THIS PAIRED WITH THE FACT THAT THREATS

More information

Understanding and Integrating KODAK Picture Authentication Cameras

Understanding and Integrating KODAK Picture Authentication Cameras Understanding and Integrating KODAK Picture Authentication Cameras Introduction Anyone familiar with imaging software such as ADOBE PHOTOSHOP can appreciate how easy it is manipulate digital still images.

More information