Understanding the Role of Smart Cards for Strong Authentication in Network Systems. Bryan Ichikawa Deloitte Advisory
|
|
- Corey Webb
- 8 years ago
- Views:
Transcription
1 Understanding the Role of Smart Cards for Strong Authentication in Network Systems Bryan Ichikawa Deloitte Advisory
2 Overview This session will discuss the state of authentication today, identify some of the main vulnerabilities that exist, and introduce options to consider for strengthening authentication. This session will also look at technologies that support multi-factor authentication, talk about FIDO and how this specification brings a change to the world of online authentication, and discuss how smart card technology can be highly effective and how it is already being used in many places today. 2
3 Agenda What is authentication? Vulnerabilities Strengthening authentication Identifiers vs. authentication Multi-factor authentication FIDO Smart cards as authenticators Authentication futures 3
4 Authentication What is it? In information technology, logical access controls are tools and protocols used for identification, authentication, authorization, and accountability in computer information systems. Electronic authentication (e-authentication) is the process of establishing confidence in user identities electronically presented to an information system. I want to define and differentiate between plain old logical access and electronic authentication. Logical access is simply logging into a network, system, or application. E-authentication is YOU logging into a network, system, or application. In the physical access world, most systems allow the card to gain access, and allows whatever carbon life form attached to that card to tag along. The question is, how do you establish confidence that the carbon life form attached to that access request is the one you think it is? 4
5 Vulnerabilities the business drivers More and more transactions in our business and personal lives are being conducted online The connected universe is a target rich environment for bad actors It is the collective responsibility of organizations and individuals alike to protect personal and sensitive data Userid/passwords as the primary authentication mechanism is not sufficient Many of today s identifiers provide little or no identity assurance Criminal sophistication is increasing at an exponential rate (it is amazing what the devious mind can conjure) A first line of defense is to elevate the security for how we gain access to online resources 5
6 How does logical access control work? Initial registration / application (Optional) Identity proofing Establish an identity that the online system can uniquely recognize (e.g., userid) Establish a secret that only both parties know (e.g., password) Off you go. but How do you know you are logging into the right place? How do they know it is you? How do you prevent someone else from hijacking your account?..??? 6
7 Identifiers vs. authentication Identifiers by themselves simply identify an entity of sorts There is no identity assurance necessarily associated here Authentication is measurable assurance is the measuring stick A level of assurance can be established commensurate with the sensitivity of the information or transaction conducted 7
8 Tokens What are they? In plain English, a token is a secret that comes in a variety of formats. The format of the token has a direct relationship to its strength. For example, a simple password is a very weak token, one that could be easily cracked. A cryptographically protected smart card, on the other hand, is a very strong token. The following slides describe the different types of tokens From NIST Special Publication * Token - Something that the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant s identity. 8 *
9 What are tokens? Tokens contain secrets: Shared secrets Public key cryptography The classic paradigm for authentication identifies three factors as the fundamentals for authentication: Something you know Something you have Something you are But not all factors are secrets. For example: KBA (something you know) Biometrics (something you are) Therefore, not all factors can be considered tokens 9
10 Factors Use of a single factor is referred to as single factor authentication Combining more than one factor is referred to as multifactor authentication But Combining multiple single factors (same factor types) is multiple single factor, NOT multi-factor 10
11 Something you know Typically these are User ID / Password combinations Sometimes only User IDs Sometimes only PIN/Password Finger patterns (drawing a Z on screen) 11
12 Something you have Hardware Token Device Phone (smart or not) PKI Certificates Smart Cards Grid Cards 12
13 OTP One Time Pad (Historic) OTP From One Time Pad, a cryptographic ciphering technique using pads of paper where the top sheet of keying material was torn off after using it one time Today, OTP refers to One Time Password One Time Pad Example 13
14 OTP One Time Password (today) Typically hardware (e.g., RSA SecurID or cards) Token (number) generated on smart phones Token can be delivered via SMS, , phone message (IVR) 14
15 OTP protocol as 2nd factor User login with User ID / Password (1st factor) System asks for OTP token User queries device* and gets token User enters token into system (2nd factor) System allows access * OTP tokens can be delivered in many ways, including SMS text, s, voice messages, computer-based applications, smartphone applications, and hardware devices. OTP tokens are also called verification codes, security codes, passwords, login codes, multi-factor authentication secrets, etc. 15
16 Something you are Biometrics: Fingerprint Face Voice Iris Other biometrics modalities are out there, but the above four are the predominant types in use today 16
17 Token types Memorized Secret Token (Password) Pre-registered Knowledge Token (Favorite Color) Look-up Secret Token (Grid Card) Out of Band Token (SMS OTP) Single Factor One-time Password Device (OTP Device) Single Factor Cryptographic Device (Transport Layer Security Hardware) Multi-factor Software Cryptographic Token (Soft Cert) Multi-factor One-time Password Device (Multi-factor OTP) Multi-factor Cryptographic Device (Smart Card) 17
18 Token types Memorized Secret Token: A secret shared between the Subscriber and the CSP. Memorized Secret Tokens are typically character strings (e.g., passwords and passphrases) or numerical strings (e.g., PINs.) Memorized secret tokens are something you know. Pre-registered Knowledge Token: A series of responses to a set of prompts or challenges. These responses may be thought of as a set of shared secrets. The set of prompts and responses are established by the Subscriber and CSP during the registration process. Pre-registered Knowledge Tokens are something you know. Look-up Secret Token: A physical or electronic token that stores a set of secrets shared between the claimant and the CSP. The claimant uses the token to look up the appropriate secret(s) needed to respond to a prompt from the verifier (the token input). For example, a specific subset of the numeric or character strings printed on a card in table format. Look-up secret tokens are something you have. 18
19 Token types Out of Band Token: A physical token that is uniquely addressable and can receive a verifierselected secret for one-time use. The device is possessed and controlled by the claimant and supports private communication over a channel that is separate from the primary channel for e-authentication. Out of Band Tokens are something you have. Single Factor One-time Password Device: A hardware device that supports the spontaneous generation of onetime passwords. This device has an embedded secret that is used as the seed for generation of one-time passwords and does not require activation through a second factor. Single Factor OTP devices are something you have. Single Factor Cryptographic Device: A hardware device that performs cryptographic operations on input provided to the device. This device does not require activation through a second factor of authentication. This device uses embedded symmetric or asymmetric cryptographic keys. Single Factor Cryptographic Devices are something you have. 19
20 20 Token types Multi-factor Software Cryptographic Token: A cryptographic key is stored on disk or some other soft media and requires activation through a second factor of authentication. The token authenticator is highly dependent on the specific cryptographic protocol, but it is generally some type of signed message. The multifactor software cryptographic token is something you have (plus something you know/are). Multi-factor One-time Password Device: A hardware device that generates one-time passwords for use in authentication and which requires activation through a second factor of authentication. The second factor of authentication may be achieved through some kind of integral entry pad, biometric reader or a direct computer interface (e.g., USB port). The multi-factor OTP device is something you have (plus something you know/are). Multi-factor Cryptographic Device: A hardware device that contains a protected cryptographic key that requires activation through a second authentication factor. The multifactor Cryptographic device is something you have (plus something you know/are).
21 Other authentication methods OOBA Out Of Band Authentication: The use of two separate networks to perform authentication Can be OTP, smartphone app that confirms query, biometrics, but typical OOBA apps do not cross over attributes or artifacts* Step-up Authentication: System asks for an additional factor when a security threshold has been crossed * OOBA Typically, a user tries to login on a computer and the OOBA app on the smart phone asks the user if the login attempt is authorized. The user says yes, and the login takes place on the computer. The authentication protocol on the phone does not interact with the computer login attempt. 21
22 Credentials and Credential Service Providers (CSP) Credentials are tokens that are bound to an identity Identity proofing becomes an integral element of credential issuance Credentials are issued and maintained by Credential Service Providers (CSP) Credentials are associated with a Level of Assurance (LOA); therefore all credentials are not created equal! 22
23 Relying parties Relying parties are those organizations that consume credentials. Some relying parties issue their own credentials, others simply trust credentials issue by other CSPs. If a relying party wants to trust a credential issued by a CSP other than themselves, how do they know how trustworthy that credential is? 23
24 Registration and assurance Identity Proofing proving you are who you claim to be In-person Proofing: Present one or two forms of government issued id Usually has a picture on it, plus relevant personal information (DOB, address, etc.) Perform address or telephone verification Remote Proofing: Submit valid government ID Submit financial or utility account numbers Identity proofing is the activity that binds an identity to a token to create a credential. There are 4 defined levels of assurance. 24
25 NIST SP NIST Special Publication : Electronic Authentication Guideline Released August supplements OMB guidance, E-Authentication Guidance for Federal Agencies [OMB M-04-04*]: Specifically, provides guidelines for implementing step 3 of e- authentication process (next slide) provides technical guidelines to agencies to allow an individual to remotely authenticate their identity to a Federal IT system. These guidelines address traditional methods for remote authentication based on secrets. 25 *
26 OMB M OMB M-04-04: Defines 4 levels of assurance (Levels 1 to 4) Outlines 5-step process: Conduct a risk assessment of the government system Map identified risks to the appropriate assurance level Select technology based on e-authentication technical guidance Validate that the implemented system has met the required assurance level Periodically reassess the information system to determine technology refresh requirements 26
27 Authentication levels Level 1 Level 2 Level 3 Level 4 Little or no confidence in the asserted identity Some confidence in asserted identity High confidence in the asserted identity Very high confidence in the asserted identity Self-assertion Minimum records Online, instant qualification Out-of-band follow-up Remote proofing Online with outof-band verification or qualification Cryptographic solution In-person proofing Recording of a biometric Cryptographic solution Hardware token OMB M04-04 Levels of Assurance 27
28 FIDO Alliance* Fast IDentity Online An alliance whose mission is to change the nature of online identification. UAF and U2F UAF = Universal Authentication Framework (password-less experience) U2F = Universal Second Factor (two factor experience) 28 *
29 FIDO Alliance Board level Alibaba Group ARM Bank of America CrucialTec Discover Egis Technology Google IdentityX ING Intel Lenovo MasterCard Microsoft Nok Nok Labs NTT DOCOMO NXP Oberthur Technologies PayPal Qualcomm RSA Samsung Synaptics USAA Visa Inc. Yubico 29
30 30 FIDO Alliance Sponsor level Aetna Ally Authasas Authentify BKM Blackberry CA Technologies UK Cabinet Office Certivox Chase Cherry Costco Crossmatch Cypress DDS Dell Duo E-Trade Early Warning Entersekt ETRI eyelock FacialNetwork Feitian FingerQ Forgerock Gemalto G&D Goldman Sachs Goodix Happlink Hoyos Labs IDEX Infineon Infoguard Intercede Intuit ISR KICA LG Electronics MedImpact Safran Netflix NXTID Netflix NIST NXTID nymi OSD Ping Identity Plantronics Rambus Redsys Samsung SDS SecureKey SecureAuth SK Telecom Sonavation ST Tendyron Usher Vanguard Vasco Visa Watchdata Wells Fargo WoSign Yahoo! Japan
31 FIDO Alliance Associate level 126 Additional organizations (as of 9/17/2015) Specification 1.0 is final and available for UAF and U2F 31
32 Authentication business drivers The business drivers among various industry sectors are very different Public sector and critical infrastructure are driven by policy and standards: FIPS 201 Commercial industry is driven by profitability: And slowly by security The general public is driven by convenience and reward: And slowly by increasing concern Everyone is slowly being driven by education 32
33 Other industries Banking, Payment and Investments Many financial businesses now offer multi-factor authentication as an additional security measure Most leading providers support stronger authentication Gaming The gaming industry is becoming a leader in end-user security Visit for a comprehensive list of organizations that support stronger levels of authentication 33
34 Smart cards playing a role for strong authentication Mobility: Today s smart phones contain a smart card FIDO: U2F devices are smart card-based Financial: EMV cards are smart cards Transit: Transit cards are moving to smart card technology
35 Authentication futures The US federal government has defined standards and specifications for electronic authentication There is no consistency or standardization outside of the federal government Commercial and consumer requirements are much different Separation of token and identity assurance is a notion that is not defined by federal standards (this is where FIDO fits) But passwords alone are being recognized as insufficient for the future of online authentication Smart card technology already exists in many places use it! As more and more transactions are conducted online, federal and even state governments can require the binding of identities to tokens, but many commercial and consumer enterprises, for the most part, do not require strong identity proofing 35
36 Bryan Ichikawa Deloitte Advisory
37 This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation. As used in this document, Deloitte Advisory means Deloitte & Touche LLP, which provides audit and enterprise risk services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte Transactions and Business Analytics LLP is not a certified public accounting firm. These entities are separate subsidiaries of Deloitte LLP. Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Authentication Tokens
State Capitol P.O. Box 2062 Albany, NY 12220-0062 www.its.ny.gov New York State Information Technology Standard IT Standard: Authentication Tokens No: NYS-S14-006 Updated: 05/15/2015 Issued By: NYS ITS
More informationBriefly describe the #1 problem you have encountered with implementing Multi-Factor Authentication.
Polling Question Briefly describe the #1 problem you have encountered with implementing Multi-Factor Authentication. Please type in your response. This poll will close promptly at 1:00 pm CDT Getting the
More informationRich Furr Head, Global Regulatory Affairs and Chief Compliance Officer, SAFE-BioPharma Association. SAFE-BioPharma Association
Navigating the Identity Landscape Rich Furr Head, Global Regulatory Affairs and Chief Compliance Officer, SAFE-BioPharma Association SAFE-BioPharma Association Overview An overview of US and EU government
More informationIs Consumer-Oriented Strong Authentication Finally Here to Stay? Arshad Noor, CTO, StrongAuth, Inc. Professional Strategies S22
Is Consumer-Oriented Strong Authentication Finally Here to Stay? Arshad Noor, CTO, StrongAuth, Inc. Professional Strategies S22 Historical Perspective Password-based authentication invented at least 4-5
More informationAudio: This overview module contains an introduction, five lessons, and a conclusion.
Homeland Security Presidential Directive 12 (HSPD 12) Overview Audio: Welcome to the Homeland Security Presidential Directive 12 (HSPD 12) overview module, the first in a series of informational modules
More informationModern Multi-factor and Remote Access Technologies
Modern Multi-factor and Remote Access Technologies ANDREW BRICKEY Senior IT Engineer Identity and Access Management / Core Computing Services NLIT Summit 2016 May 11, 2016 1 Agenda Problem and solution
More informationStrong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment
Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment IIIIII Best Practices www.gemalto.com IIIIII Table of Contents Strong Authentication and Cybercrime... 1
More informationAUTHENTIFIERS. Authentify Authentication Factors for Constructing Flexible Multi-Factor Authentication Processes
AUTHENTIFIERS Authentify Authentication Factors for Constructing Flexible Multi-Factor Authentication Processes Authentify delivers intuitive and consistent authentication technology for use with smartphones,
More informationDevice-Centric Authentication and WebCrypto
Device-Centric Authentication and WebCrypto Dirk Balfanz, Google, balfanz@google.com A Position Paper for the W3C Workshop on Web Cryptography Next Steps Device-Centric Authentication We believe that the
More informationIDENTITY & ACCESS. Providing Cost-Effective Strong Authentication in the Cloud. a brief for cloud service providers
IDENTITY & ACCESS Providing Cost-Effective Strong Authentication in the Cloud a brief for cloud service providers Introduction Interest and use of the cloud to store enterprise resources is growing fast.
More informationARCHIVED PUBLICATION
ARCHIVED PUBLICATION The attached publication, NIST Special Publication 800-63 Version 1.0.2 (dated April 2006), has been superseded and is provided here only for historical purposes. For the most current
More informationHow Secure is Authentication?
FIDO UAF Tutorial How Secure is Authentication? How Secure is Authentication? How Secure is Authentication? Cloud Authentication Password Issues Password might be entered into untrusted App / Web-site
More informationA Method of Risk Assessment for Multi-Factor Authentication
Journal of Information Processing Systems, Vol.7, No.1, March 2011 DOI : 10.3745/JIPS.2011.7.1.187 A Method of Risk Assessment for Multi-Factor Authentication Jae-Jung Kim* and Seng-Phil Hong** Abstract
More informationSECURITY IMPLICATIONS OF NFC IN AUTHENTICATION AND IDENTITY MANAGEMENT
SECURITY IMPLICATIONS OF NFC IN AUTHENTICATION AND IDENTITY MANAGEMENT Dmitry Barinov SecureKey Technologies Inc. Session ID: MBS-W09 Session Classification: Advanced Session goals Appreciate the superior
More informationWho s There? A Methodology for Selecting Authentication Credentials. VA-SCAN October 5, 2009 Mary Dunker dunker@vt.edu
Who s There? A Methodology for Selecting Authentication Credentials VA-SCAN October 5, 2009 Mary Dunker dunker@vt.edu Who s There? Driving by your house Do you care? Probably not -- anyone can look 2 Who
More informationContents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008
Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Contents Authentication and Identity Assurance The Identity Assurance continuum Plain Password Authentication
More informationMobile OTPK Technology for Online Digital Signatures. Dec 15, 2015
Mobile OTPK Technology for Online Digital Signatures Dec 15, 2015 Presentation Agenda The presentation will cover Background Traditional PKI What are the issued faced? Alternative technology Introduction
More informationUser Authentication Guidance for IT Systems
Information Technology Security Guideline User Authentication Guidance for IT Systems ITSG-31 March 2009 March 2009 This page intentionally left blank March 2009 Foreword The User Authentication Guidance
More informationThe Convergence of IT Security and Physical Access Control
The Convergence of IT Security and Physical Access Control Using a Single Credential to Secure Access to IT and Physical Resources Executive Summary Organizations are increasingly adopting a model in which
More informationEntrust IdentityGuard
+1-888-437-9783 sales@identisys.com IdentiSys.com Distributed by: Entrust IdentityGuard is an award-winning software-based authentication enterprises and governments. The solution serves as an organization's
More informationMulti-Factor Authentication of Online Transactions
Multi-Factor Authentication of Online Transactions Shelli Wobken-Plagge May 7, 2009 Agenda How are economic and fraud trends evolving? What tools are available to secure online transactions? What are best
More informationNIST E-Authentication Guidance SP 800-63 and Biometrics
NIST E-Authentication Guidance SP 800-63 and Biometrics September 21, 2004 Bill Burr william.burr@nist.gov OMB M-0404 Guidance on E-Auth Part of E-Government initiative put services online About identity
More informationUAF Architectural Overview
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 UAF Architectural Overview Specification Set: fido-uaf-v1.0-rd-20140209 REVIEW DRAFT Editors: Rob Philpott, RSA, the Security Division of EMC Sampath
More informationEconomic and Social Council
UNITED NATIONS E Economic and Social Council Distr. GENERAL ECE/TRANS/WP.30/AC.2/2008/2 21 November 2007 Original: ENGLISH ECONOMIC COMMISSION FOR EUROPE Administrative Committee for the TIR Convention,
More informationNC CJIN Governing Board. 13 October, 2011. George A. White
Advanced Authentication NC CJIN Governing Board 13 October, 2011 George A. White FBI CJIS ISO Brief Policy History Two year development Fully vetted by all state representation Criminal and civil Requirements
More informationHow Secure is Authentication?
U2F & UAF Tutorial How Secure is Authentication? 2014 1.2bn? 2013 397m Dec. 2013 145m Oct. 2013 130m May 2013 22m April 2013 50m March 2013 50m Cloud Authentication Password Issues Password might be entered
More informationResearch Article. Research of network payment system based on multi-factor authentication
Available online www.jocpr.com Journal of Chemical and Pharmaceutical Research, 2014, 6(7):437-441 Research Article ISSN : 0975-7384 CODEN(USA) : JCPRC5 Research of network payment system based on multi-factor
More informationDigital identity: Toward more convenient, more secure online authentication
Digital identity: Toward more convenient, more secure online authentication For more than four decades, the familiar username/password method has been the basis for authentication when accessing computer-based
More informationWhite Paper 2 Factor + 2 Way Authentication to Criminal Justice Information Services. Table of Contents. 1. Two Factor and CJIS
White Paper 2 Factor + 2 Way Authentication to Criminal Justice Information Services Over the past decade, the demands on government agencies to share information across the federal, state and local levels
More informationTrust Elevation Using Risk-Based Multifactor Authentication. Cathy Tilton
Trust Elevation Using Risk-Based Multifactor Authentication Cathy Tilton 1 Caveat Intent is to present an approach for risk-based multifactor authentication and how it might be used in a trustelevation
More informationA unique biometrics based identifier, such as a fingerprint, voice print, or a retinal scan; or
SBA Procedural Notice TO: All SBA Employees CONTROL NO.: 5000-1323 SUBJECT: Acceptance of Electronic Signatures in the 7(a) and 504 Loan Program EFFECTIVE: 10/21/14 The purpose of this Notice is to inform
More informationCA ArcotOTP Versatile Authentication Solution for Mobile Phones
PRODUCT SHEET CA ArcotOTP CA ArcotOTP Versatile Authentication Solution for Mobile Phones Overview Consumers have embraced their mobile phones as more than just calling or texting devices. They are demanding
More informationDepartment of Veterans Affairs Two-Factor Authentication MobilePASS Quick Start Guide November 18, 2015
Department of Veterans Affairs Two-Factor Authentication Quick Start Guide November 18, 2015 Introduction: This guide provides instructions for installation of the soft token on your non-piv enabled or
More informationesign FAQ 1. What is the online esign Electronic Signature Service? 2. Where the esign Online Electronic Signature Service can be used?
esign FAQ 1. What is the online esign Electronic Signature Service? esign Electronic Signature Service is an innovative initiative for allowing easy, efficient, and secure signing of electronic documents
More informationWhat s it all about? SAFE-BioPharma Association
What s it all about? SAFE-BioPharma Association Topics! ONC HIT Standards Committee! ASTM Standards 2 SAFE-BioPharma Association ONC HIT Standards Committee! Oct 21 st meeting Security & Privacy Consumer
More informationStrong Authentication Using Smart Card Technology for Logical Access
Strong Authentication Using Smart Card Technology for Logical Access A Smart Card Alliance Access Control Council White Paper Publication Date: November 2012 Publication Number: ACC - 12002 Smart Card
More informationXYPRO Technology Brief: Stronger User Security with Device-centric Authentication
Ken Scudder Senior Director Business Development & Strategic Alliances XYPRO Technology Talbot A. Harty CEO DeviceAuthority XYPRO Technology Brief: Stronger User Security with Device-centric Authentication
More informationFacebook s Security Philosophy, and how Duo helps.
Facebook s Security Philosophy, and how Duo helps. How Duo Factors in to Facebook s Information Security Philosophy The Challenge: Facebook manages personal data for 1.19 billion active users 1 across
More informationMOBILE VOICE BIOMETRICS MEETING THE NEEDS FOR CONVENIENT USER AUTHENTICATION. A Goode Intelligence white paper sponsored by AGNITiO
MOBILE VOICE BIOMETRICS MEETING THE NEEDS FOR CONVENIENT USER AUTHENTICATION A Goode Intelligence white paper sponsored by AGNITiO First Edition September 2014 Goode Intelligence All Rights Reserved Sponsored
More informationScalable Authentication
Scalable Authentication Rolf Lindemann Nok Nok Labs, Inc. Session ID: ARCH R07 Session Classification: Intermediate IT Has Scaled Technological capabilities: (1971 2013) Clock speed x4700 #transistors
More informationesign Online Digital Signature Service
esign Online Digital Signature Service Government of India Ministry of Communications and Information Technology Department of Electronics and Information Technology Controller of Certifying Authorities
More informationThe Convergence of IT Security and Physical Access Control
The Convergence of IT Security and Physical Access Control Using a Single Credential to Secure Access to IT and Physical Resources Executive Summary Organizations are increasingly adopting a model in which
More informationAdvanced Authentication
White Paper Advanced Authentication Introduction In this paper: Introduction 1 User Authentication 2 Device Authentication 3 Message Authentication 4 Advanced Authentication 5 Advanced Authentication is
More informationDepartment of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT
Department of Veterans Affairs VA DIRECTIVE 6510 Washington, DC 20420 Transmittal Sheet VA IDENTITY AND ACCESS MANAGEMENT 1. REASON FOR ISSUE: This Directive defines the policy and responsibilities to
More informationMulti-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access
Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access CONTENTS What is Authentication? Implementing Multi-Factor Authentication Token and Smart Card Technologies
More informationMultifactor authentication systems Jiří Sobotka, Radek Doležel
Multifactor authentication systems Jiří Sobotka, Radek Doležel Fakulta elektrotechniky a komunikačních technologií VUT v Brně Email: sobotkaj@feec.vutbr.cz Fakulta elektrotechniky a komunikačních technologií
More informationOctober 2014 Issue No: 2.0. Good Practice Guide No. 44 Authentication and Credentials for use with HMG Online Services
October 2014 Issue No: 2.0 Good Practice Guide No. 44 Authentication and Credentials for use with HMG Online Services Good Practice Guide No. 44 Authentication and Credentials for use with HMG Online Services
More informationCopyright 2013-2016 FIDO Alliance All Rights Reserved.
Response to the European Banking Authority (EBA) Discussion Paper on Future Draft Regulatory Technical Standards on Strong Customer Authentication and Secure Communication Under the Revised Payment Services
More informationRF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards
RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards January 2007 Developed by: Smart Card Alliance Identity Council RF-Enabled Applications and Technology:
More informationAuthentication, Authorization, and Audit Design Pattern: External User Authentication
Authentication, Authorization, and Audit Design Pattern: External User Authentication Office of Technology Strategies (TS) Architecture, Strategy, and Design (ASD) Office of Information and Technology
More informationMobility, Security and Trusted Identities: It s Right In The Palm of Your Hands. Ian Wills Country Manager, Entrust Datacard
Mobility, Security and Trusted Identities: It s Right In The Palm of Your Hands Ian Wills Country Manager, Entrust Datacard WHO IS ENTRUST DATACARD? 2 Entrust DataCard Datacard Corporation. Corporation.
More informationFinger Vein digital biometric signature: use cases
Finger Vein digital biometric signature: use cases Arkadiusz Buroń Presales & Account Director Information Systems Group Serock, 2015-09-23 Agenda 1. Introduction to Finger Vein technology 2. Digital biometric
More informationFIDO Modern Authentication Rolf Lindemann, Nok Nok Labs
Rolf Lindemann, Nok Nok Labs cv cryptovision GmbH T: +49 (0) 209.167-24 50 F: +49 (0) 209.167-24 61 info(at)cryptovision.com 1 Authentication in Context Single Sign-On Modern Authentication Federation
More informationImproving Online Security with Strong, Personalized User Authentication
Improving Online Security with Strong, Personalized User Authentication July 2014 Secure and simplify your digital life. Table of Contents Online Security -- Safe or Easy, But Not Both?... 3 The Traitware
More informationFrench Justice Portal. Authentication methods and technologies. Page n 1
French Justice Portal Authentication methods and technologies n 1 Agenda Definitions Authentication methods Risks and threats Comparison Summary Conclusion Appendixes n 2 Identification and authentication
More informationHello, It's Me: Mobile Options for End-User Authentication
Hello, It's Me: Mobile Options for End-User Authentication As enterprises re-evaluate their strategies for authenticating end-users with methods that are stronger than traditional usernames and passwords,
More informationView from a European Trust Service Provider Server Signing: Return of experience and certification strategy
View from a European Trust Service Provider Server Signing: Return of experience and certification strategy January 16, 2014 - Berlin Thibault de Valroger VP Strategy & Development OPENTRUST Thibault.devalroger@opentrust.com
More informationAdding Stronger Authentication to your Portal and Cloud Apps
SOLUTION BRIEF Cyphercor Inc. Adding Stronger Authentication to your Portal and Cloud Apps Using the logintc April 2012 Adding Stronger Authentication to Portals Corporate and consumer portals, as well
More informationIdentity, Credential, and Access Management. Open Solutions for Open Government
Federal CIO Council Information Security and Identity Management Committee Identity, Credential, and Access Management www.idmanagement.gov Open Solutions for Open Government Judith Spencer Co-Chair, ICAM
More informationExecutive Summary P 1. ActivIdentity
WHITE PAPER WP Converging Access of IT and Building Resources P 1 Executive Summary To get business done, users must have quick, simple access to the resources they need, when they need them, whether they
More informationWHITEPAPER SECUREAUTH AND CAC HSPD-12 AUTHENTICATION TO WEB, NETWORK, AND CLOUD RESOURCES
WHITEPAPER SECUREAUTH AND CAC HSPD-12 AUTHENTICATION TO WEB, NETWORK, AND CLOUD RESOURCES Executive Overview U.S. Federal mandates dictates that personal with defense related initiatives must prove access
More informationThe DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions
The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions May 3, 2004 TABLE OF CONTENTS GENERAL PKI QUESTIONS... 1 1. What is PKI?...1 2. What functionality is provided by a
More informationModern two-factor authentication: Easy. Affordable. Secure.
Modern two-factor authentication: Easy. Affordable. Secure. www.duosecurity.com Your systems and users are under attack like never before The last few years have seen an unprecedented number of attacks
More informationChapter 1: Introduction
Chapter 1 Introduction 1 Chapter 1: Introduction 1.1 Inspiration Cloud Computing Inspired by the cloud computing characteristics like pay per use, rapid elasticity, scalable, on demand self service, secure
More informationThese Frequently Asked Questions include information about both the Remote Identity Proofing (RIDP) and
Questions and Answers about Remote Identity Proofing and Multi- Factor Authentication About the Frequently Asked Questions These Frequently Asked Questions include information about both the Remote Identity
More informationVASCO: Compliant Digital Identity Protection for Healthcare
VASCO: Compliant Digital Identity Protection for Healthcare Compliant Digital Identity Protection for Healthcare The proliferation of digital patient information and a surge in government regulations are
More informationEnhancing Web Application Security
Enhancing Web Application Security Using Another Authentication Factor Karen Lu and Asad Ali Gemalto, Inc. Technology & Innovations Austin, TX, USA Overview Introduction Current Statet Smart Cards Two-Factor
More informationIDENTITY & ACCESS. BYOD and Mobile Security Seizing Opportunities, Eliminating Risks in a Dynamic Landscape
IDENTITY & ACCESS BYOD and Mobile Security Seizing Opportunities, Eliminating Risks in a Dynamic Landscape Introduction How does your enterprise view the BYOD (Bring Your Own Device) trend opportunity
More informationMulti-Factor Authentication for your Analytics Implementation. Siamak Ziraknejad VP, Product Management
Multi-Factor Authentication for your Analytics Implementation Siamak Ziraknejad VP, Product Management 1 Agenda What is Multi-Factor Authentication & Why is it important The Usher Security Badge Badge
More informationCHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device
CHOOSING THE RIGHT PORTABLE SECURITY DEVICE A guideline to help your organization chose the Best Secure USB device Introduction USB devices are widely used and convenient because of their small size, huge
More informationDigital Identity Management
Digital Identity Management Techniques and Policies E. Bertino CS Department and ECE School CERIAS Purdue University bertino@cs.purdue.edu Digital Identity Management What is DI? Digital identity (DI)
More informationOut-Of-Band Authentication Using a Real-time, Multi-factor Service Model
Out-Of-Band Authentication Using a Real-time, Multi-factor Service Model Andrew Rolfe Authentify, Inc. Andy.Rolfe@Authentify.com Presentation Overview Authentication basics What is OOBA? Why is it important?
More informationEnable and Turn on MicroStrategy 9s for Existing Projects. Mox Weber, Suhrud Atre, and Rakesh Arora
Enable and Turn on MicroStrategy 9s for Existing Projects Mox Weber, Suhrud Atre, and Rakesh Arora MicroStrategy World Tracks This Session is Part of MicroStrategy World Track 06: Enterprise BI I Forward-Looking
More informationUpdate on Identity Management Initiatives: What Are Institutions, Agencies and Federations Doing?
Update on Identity Management Initiatives: What Are Institutions, Agencies and Federations Doing? Ann West, Michigan Technology University Jackie Charonis, Stanford University Nancy Krogh, University of
More informationMODERN THREATS DRIVE DEMAND FOR NEW GENERATION MULTI-FACTOR AUTHENTICATION
Whitepaper MODERN THREATS DRIVE DEMAND FOR NEW GENERATION MULTI-FACTOR AUTHENTICATION A SURVEY SHOWS THAT 90% OF ALL COMPANIES HAD BEEN BREACHED IN THE LAST 12 MONTHS. THIS PAIRED WITH THE FACT THAT THREATS
More informationDerived credentials. NIST SP 800-63-1 ( 5.3.5) provides for long term derived credentials
Daon your trusted Identity Partner Derived Credentials A Use Case Cathy Tilton Daon 1 February 2012 Derived credentials NIST SP 800-63-1 ( 5.3.5) provides for long term derived credentials Derived credential
More informationPart I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT
Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code
More informationFIDO Trust Requirements
FIDO Trust Requirements Ijlal Loutfi, Audun Jøsang University of Oslo Mathematics and Natural Sciences Faculty NordSec 2015,Stockholm, Sweden October, 20 th 2015 Working assumption: End Users Platforms
More informationCRYPTOGRAPHY AS A SERVICE
CRYPTOGRAPHY AS A SERVICE Peter Robinson RSA, The Security Division of EMC Session ID: ADS R01 Session Classification: Advanced Introduction Deploying cryptographic keys to end points such as smart phones,
More informationOne-Time Password Contingency Access Process
Multi-Factor Authentication: One-Time Password Contingency Access Process Presenter: John Kotolski HRS Security Officer Topics Contingency Access Scenarios Requesting a Temporary One-Time Password Reporting
More informationSTRONGER AUTHENTICATION for CA SiteMinder
STRONGER AUTHENTICATION for CA SiteMinder Adding Stronger Authentication for CA SiteMinder Access Control 1 STRONGER AUTHENTICATION for CA SiteMinder Access Control CA SITEMINDER provides a comprehensive
More informationA Security Survey of Strong Authentication Technologies
A Security Survey of Strong Authentication Technologies WHITEPAPER Contents Introduction... 1 Authentication Methods... 2 Classes of Attacks on Authentication Mechanisms... 5 Security Analysis of Authentication
More informationBusiness Online Banking Quick Users Guide
Business Online Banking Quick Users Guide Business Online Banking Quick Users Guide Table of Contents Overview 2 First Time Login 2 Security 4 Contact Points 4 Registering your Browser / Computer 5 Adding,
More informationBiometric SSO Authentication Using Java Enterprise System
Biometric SSO Authentication Using Java Enterprise System Edward Clay Security Architect edward.clay@sun.com & Ramesh Nagappan CISSP Java Technology Architect ramesh.nagappan@sun.com Agenda Part 1 : Identity
More informationFINAL Version 1.1 April 13, 2011
Office of the Chief Information Security Officer Centers for Medicare & Medicaid Services 7500 Security Boulevard Baltimore, Maryland 21244-1850 Risk Management Handbook Volume III Standard 3.1 FINAL Version
More informationSecurity Levels for Web Authentication using Mobile Phones
Security Levels for Web Authentication using Mobile Phones Anna Vapen and Nahid Shahmehri Department of computer and information science Linköpings universitet, SE-58183 Linköping, Sweden {annva,nahsh}@ida.liu.se
More informationNetIQ Advanced Authentication Framework
NetIQ Advanced Authentication Framework Security Officer Guide Version 5.2.0 1 Table of Contents 1 Table of Contents 2 Introduction 3 About This Document 3 Authenticators Management 4 Card 8 Email OTP
More informationManaged Portable Security Devices
Managed Portable Security Devices www.mxisecurity.com MXI Security leads the way in providing superior managed portable security solutions designed to meet the highest security and privacy standards of
More informationElectronic Authentication Guideline. -- OR -- http://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-63-2.pdf
The attached Special Publication 800-63-1 document (provided here for historical purposes) has been superseded by the following publication: Publication Number: Special Publication 800-63-2 Title: Publication
More informationSmart Cards, Biometrics and Tokens for VLANs and Subnet Access
Smart Cards, Biometrics and Tokens for VLANs and Subnet Access Jeff Hayes Director, Security Programs Alcatel e-business Networking Division Agenda LAN Access Issues and Requirements
More informationCan We Reconstruct How Identity is Managed on the Internet?
Can We Reconstruct How Identity is Managed on the Internet? Merritt Maxim February 29, 2012 Session ID: STAR 202 Session Classification: Intermediate Session abstract Session Learning Objectives: Understand
More informationMoving to Multi-factor Authentication. Kevin Unthank
Moving to Multi-factor Authentication Kevin Unthank What is Authentication 3 steps of Access Control Identification: The entity makes claim to a particular Identity Authentication: The entity proves that
More informationStandards for Identity & Authentication. Catherine J. Tilton 17 September 2014
Standards for Identity & Authentication Catherine J. Tilton 17 September 2014 Purpose of these standards Wide deployment of authentication technologies that may be used in a global context is heavily dependent
More informationSoftware Token Security & Provisioning: Innovation Galore!
Software Token Security & Provisioning: Innovation Galore! Kenn Min Chong, Principal Product Manager SecurID, RSA Emily Ryan, Security Solution Architect, Intel Michael Lyman, Product Marketing Manager,
More informationGlossary of Key Terms
and s Branch Glossary of Key Terms The terms and definitions listed in this glossary are used throughout the s Package to define key terms in the context of. Access Control Access The processes by which
More informationGOALS (2) The goal of this training module is to increase your awareness of HSPD-12 and the corresponding technical standard FIPS 201.
PERSONAL IDENTITY VERIFICATION (PIV) OVERVIEW INTRODUCTION (1) Welcome to the Homeland Security Presidential Directive 12 (HSPD-12) Personal Identity Verification (PIV) Overview module, designed to familiarize
More informationWHITEPAPER. SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS
WHITEPAPER SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS EXECUTIVE OVERVIEW 2-Factor as a Service (2FaaS) is a 100% cloud-hosted authentication solution that offers flexible security without compromising user
More informationRSA SecurID Software Token 1.0 for Android Administrator s Guide
RSA SecurID Software Token 1.0 for Android Administrator s Guide Contact Information See the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA,
More informationPublic Key Infrastructure Defence Public Key Infrastructure Levels of Assurance Requirements Certificate Policy Object Identifiers (OIDs)
Public Key Infrastructure Defence Public Key Infrastructure Levels of Assurance Requirements Certificate Policy Object Identifiers (OIDs) Version 1.0 November 2014 Owner Defence PKI Policy Board c/ APW-G-125
More informationGuide for Setting Up Your Multi-Factor Authentication Account and Using Multi-Factor Authentication. Mobile App Activation
Guide for Setting Up Your Multi-Factor Authentication Account and Using Multi-Factor Authentication Mobile App Activation Before you can activate the mobile app you must download it. You can have up to
More information