Technical User Group Agenda

Size: px

Start display at page:

Download "Technical User Group Agenda"

Jason Wilkerson
8 years ago
Views:

1 Technical User Group Agenda December 16, 2014 Web Conference Information URL: Meeting Number: Access Code: :00 a.m. 10:30 a.m. (Pacific Time) Conference Call Information Domestic Call In: (866) International Call In: (216) Pass Code: Time Topic Facilitator 10:00 10:05 Agenda & ISO Roll call Douglas Walker 10:05 10:25 Multifactor Authentication Thomas Williams 10:25 10:30 Open Discussion and Call for Future Topics Douglas Walker 10:30 Adjourn Douglas Walker

(866) 528-2256 International Call In: (216) 706-7052 Pass Code: 5251941 Time Topic Facilitator 10:00 10:05 Agenda & ISO Roll call

2 Multifactor Authentication December 16, 2014

3 Introduction Today s topic is ensuring secure authentication to ISO applications. This discussion is specific to UI (browser-based) applications; B2B processes are not in scope. Today ISO customers use digital certificates to authenticate to ISO UI applications such as SIBR. A financial market such as the ISO s energy market involves many sensitive transactions. The integrity of market transactions needs to be assured in order to maintain trust in the market. Without trust, the market would not be able to execute fairly and impartially. Page 3

Today ISO customers use digital certificates to authenticate to ISO UI applications such as SIBR.

4 Customer Trust Customer trust is a top ISO priority. The ISO has a responsibility to provide enhanced customer identity protection in order to maintain high levels of trust in market functions. This trust directly supports grid reliability. Any lack of certainty in identifying the source or assuring the integrity of market transactions could erode this trust. Page 4

maintain high levels of trust in market functions.

5 Identity Protection Protection of digital identities forms a trust framework that supports market reliability and cost efficiency. The ISO can help with technology such as multifactor authentication, which supports identity protection by increasing assurance levels in securely connecting ISO customers to market applications. Page 5

The ISO can help with technology such as multifactor authentication, which supports

6 Multifactor Authentication Multifactor authentication uses more than one identity claim or factor. One factor: This is who I claim to be. A second factor: Here is additional information to remove any reasonable doubt about my claim. There are three general types of authentication factors: Something you know (such as a password); Something you have (such as a digital certificate); Something you are (such as a fingerprint). Use of two of the three authentication factors greatly increases identity assurance. Page 6

A second factor: Here is additional information to remove any reasonable doubt about my claim.

7 A Second Authentication Factor A digital certificate represents one of the three authentication factors; this is something you have. A knowledge factor, or something you know, is the logical and cost-effective choice for a second authentication factor to protect digital identities. Types of knowledge factors include: Passwords (including one-time passwords) PINs (including CVCs) Secret questions Page 7

A knowledge factor, or something you know, is the logical and cost-effective choice for a second

8 Rationale for Multifactor Authentication NIST We have discussed how authentication and identity support market trust and impartiality. NIST Special Publication , an Electronic Authentication Guideline, recommends a risk analysis to determine a requirement for one of four levels of identity assurance. Authentication to use or create restricted market information requires at least Level 3 assurance with multifactor authentication: For electronic transactions, the Applicant shall identify himself/herself in each new electronic transaction by presenting a temporary secret which was established during a prior transaction or encounter, or sent to the Applicant s phone number, address, or physical address of record. Page 8

Authentication to use or create restricted market information requires at least Level 3 assurance with multifactor authentication: For electronic transactions, the Applicant shall

9 Rationale for Multifactor Authentication FFIEC Secure authentication supports grid reliability and cost optimization in fast-moving, high-volume markets. All markets carry various levels of financial risk. Identity assurance should not be one of those risks. The Federal Financial Institutions Examination Council (FFIEC) publishes guidelines on how financial transactions should be protected to ensure market trust. FFIEC guidelines state single-factor authentication alone is inadequate for protecting financial consumers. The agencies consider the use of single-factor authentication to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Page 9

The Federal Financial Institutions Examination Council (FFIEC) publishes guidelines on how financial transactions should be protected to ensure market trust.

10 Evaluation Phase The ISO is currently evaluating options for multifactor authentication. To protect the identities of our customers, we seek to develop a multifactor authentication framework using one knowledge factor (something you know) and one possession factor (something you have). Options for both factors are currently under discussion We seek your input. Page 10

framework using one knowledge factor (something you know) and one possession factor

Briefly describe the #1 problem you have encountered with implementing Multi-Factor Authentication.

Polling Question Briefly describe the #1 problem you have encountered with implementing Multi-Factor Authentication. Please type in your response. This poll will close promptly at 1:00 pm CDT Getting the