How Secure is Authentication?


1 FIDO U2F & UAF Tutorial

2 How Secure is Authentication? (chart of breach figures, labelled in millions and billions, by month: March, April, May, Oct, Dec)

3 Cloud Authentication

4 Password Issues
  1 Password might be entered into an untrusted App / Web-site (phishing)
  2 Password could be stolen from the server
  3 Too many passwords to remember → re-use / cart abandonment
  4 Inconvenient to type a password on a phone

5 OTP Issues
  1 OTP vulnerable to real-time MITM and MITB attacks
  2 SMS security questionable, especially when the device is the phone
  3 OTP HW tokens are expensive and people don't want another device
  4 Inconvenient to type an OTP on a phone

6 Implementation Challenge: A Plumbing Problem (diagram: User Verification Methods, Applications and Organizations are wired together through separate silos, Silo 1, Silo 2, Silo 3 ... Silo N; a new method or application is marked "?" because it fits no existing silo)

7 Authentication Needs
  Do you want to login?
  Do you want to transfer $100 to Frank?
  Do you want to ship to a new address?
  Do you want to delete all of your e-mails?
  Do you want to share your dental record?
  Authentication today: ask the user for a password (and perhaps a one-time code)

8 Authentication & Risk Engines (diagram: the Authentication Server feeds the Risk Engine with the purpose of the request, the geolocation derived from the IP address, and the result of the explicit authentication)

9 Summary
  1. Passwords are insecure and inconvenient, especially on mobile devices
  2. Alternative authentication methods are silos and hence don't scale to large user populations
  3. The required security level of the authentication depends on the use
  4. Risk engines need information about the explicit authentication's security to make good decisions

10 How does FIDO work? (diagram: Device)

11 Experiences
  Passwordless experience (UAF standards): online auth request → local user verification (show a biometric or PIN; optionally review the transaction detail) → success → done
  Second-factor experience (U2F standards): login & password → online auth request → insert dongle, press button → success → done

12 Universal 2nd Factor (U2F)

13 How does U2F work? (diagram) The authenticator can verify user presence.

14 How does U2F work? What the relying party learns: Is a user present? Is this the same authenticator as registered before? (The authenticator can verify user presence.)

15 How does UAF work? Identity binding is done outside FIDO ("this is John Doe with customer ID X"). What the relying party learns: Is this the same user as enrolled before? Is this the same authenticator as registered before? The authenticator can recognize the user (i.e. user verification), but does not hold an identity proof of the user.

16 How does U2F work? How is the key protected? The authenticator can verify user presence.

17 U2F Protocol
  Core idea: standard public key cryptography:
    o The user's device mints a new key pair and gives the public key to the server
    o The server asks the user's device to sign data to verify the user
    o One device, many services; "bring your own device" enabled
  Lots of refinement for this to be consumer facing:
    o Privacy: site-specific keys, no unique ID per device
    o Security: no phishing, no man-in-the-middle
    o Trust: verify who made the device
    o Pragmatics: affordable today, ride the hardware cost curve down
    o Speed for the user: fast crypto in the device (elliptic curve)
  Think "smartcard re-designed for the modern consumer web"

18 U2F Registration (Relying Party, Client / Browser, U2F Authenticator)
  Relying Party → Client / Browser: AppID, challenge
  Client / Browser: check the AppID; a = application parameter derived from the AppID; fc = client data (challenge, origin, channel id, etc.)
  Client / Browser → Authenticator: a, fc
  Authenticator: generate key pair k_pub / k_priv and key handle h; s = signature(a, fc, k_pub, h)
  Authenticator → Client / Browser: k_pub, h, attestation cert, s
  Client / Browser → Relying Party: fc, k_pub, h, attestation cert, s
  Relying Party (in the cookie-authenticated session): store key k_pub and handle h for the user

19 U2F Authentication (Relying Party, Client / Browser, U2F Authenticator)
  Relying Party → Client / Browser: handle h, AppID, challenge
  Client / Browser: check the AppID; a and fc as in registration (challenge, origin, channel id, etc.)
  Client / Browser → Authenticator: h, a, fc
  Authenticator: retrieve key k_priv from handle h; cntr++; s = signature(a, fc, cntr)
  Authenticator → Client / Browser: cntr, s
  Client / Browser → Relying Party: cntr, fc, s
  Relying Party: retrieve key k_pub from handle h; check the signature s using k_pub; set the session cookie

20 User Presence API: Registration
  clientData (the fc that the authenticator signs):
    {
      "typ": "register",
      "challenge": "KSDJsdASAS-AIS_AsS",
      "cid_pubkey": {
        "kty": "ec",
        "crv": "p-256",
        "x": "hzqwlfxx7q4s5mtcrmzpo9toywjbqrl4tj8",
        "y": "xvgugflizx1fxg375hi4-7-BxhMljw42Ht4"
      },
      "origin": "…"
    }
  Browser call:
    navigator.handleRegistrationRequest({
      challenge: "KSDJsdASAS-AIS_AsS",
      app_id: "…"
    }, callback);
    callback = function(response) {
      sendToServer(response["clientData"], response["tokenData"]);
    };

21 User Presence API: Authentication
  clientData:
    {
      "typ": "authenticate",
      "challenge": "KSDJsdASAS-AIS_AsS",
      "cid_pubkey": {
        "kty": "ec",
        "crv": "p-256",
        "x": "hzqwlfxx7q4s5mtcrmzpo9toywjbqrl4tj8",
        "y": "xvgugflizx1fxg375hi4-7-BxhMljw42Ht4"
      },
      "origin": "…"
    }
  Browser call:
    navigator.handleAuthenticationRequest({
      challenge: "KSDJsdASAS-AIS_AsS",
      app_id: "…",
      key_handle: "JkjhdsfkjSDFKJ_ld-sadsajdklsad"
    }, callback);
    callback = function(response) {
      sendToServer(response["clientData"], response["tokenData"]);
    };

22-25 Authentication Example (screenshots)

26 Universal Authentication Framework (UAF)

27 Experiences: same as slide 11.

28 How does UAF work? (diagram: Authenticator with SE)

29-30 How does UAF work? Identity binding is done outside FIDO ("this is John Doe with customer ID X"). What the relying party learns: Is this the same user as enrolled before? Is this the same authenticator as registered before? The authenticator can recognize the user (i.e. user verification), but does not hold an identity proof of the user.

31 How does UAF work? How is the key protected (TPM, SE, TEE, ...)? What user verification method is used?

32 Attestation & Metadata (diagram)
  Authenticator → Server: signed attestation object
  Server: verify it using the trust anchor included in the Metadata; understand the authenticator's security characteristics by looking into the Metadata (and potentially other sources)

33-44 UAF Registration (one flow, built up across twelve slides; parties: Relying Party with Web Server, and the user's Device with the Authenticator)
  0 Prepare
  1 Legacy Auth + Initiate Reg. (device → web server)
  2 Reg. Request + Policy (web server → device); UI: "Pat Johnson: Link your fingerprint"
  3 Verify User & Generate New Key Pair (specific to the RP webapp)
  4 Reg. Response (device → web server), carrying the Key Registration Data:
      Hash(FinalChallenge), AAID, Public key, KeyID, Registration Counter, Signature Counter, Signature (with the attestation key)
      FinalChallenge = Hash(AppID | FacetID | tlsdata | challenge)
  5 Success

45 Building Blocks (diagram)
  User device: Browser / App, FIDO Client, ASM, Authenticator (holding the Authentication keys and the Attestation key)
  Relying party: Web Server (TLS server key), FIDO Server (cryptographic authentication key reference DB; Authenticator Metadata & attestation trust store)
  The UAF protocol runs between Browser / App and Web Server; the FIDO Server receives updates from the Metadata Service

46 AAID & Attestation
  AAID: Authenticator Attestation ID (= model name)
  Authenticator model 1, using HW-based crypto, based on FP sensor X → AAID 1, Attestation Key 1
  Authenticator model 2, pure SW-based implementation, based on face recognition algorithm Y → AAID 2, Attestation Key 2

47 Privacy & Attestation (diagram): Bob's authenticator (Model A, using HW-based crypto, based on FP sensor X, with its own serial number) registers at the servers of RP1 and RP2; each server learns only "Model A", never the serial number

48 Attestation & Metadata: same as slide 32.

49 Facet ID / AppID (diagram)

50-60 UAF Authentication (one flow, built up across eleven slides; parties: Relying Party with Web Server, and the user's Device with the Authenticator)
  0 Prepare
  1 Initiate Authentication (device → web server)
  2 Auth. Request with Challenge (web server → device); UI: "Just a sec, our secure payment technology is working its magic."
  3 Verify User & Sign Challenge (key specific to the RP webapp); UI shows the shipping details: Pat Johnson, 650 Castro Street, Mountain View, CA, United States
  4 Auth. Response (device → web server), carrying the SignedData:
      SignatureAlg, Hash(FinalChallenge), Authenticator random, Signature Counter, Signature
      FinalChallenge = Hash(AppID | FacetID | tlsdata | challenge)
  5 Success; UI: "Pat Johnson, payment complete! Return to the merchant's web site to continue shopping."

61 Transaction Confirmation (Device: Browser or Native app, Authenticator; Relying Party: Web Server)
  1 Initiate Transaction
  2 Authentication Request + Transaction Text
  3 Display Text, Verify User & Unlock Private Key (specific to User + RP webapp)
  4 Authentication Response + Text Hash, signed by the user's private key
  5 Validate Response & Text Hash using the user's public key

62 Transaction Confirmation: same flow; the Authentication Response carries the SignedData:
  SignatureAlg, Hash(FinalChallenge), Authenticator random, Signature Counter, Hash(Transaction Text), Signature
  FinalChallenge = Hash(AppID | FacetID | tlsdata | challenge)

63 The Authenticator Concept (diagram)
  Authenticator components: User Verification / Presence; Attestation Key (injected at manufacturing, doesn't change); Authentication Key(s) (generated at runtime, on registration); optional component: Transaction Confirmation Display

64 Using Secure Hardware: Authenticator in a SIM Card. User verification by PIN; the SIM card holds the Attestation Key and the Authentication Key(s).

65 Client-Side Biometrics: Trusted Execution Environment (TEE) with the Authenticator as a Trusted Application (TA). User Verification / Presence: the biometric reference is stored at enrollment and compared at authentication; the Attestation Key and Authentication Key(s) are unlocked after a successful comparison.

66 Combining TEE and SE: Trusted Execution Environment (TEE) with the Authenticator as a Trusted Application (TA), using e.g. GlobalPlatform Trusted UI for User Verification / Presence and the Transaction Confirmation Display; the Secure Element holds the Attestation Key and the Authentication Key(s).

67 UAF Specifications

68 FIDO & Federation

69-70 (figures) Source: Paul Madsen, Seminar, May 2014

71 Complementary
  FIDO:
    o Insulates the authentication server from specific authenticators
    o Focused solely on primary authentication
    o Does not support attribute sharing
    o Can communicate details of the authentication to the server
  Federation:
    o Insulates applications from identity providers
    o Does not address primary authentication
    o Does enable secondary authentication & attribute sharing
    o Can communicate details of the authentication from IdP to SP
  Source: Paul Madsen, Seminar, May 2014

72 FIDO & Federation (diagram)
  First mile: User Device (Browser / App, FIDO Client, Authenticator) ↔ IdP (Federation Server, FIDO Server, Id DB) over the UAF protocol; the FIDO Server knows details about the authentication strength
  Second mile: IdP ↔ Service Provider over federation; the IdP knows details about the identity and its verification strength

73-75 FIDO & Federation (charts plotting assurance, low to high, against frequency of login, high to low, with the points status quo, federation, FIDO and FIDO + federation; annotations "SSO slide" and "No more Password123 bump"; slide 74 labels the range the "Assurance Continuum") Source: Paul Madsen, Seminar, May 2014

76 FIDO at Industry Event: Readiness
  SIM as Secure Element; Fingerprint, TEE, Mobile; Speaker Recognition; Mobile via NFC; PIN + MicroSD; USB

77 FIDO Ready™ Products: shipping today
  OEM enabled: Samsung Galaxy S5 smartphone & Galaxy Tab S tablets
  OEM enabled: Lenovo ThinkPads with fingerprint sensors
  Clients available for these operating systems: (logos)
  Software authenticator examples: speaker/face recognition, PIN, QR code, etc.
  Aftermarket hardware authenticator examples: USB fingerprint scanner, MicroSD secure element

78 FIDO is used Today

79 Conclusion
  Different authentication use-cases lead to different authentication requirements
  Today, we have authentication silos
  FIDO separates user verification from the authentication protocol and hence supports all user verification methods
  FIDO supports scalable security and convenience
  User verification data is known to the Authenticator only
  FIDO complements federation
  → Consider developing or piloting FIDO-based authentication solutions
  Dr. Rolf Lindemann, Nok Nok Labs


More information

True Identity solution

True Identity solution Identify yourself securely. True Identity solution True Identity authentication and authorization for groundbreaking security across multiple applications including all online transactions Biogy Inc. Copyright

More information

Procedure for How to Enroll for Digital Signature

Procedure for How to Enroll for Digital Signature Procedure for How to Enroll for Digital Signature In Online Processing System getting to implement Digital Signature and Electronic Token for security and Authentication Purpose. For that bidder must have

More information

Is Consumer-Oriented Strong Authentication Finally Here to Stay? Arshad Noor, CTO, StrongAuth, Inc. Professional Strategies S22

Is Consumer-Oriented Strong Authentication Finally Here to Stay? Arshad Noor, CTO, StrongAuth, Inc. Professional Strategies S22 Is Consumer-Oriented Strong Authentication Finally Here to Stay? Arshad Noor, CTO, StrongAuth, Inc. Professional Strategies S22 Historical Perspective Password-based authentication invented at least 4-5

More information

View from a European Trust Service Provider Server Signing: Return of experience and certification strategy

View from a European Trust Service Provider Server Signing: Return of experience and certification strategy View from a European Trust Service Provider Server Signing: Return of experience and certification strategy January 16, 2014 - Berlin Thibault de Valroger VP Strategy & Development OPENTRUST Thibault.devalroger@opentrust.com

More information

A STRONG IDENTITY IN THE ONLINE FINANCIAL WORLD OF TOMORROW

A STRONG IDENTITY IN THE ONLINE FINANCIAL WORLD OF TOMORROW A STRONG IDENTITY IN THE ONLINE FINANCIAL WORLD OF TOMORROW July 2012 WHITEPAPER BY MARK BAAIJENS, MANAGING CONSULTANT FOR THE PAYMENT COMPETENCE CENTER Author Mark finished his Master of Science degree

More information

SECUREAUTH IDP AND OFFICE 365

SECUREAUTH IDP AND OFFICE 365 WHITEPAPER SECUREAUTH IDP AND OFFICE 365 STRONG AUTHENTICATION AND SINGLE SIGN-ON FOR THE CLOUD-BASED OFFICE SUITE EXECUTIVE OVERVIEW As more and more enterprises move to the cloud, it makes sense that

More information

Blending Embedded Hardware OTP, SSO, and Out of Band Auth for Secure Cloud Access

Blending Embedded Hardware OTP, SSO, and Out of Band Auth for Secure Cloud Access Blending Embedded Hardware OTP, SSO, and Out of Band Auth for Secure Cloud Access Vikas Jain Director, Product Management Intel Corporation Jesper Tohmo CTO, Nordic Edge (an Intel company) Session ID:

More information

MOBILE VOICE BIOMETRICS MEETING THE NEEDS FOR CONVENIENT USER AUTHENTICATION. A Goode Intelligence white paper sponsored by AGNITiO

MOBILE VOICE BIOMETRICS MEETING THE NEEDS FOR CONVENIENT USER AUTHENTICATION. A Goode Intelligence white paper sponsored by AGNITiO MOBILE VOICE BIOMETRICS MEETING THE NEEDS FOR CONVENIENT USER AUTHENTICATION A Goode Intelligence white paper sponsored by AGNITiO First Edition September 2014 Goode Intelligence All Rights Reserved Sponsored

More information

The Convergence of IT Security and Physical Access Control

The Convergence of IT Security and Physical Access Control The Convergence of IT Security and Physical Access Control Using a Single Credential to Secure Access to IT and Physical Resources Executive Summary Organizations are increasingly adopting a model in which

More information

Security and Usability

Security and Usability Security and Usability David Hunt: DCH Technology Services A Financial Services View Active Security Passive Security Technologies Impact on Users Big Data Consumer context, do we know you? Active Security

More information

Using Authorize.net for Credit Card Processing in YogaReg

Using Authorize.net for Credit Card Processing in YogaReg Using Authorize.net for Credit Card Processing in YogaReg 1. Obtain a credit card merchant account. If you already process credit cards via a terminal, you already have one. You can contact your bank,

More information

AUTHENTIFIERS. Authentify Authentication Factors for Constructing Flexible Multi-Factor Authentication Processes

AUTHENTIFIERS. Authentify Authentication Factors for Constructing Flexible Multi-Factor Authentication Processes AUTHENTIFIERS Authentify Authentication Factors for Constructing Flexible Multi-Factor Authentication Processes Authentify delivers intuitive and consistent authentication technology for use with smartphones,

More information

TrustedX: eidas Platform

TrustedX: eidas Platform TrustedX: eidas Platform Identification, authentication and electronic signature platform for Web environments. Guarantees identity via adaptive authentication and the recognition of either corporate,

More information

Evaluation and Implementation of SQRL and U2F as 2 nd Factor Authenticators for CERN Single Sign-On

Evaluation and Implementation of SQRL and U2F as 2 nd Factor Authenticators for CERN Single Sign-On Evaluation and Implementation of SQRL and U2F as 2 nd Factor Authenticators for CERN Single Sign-On September 2015 Author: Azqa Nadeem Supervisors: Vincent Brillault Stefan Lueders CERN Openlab Summer

More information

Standards for Identity & Authentication. Catherine J. Tilton 17 September 2014

Standards for Identity & Authentication. Catherine J. Tilton 17 September 2014 Standards for Identity & Authentication Catherine J. Tilton 17 September 2014 Purpose of these standards Wide deployment of authentication technologies that may be used in a global context is heavily dependent

More information

Identity Management. Prof Audun Jøsang Department of Informatics University of Oslo. Finse May 2014

Identity Management. Prof Audun Jøsang Department of Informatics University of Oslo. Finse May 2014 Identity Management Prof Audun Jøsang Department of Informatics University of Oslo Finse May 2014 The concept of identity Entities have Identities consist of Attributes Systems Persons A B C Names, Identifiers

More information

Mobile multifactor security

Mobile multifactor security Mobile multifactor security A revolution in authentication and digital signing Mobile multifactor security A revolution in authentication and digital signing Smartphones will continue to ship in high volumes,

More information

Advanced Authentication

Advanced Authentication White Paper Advanced Authentication Introduction In this paper: Introduction 1 User Authentication 2 Device Authentication 3 Message Authentication 4 Advanced Authentication 5 Advanced Authentication is

More information

Understanding the Role of Smart Cards for Strong Authentication in Network Systems. Bryan Ichikawa Deloitte Advisory

Understanding the Role of Smart Cards for Strong Authentication in Network Systems. Bryan Ichikawa Deloitte Advisory Understanding the Role of Smart Cards for Strong Authentication in Network Systems Bryan Ichikawa Deloitte Advisory Overview This session will discuss the state of authentication today, identify some of

More information

Strong Authentication for Secure VPN Access

Strong Authentication for Secure VPN Access Strong Authentication for Secure VPN Access Solving the Challenge of Simple and Secure Remote Access W H I T E P A P E R EXECUTIVE SUMMARY In today s competitive and efficiency-driven climate, organizations

More information

FIDO: Fast Identity Online Alliance Privacy Principles Whitepaper vfeb2014

FIDO: Fast Identity Online Alliance Privacy Principles Whitepaper vfeb2014 FIDO: Fast Identity Online Alliance Privacy Principles Whitepaper vfeb2014 The FIDO Alliance: Privacy Principles Whitepaper Page 1 of 7 FIDO Privacy Principles Introduction The FIDO Alliance is a non-profit

More information

French Justice Portal. Authentication methods and technologies. Page n 1

French Justice Portal. Authentication methods and technologies. Page n 1 French Justice Portal Authentication methods and technologies n 1 Agenda Definitions Authentication methods Risks and threats Comparison Summary Conclusion Appendixes n 2 Identification and authentication

More information

Mobile Identity: Improved Cybersecurity, Easier to Use and Manage than Passwords. Mika Devonshire Associate Product Manager

Mobile Identity: Improved Cybersecurity, Easier to Use and Manage than Passwords. Mika Devonshire Associate Product Manager Mobile Identity: Improved Cybersecurity, Easier to Use and Manage than Passwords Mika Devonshire Associate Product Manager 1 Agenda 2 What is Cybersecurity? Quick overview of the core concepts 3 Cybercrime

More information

Multi Factor Authentication API

Multi Factor Authentication API GEORGIA INSTITUTE OF TECHNOLOGY Multi Factor Authentication API Yusuf Nadir Saghar Amay Singhal CONTENTS Abstract... 3 Motivation... 3 Overall Design:... 4 MFA Architecture... 5 Authentication Workflow...

More information

WHITE PAPER AUGUST 2014. Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords

WHITE PAPER AUGUST 2014. Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords WHITE PAPER AUGUST 2014 Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords 2 WHITE PAPER: PREVENTING SECURITY BREACHES Table of Contents on t Become the Next Headline

More information

QR-CODE BASED NON-REPUDIATION TRANSACTION VERIFICATION SYSTEM

QR-CODE BASED NON-REPUDIATION TRANSACTION VERIFICATION SYSTEM QR-CODE BASED NON-REPUDIATION TRANSACTION VERIFICATION SYSTEM Jakub Nantl 1 1 Silesian University in Opava, School of Business Administration in Karvina, Univerzitní nám. 1934/3, 733 40 Karviná Email:

More information

Web Payment Security. A discussion of methods providing secure communication on the Internet. Zhao Huang Shahid Kahn

Web Payment Security. A discussion of methods providing secure communication on the Internet. Zhao Huang Shahid Kahn Web Payment Security A discussion of methods providing secure communication on the Internet Group Members: Peter Heighton Zhao Huang Shahid Kahn 1. Introduction Within this report the methods taken to

More information

International Journal of Software and Web Sciences (IJSWS) www.iasir.net

International Journal of Software and Web Sciences (IJSWS) www.iasir.net International Association of Scientific Innovation and Research (IASIR) (An Association Unifying the Sciences, Engineering, and Applied Research) ISSN (Print): 2279-0063 ISSN (Online): 2279-0071 International

More information

Article. Electronic Notary Practices. Copyright Topaz Systems Inc. All rights reserved.

Article. Electronic Notary Practices. Copyright Topaz Systems Inc. All rights reserved. Article Electronic Notary Practices Copyright Topaz Systems Inc. All rights reserved. For Topaz Systems, Inc. trademarks and patents, visit www.topazsystems.com/legal. Table of Contents Key Features and

More information

Mobile Electronic Payments

Mobile Electronic Payments Chapter 7 Mobile Electronic Payments 7.1 Rationale and Motivation Mobile electronic payments are rapidly becoming a reality. There is no doubt that users of mobile phones are willing and even asking to

More information

YubiKey Integration for Full Disk Encryption

YubiKey Integration for Full Disk Encryption YubiKey Integration for Full Disk Encryption Pre-Boot Authentication Version 1.2 May 7, 2012 Introduction Disclaimer yubico Yubico is the leading provider of simple, open online identity protection. The

More information

Brainloop Secure Dataroom Version 8.30. QR Code Scanner Apps for ios Version 1.1 and for Android

Brainloop Secure Dataroom Version 8.30. QR Code Scanner Apps for ios Version 1.1 and for Android Brainloop Secure Dataroom Version 8.30 QR Code Scanner Apps for ios Version 1.1 and for Android Quick Guide Brainloop Secure Dataroom Version 8.30 Copyright Brainloop AG, 2004-2015. All rights reserved.

More information

2-FACTOR AUTHENTICATION FOR MOBILE APPLICATIONS: INTRODUCING DoubleSec

2-FACTOR AUTHENTICATION FOR MOBILE APPLICATIONS: INTRODUCING DoubleSec 2-FACTOR AUTHENTICATION FOR MOBILE APPLICATIONS: INTRODUCING DoubleSec TECHNOLOGY WHITEPAPER DSWISS LTD INIT INSTITUTE OF APPLIED INFORMATION TECHNOLOGY JUNE 2010 V1.0 1 Motivation With the increasing

More information

Android pay. Frequently asked questions

Android pay. Frequently asked questions Android pay Frequently asked questions June 2015 Android Pay - FAQs In May 2015, Android Pay was announced by Google. Android Pay is Google s payments solution that allows consumers to do in-store and

More information

Federated Identity and Single-Sign On

Federated Identity and Single-Sign On CS 6393 Lecture 5 Federated Identity and Single-Sign On Prof. Ravi Sandhu Executive Director and Endowed Chair February 15, 2013 ravi.sandhu@utsa.edu www.profsandhu.com Ravi Sandhu 1 The Web Today User

More information

Why Identity Management. Identity Management. What We Cover. Role of Digital Identity. Digital Identity. Digital Identity (or network identity)

Why Identity Management. Identity Management. What We Cover. Role of Digital Identity. Digital Identity. Digital Identity (or network identity) Why Identity Management Identity Management Claudiu Duma Identity crisis Privacy concerns Identity theft Terrorist threat Department of Computer and Information Science cladu@ida.liu.se What We Cover Digital

More information

Software Token Security & Provisioning: Innovation Galore!

Software Token Security & Provisioning: Innovation Galore! Software Token Security & Provisioning: Innovation Galore! Kenn Min Chong, Principal Product Manager SecurID, RSA Emily Ryan, Security Solution Architect, Intel Michael Lyman, Product Marketing Manager,

More information

TIB 2.0 Administration Functions Overview

TIB 2.0 Administration Functions Overview TIB 2.0 Administration Functions Overview Table of Contents 1. INTRODUCTION 4 1.1. Purpose/Background 4 1.2. Definitions, Acronyms and Abbreviations 4 2. OVERVIEW 5 2.1. Overall Process Map 5 3. ADMINISTRATOR

More information

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure) Cryptelo Drive Cryptelo Drive is a virtual drive, where your most sensitive data can be stored. Protect documents, contracts, business know-how, or photographs - in short, anything that must be kept safe.

More information

XYPRO Technology Brief: Stronger User Security with Device-centric Authentication

XYPRO Technology Brief: Stronger User Security with Device-centric Authentication Ken Scudder Senior Director Business Development & Strategic Alliances XYPRO Technology Talbot A. Harty CEO DeviceAuthority XYPRO Technology Brief: Stronger User Security with Device-centric Authentication

More information

White Paper. FFIEC Authentication Compliance Using SecureAuth IdP

White Paper. FFIEC Authentication Compliance Using SecureAuth IdP White Paper FFIEC Authentication Compliance Using SecureAuth IdP September 2015 Introduction Financial institutions today face an important challenge: They need to comply with guidelines established by

More information

Glossary of Key Terms

Glossary of Key Terms and s Branch Glossary of Key Terms The terms and definitions listed in this glossary are used throughout the s Package to define key terms in the context of. Access Control Access The processes by which

More information