Flexible Vetting: Using a point System to Verify Identity. Jesse Rankin & Bert Bee-Lindgren Georgia Tech InCommon Assurance Call May 6, 2015

Similar documents
Audio: This overview module contains an introduction, five lessons, and a conclusion.

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Business and Process Requirements Business Requirements mapped to downstream Process Requirements. IAM UC Davis

Using YSU Password Self-Service

Welcome to the ODE Secure Web Portal User Guide

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Can We Reconstruct How Identity is Managed on the Internet?

Brought to you by InCommon in cooperation with Internet2 and the EDUCAUSE Identity and Access Management Working Group.

GOALS (2) The goal of this training module is to increase your awareness of HSPD-12 and the corresponding technical standard FIPS 201.

Update on Identity Management Initiatives: What Are Institutions, Agencies and Federations Doing?

Are Passwords Passé?

Employee Active Directory Self-Service Quick Setup Guide

Business Banking Customer Login Experience for Enhanced Login Security

The Benefits of an Industry Standard Platform for Enterprise Sign-On

HR Deans & Directors Meeting: IAM Update. July 14, 2015 Tuesday 2:00-2:30 p.m. Mass Hall, Perkins Room

Guide for Setting Up Your Multi-Factor Authentication Account and Using Multi-Factor Authentication. Mobile App Activation

Step-up-authetication as a service

SECURITY IMPLICATIONS OF NFC IN AUTHENTICATION AND IDENTITY MANAGEMENT

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

NOAA HSPD-12 PIV-II Implementation October 23, Who is responsible for implementation of HSPD-12 PIV-II?

Identity and Access Management PI-1 Demo. December 2, 2014 Tuesday 10:00 A.M. 6 Story Street

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Adding Receipts to your Certify Wallet

Workday Mobile Security FAQ

Voice Authentication On-Demand: Your Voice as Your Key

Configuration Guide - OneDesk to SalesForce Connector

Multi-Factor Authentication for your Analytics Implementation. Siamak Ziraknejad VP, Product Management

Mobile Driver s License Solution

AllSeen Summit 2015: IoT: Taking PKI Where No PKI Has Gone Before Presented by: Scott Rea DigiCert Sr. PKI Architect ALLSEEN ALLIANCE

Cloud Security: Yesterday, Today, and Tomorrow

Identity and Access Management PI-3 Demo. June 2, 2015 Tuesday 10:00-11:00 a.m. Lamont Forum Room

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT

Entrust Secure Web Portal Solution. Livio Merlo Security Consultant September 25th, 2003

Inventory Management and Tracking System. Frequently Asked Questions

Event and Exam Attendance Made Easy Using Mobile Devices

Who s There? A Methodology for Selecting Authentication Credentials. VA-SCAN October 5, 2009 Mary Dunker dunker@vt.edu

A unique biometrics based identifier, such as a fingerprint, voice print, or a retinal scan; or

Identity and Access Management (IAM) Roadmap DRAFT v2. North Carolina State University

Element. Payment Processing. Integration of Element. using N-Site Applications 7/12/2011

Vendor Questions. esignatures Request for information InsureSign

Information Technology Policy

Identity Management Overview. Bill Nelson Vice President of Professional Services

Biometric Recognition s Role in Identity Management

Canadian Access Federation: Trust Assertion Document (TAD)

U.S. Department of State, Selects Syclo SMART Mobile Suite For Maximo

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

Multi-Factor Authentication Job Aide

What s it all about? SAFE-BioPharma Association

Deriving a Trusted Mobile Identity from an Existing Credential

June 5, 2013 Ken Klingenstein. Identity Management, the Cloud, NSTIC and Accessibility

Securing Adobe PDFs. Adobe - Certified Document Services Registration Authority (RA) Training. Enterprise Security. ID Verification Services

All your apps & data in the cloud, all in one place.

How to pull content from the PMP into Core Publisher

Distance Education Policies and Procedures

Attachment Y SaaS ITSM Demonstration and Scenarios

Stephen Hess. Jim Livingston. Program Name. IAM Executive Sponsors. Identity & Access Management Program Charter Dated 3 Jun 15

Finance Office. Related Website:

Mobility, Security and Trusted Identities: It s Right In The Palm of Your Hands. Ian Wills Country Manager, Entrust Datacard

300% increase 280 MILLION 65% re-use passwords $22 per helpdesk call Passwords can no longer protect you

IDENTITY & ACCESS. Providing Cost-Effective Strong Authentication in the Cloud. a brief for cloud service providers

NISTIC Pilot - Attribute Exchange Network. Biometric Consortium Conference

Glossary of Key Terms

FAQ Golf Canada Score Centre

Soft tokens for SMS PASSCODE SMS PASSCODE 2014

Vetting, Proofing and Registration Focus Group

Teacher Activities Page Directions

Innovations in Digital Signature. Rethinking Digital Signatures

Identity and Access Management Technical Oversight Committee

Implementing two-factor authentication: Google s experiences. Cem Paya (cemp@google.com) Information Security Team Google Inc.

Multi-Factor Authentication: All in This Together

Helpdesk

Standards for Identity & Authentication. Catherine J. Tilton 17 September 2014

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Feature and Technical Overview

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect.

Cisco Advanced Services for Network Security

Shared Services Canada (SSC)

Georgia Tech Active Directory Policy

NIST s FIPS 201: Personal Identity Verification (PIV) of Federal Employees and Contractors Masaryk University in Brno Faculty of Informatics

Identity Access Management IAM 101. Mike Conlon Director of Data Infrastructure

White Paper 2 Factor + 2 Way Authentication to Criminal Justice Information Services. Table of Contents. 1. Two Factor and CJIS

Guide for Setting Up Your Multi-Factor Authentication Account and Using Multi-Factor Authentication

Invest in security to secure investments. Breaking SAP Portal. Dmitry Chastuhin Principal Researcher at ERPScan

SELF SERVICE RESET PASSWORD MANAGEMENT SURVEY REPORT

AWS Account Management Guidance

Apache Milagro (incubating) An Introduction ApacheCon North America

Instructions to Sign On and Off of Self Service Applications. Internet Explorer 9 (IE9) Users: Turn Off Compatibility View:

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

SpringCM Troubleshooting Guide for Salesforce

1 Hitachi ID Password Manager

About the Canon Mobile Scanning MEAP Application

Life After PIV. Authentication In Federated Spaces. Presented to. Card Tech/Secure Tech. May By Lynne Prince Defense Manpower Data Center

Contents LOGIN. Order an Official Transcript National Student Clearinghouse Tutorial Page 1 of 9

Federation Are We Ready? Alec Cartwright Authentication Common Capability Design Authority

out of the availity web portal

Account Activation. Guide

Agenda. 3 of our major ini,a,ves. Overview of cloud service offering Open Data Ini,a,ve New cloud based contract

Security Best Practices for Microsoft Azure Applications

TECHNOLOGY LEADER IN GLOBAL REAL-TIME TWO-FACTOR AUTHENTICATION

Transcription:

Flexible Vetting: Using a point System to Verify Identity Jesse Rankin & Bert Bee-Lindgren Georgia Tech InCommon Assurance Call May 6, 2015

Agenda History Theory Practice Future

Vetting at Georgia Tech Self-service password recovery, v1 Same Security for everyone A Google incident cannot lead to a FERPA report GT Registrar Security Question, Shared secret, Repeat è Low success, helpdesk rates still high Pressures to improve Affiliation growth, far beyond students & employees Parents, applicants, guests, alumni, former employees, retirees, online students, etc Competition Beyond kneejerk My bank is easier than this Continuing-education alternatives Separate alumni accounts

What we learned Vetting security should be proportional to the account s access Email verification or Several rounds of questions Or, sometimes, in-person process is required Affiliations approximate security requirements Many password-recovery processes Self Service, IT Helpdesk, Registrar, PE, Delegated Admins Endless conversations can actually lead somewhere General agreement quickly, the rest took 2.5 years

Theory: An Approach Assemble questions from many places Enterprise: SIS, HRMS, Data Warehouse Alumni BuzzCard Housing Identity Score the questions Security value Difficulty - Phone (voice/text) - Email - Address (MC) - Plain answer Security levels assigned to Affiliations & Apps (Vetting disabled for some people)

Result: Flexible Vetting SelfService Claiming SelfService Recovery HelpDesk Phone Recovery BuzzCard PhotoID Verification PhotoID Upload Vetting APIs Vetting Points & Rules SIS HRMS... Identity

Demo: Start

Demo: Account Claiming

Account Claiming Demo: Search

Vetting Demo: Pick Account

Vetting Demo: Phone & Email

Vetting Demo: Email/Phone PIN

Vetting Demo: More Questions

Vetting Demo: Success

Vetting Demo: Not Enough Points

Vetting Demo: PhotoID Upload

Vetting Demo: Phone Support

Buzzcard Issuance & Vetting Problem: Applicants have lower vetting requirement than Students Accounts don t magically become more secure Solution: Piggyback on BuzzCard process: ID Checking Mark account vetting_strength=100 after Student with PhotoID enters Password

BuzzCard Issuance, 3 Steps 1. Photo ID Check Barcoded receipt after PhotoID is checked 2. Kiosk User scans Receipt, enters Account Password 3. BuzzCard Desk Uses receipt, takes picture and prints card

Future More data sources Social & InCommon account binding Browser cookies... Alumni: Full vs Partial Access Remote Students Security requirement Compute from Account s privileges (instead of epa) Consider recent authentication requests MFA (NOT: Using token as a recovery question) Lower vetting requirements of MFA-protected accounts? BuzzCard issuance, v3 Phone-a-friend

Providing Comments on NIST 800-63- 2 JACOB FARMER CHAIR, ASSURANCE ADVISORY COMMITTEE

Please browse to: h.p://csrc.nist.gov/groups/st/ eauthen:ca:on/sp800-63- 2_call- comments.html Or h.p://1.usa.gov/1cgnc8p (these go to the same page)

What schemas for establishing iden:ty assurance have proven effec:ve in providing an appropriate amount of security, privacy, usability, and trust based on the risk level of the online service or transac:on? How do they differen:ate trust based on risk? How is interoperability of divergent iden:ty solu:ons facilitated?

Could iden:ty assurance processes and technologies be separated into dis:nct components? If so, what should the components be and how would this provide appropriate level of iden:ty assurance?

What innova:ve approaches are available to increase confidence in remote iden:ty proofing? If possible, please share any performance metrics to corroborate increased confidence levels.

What privacy considera:ons arising from iden:ty assurance should be included in the revision? Are there specific privacy- enhancing technologies, requirements or architectures that should be considered?

What requirements, processes, standards, or technologies are currently excluded from 800-63- 2 that should be considered for future inclusion?

Should a representa:on of the confidence level in a.ributes be standardized in order to assist in making authoriza:on decisions? What form should that representa:on take?

What methods can be used to increase the trust or assurance level (some:mes referred to as trust eleva:on ) of an authen:cated iden:ty during a transac:on? If possible, please share any performance metrics to corroborate the efficacy of the proposed methods.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information