OpenID & Strong Authentication




OpenID & Strong Authentication
CTST 2009: Emerging Technology, D14: Smart Cards, Tokens & Digital Identity
May 5, 2009
Brian Kelly, Vice President, TrustBearer Labs

Slide 2: Simplify
Multi-factor authentication can be made easier to use and implement by utilizing Web Single Sign-On (SSO) standards such as SAML.

Slide 3: SAML compared with OpenID
SAML:
- Enterprise focused
- Bulk provisioning (on-the-fly supported)
- Identity Provider is internal to the organization (typically)
- Commercial and open-source (OS) products available
OpenID:
- Consumer focused
- On-the-fly provisioning
- Many identity providers available online for consumers to choose from
- Mostly open-source, and COTS services

Slide 4: How does SAML work?
Diagram: the user opens the login web page; the SAML Identity Provider authenticates the user (against LDAP or another authentication source) and creates signed assertions; the SAML Service Providers (the consumers: App 1, App 2, App 3) verify the signed assertions, and the user is logged in to the web app.
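The two boxes in that diagram, "creates signed assertions" and "verifies signed assertions", are where the security of the flow lives. The following Go program is an added example (not code from the deck or from TrustBearer) that models both sides. It is a simplification: the assertion is JSON signed with ECDSA rather than XML with an XML-DSig signature, and the entity IDs, the user name and the key handling are constructed for the example. The checks on the Service Provider side are the ones a real SAML consumer must perform: signature from a trusted issuer, audience restriction, validity window, and one-time use of the assertion ID to stop replay. The AuthnContext value is a real SAML 2.0 authentication context class URI, which is how the "end-point authentication is agnostic of SSO standard" point later in the deck is carried in SAML.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is a JSON stand-in for a SAML assertion (constructed for this example).
// The fields an SP must check are the same as in real SAML: issuer, subject,
// audience, validity window, a unique ID, and how the user authenticated.
type Assertion struct {
	ID           string    `json:"id"`
	Issuer       string    `json:"issuer"`
	Subject      string    `json:"subject"`
	Audience     string    `json:"audience"`
	NotBefore    time.Time `json:"not_before"`
	NotOnOrAfter time.Time `json:"not_on_or_after"`
	AuthnContext string    `json:"authn_context"` // SAML authentication context class URI
}

// IdentityProvider is the "creates signed assertions" box.
type IdentityProvider struct {
	EntityID string
	key      *ecdsa.PrivateKey
}

func NewIdentityProvider(entityID string) (*IdentityProvider, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IdentityProvider{EntityID: entityID, key: key}, nil
}

// Issue encodes an assertion for one SP (the audience) and signs exactly those bytes.
func (idp *IdentityProvider) Issue(subject, audience, authnContext string, now time.Time) (payload, sig []byte, err error) {
	idBytes := make([]byte, 16)
	if _, err = rand.Read(idBytes); err != nil {
		return nil, nil, err
	}
	a := Assertion{
		ID: fmt.Sprintf("_%x", idBytes), Issuer: idp.EntityID, Subject: subject, Audience: audience,
		NotBefore:    now.Add(-1 * time.Minute), // small clock-skew allowance
		NotOnOrAfter: now.Add(5 * time.Minute),  // short lifetime keeps the replay window small
		AuthnContext: authnContext,
	}
	if payload, err = json.Marshal(a); err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(payload)
	sig, err = ecdsa.SignASN1(rand.Reader, idp.key, digest[:])
	return payload, sig, err
}

// ServiceProvider is the "verifies signed assertions" box (App 1, App 2, App 3).
type ServiceProvider struct {
	EntityID string
	trusted  map[string]*ecdsa.PublicKey // issuer entity ID -> verification key
	seen     map[string]time.Time        // consumed assertion IDs -> their expiry
}

func NewServiceProvider(entityID string, idps ...*IdentityProvider) *ServiceProvider {
	sp := &ServiceProvider{EntityID: entityID, trusted: map[string]*ecdsa.PublicKey{}, seen: map[string]time.Time{}}
	for _, idp := range idps {
		sp.trusted[idp.EntityID] = &idp.key.PublicKey
	}
	return sp
}

// Consume runs every check an SP must pass before logging the user in.
func (sp *ServiceProvider) Consume(payload, sig []byte, now time.Time) (Assertion, error) {
	var a Assertion
	if err := json.Unmarshal(payload, &a); err != nil {
		return a, err
	}
	pub, ok := sp.trusted[a.Issuer]
	if !ok {
		return a, errors.New("assertion from an IdP this SP does not trust")
	}
	digest := sha256.Sum256(payload) // verify over the raw bytes, not the parsed struct
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return a, errors.New("signature does not verify: assertion forged or altered")
	}
	if a.Audience != sp.EntityID {
		return a, errors.New("assertion was issued for a different service provider")
	}
	if now.Before(a.NotBefore) || !now.Before(a.NotOnOrAfter) {
		return a, errors.New("assertion outside its validity window")
	}
	for id, exp := range sp.seen { // forget IDs that can no longer be replayed anyway
		if !now.Before(exp) {
			delete(sp.seen, id)
		}
	}
	if _, dup := sp.seen[a.ID]; dup {
		return a, errors.New("assertion replayed")
	}
	sp.seen[a.ID] = a.NotOnOrAfter
	return a, nil
}

func main() {
	idp, _ := NewIdentityProvider("https://idp.example.org")
	app1 := NewServiceProvider("https://app1.example.com", idp)
	now := time.Now()
	payload, sig, _ := idp.Issue("alice", app1.EntityID, "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI", now)
	a, err := app1.Consume(payload, sig, now)
	fmt.Println("first use:", a.Subject, a.AuthnContext, err)
	_, err = app1.Consume(payload, sig, now)
	fmt.Println("second use:", err)
}
```

The replay cache is what makes the short validity window effective: without it, an assertion captured in transit can be reused until NotOnOrAfter. In production the cache has to be shared across all SP instances, and the SP also needs to verify the signature of the whole response message, not just the assertion inside it.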

Slide 5: How does OpenID work?
Diagram: the user opens the consumer web app's login page; the web app (the OpenID Relying Party, or consumer) verifies the user's previously enrolled OpenID; the user authenticates to the IdP and enables the account to be used with the consumer site; the user is logged in to the web app.

Slide 6: End-point authentication is agnostic of SSO standard
All methods can be supported by SAML or OpenID:
- name / password
- one-time password (OTP) tokens
- smart cards (e.g. PIV, CAC, FRAC)
- TPM
- client digital certificates
- information cards
- biometrics
- image verification

Slide 7: Identity Provider offers endpoint authentication options
- Google, Yahoo, AOL: password
- myOpenID: password, phone verify, client certificate, info card
- VeriSign PIP: OTP, client certificate, info card, EV SSL
- TrustBearer: smart cards (CAC, PIV, etc.), biometrics
- Vidoop: image recognition (CAPTCHA)
The IdP can specify the authentication methods used to the RP, which can even request preferences.

Slide 8: What authentication method to choose?

Slide 9: Required Protections for OMB's E-Authentication Assurance Levels
Table (rows: threats to protect against; columns: Level 1, Level 2, Level 3, Level 4):
- On-line guessing
- Replay
- Eavesdropper
- Verifier impersonation
- Man-in-the-middle
- Session hijacking
From NIST SP 800-63, p. 39

Slide 10: Token Types Allowed at Each Assurance Level
Table (rows: token types; columns: Level 1, Level 2, Level 3, Level 4):
- Hard crypto token
- One-time password device
- Soft crypto token
- Passwords & PINs
From NIST SP 800-63, p. 39

Slide 11: OpenID Provider Authentication Policy Extension (PAPE)
- Provides a way for Relying Parties to request / view the authentication policies of the Identity Provider
- Policies: Phishing-resistant, Multi-Factor, and Physical Multi-Factor
- Preferred authentication levels, e.g. NIST: 1, 2, 3, 4
- SAML also allows authentication attributes to be added to a message
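Slides 5, 7 and 11 describe the RP asking for, and the IdP reporting, how the user actually authenticated. The Go program below is an added example, not code from the deck or from TrustBearer, of the Relying Party side of PAPE: building the request parameters and then deciding whether the OP's positive assertion meets a policy such as "physical multi-factor, NIST level 3, authenticated within the last ten minutes". The namespace, policy URIs, parameter names and the NIST level namespace URI are written from my recollection of OpenID PAPE 1.0 and should be checked against the spec before use; SampleOPResponse, the RPRequirements type and the sample values are constructed for the example. The one check that is easy to forget is also included: the RP must only believe PAPE fields that the OP's signature covers (listed in openid.signed), otherwise anyone who can edit the redirect can claim multi-factor.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// Identifiers as I recall them from OpenID PAPE 1.0 (assumption: verify against the spec).
const (
	PapeNS                    = "http://specs.openid.net/extensions/pape/1.0"
	PolicyPhishingResistant   = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
	PolicyMultiFactor         = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
	PolicyMultiFactorPhysical = "http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical"
	PolicyNone                = "http://schemas.openid.net/pape/policies/2007/06/none"
	NISTLevelNS               = "http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf"
)

// RPRequirements is what a Relying Party demands before it accepts a login (constructed type).
type RPRequirements struct {
	Policies []string      // every one of these must be in the OP's auth_policies
	MinNIST  int           // minimum NIST SP 800-63 assurance level; 0 = not required
	MaxAge   time.Duration // how long ago the user may have authenticated; 0 = any
}

// RequestParams builds the PAPE fields the RP adds to its authentication request.
func (r RPRequirements) RequestParams() url.Values {
	v := url.Values{}
	v.Set("openid.ns.pape", PapeNS)
	v.Set("openid.pape.preferred_auth_policies", strings.Join(r.Policies, " "))
	if r.MaxAge > 0 {
		v.Set("openid.pape.max_auth_age", strconv.Itoa(int(r.MaxAge/time.Second)))
	}
	if r.MinNIST > 0 {
		v.Set("openid.pape.preferred_auth_level_types", "nist")
	}
	return v
}

// Evaluate checks the OP's positive assertion. It assumes the caller has already
// verified the OpenID signature; here we only trust fields that signature covers.
func (r RPRequirements) Evaluate(resp url.Values, now time.Time) error {
	signed := map[string]bool{} // openid.signed lists field names without the "openid." prefix
	for _, f := range strings.Split(resp.Get("openid.signed"), ",") {
		signed["openid."+strings.TrimSpace(f)] = true
	}
	get := func(key string) (string, error) {
		if !signed[key] {
			return "", fmt.Errorf("%s is not covered by the OP signature", key)
		}
		return resp.Get(key), nil
	}
	if ns, err := get("openid.ns.pape"); err != nil || ns != PapeNS {
		return errors.New("OP did not return a signed PAPE response")
	}
	policies, err := get("openid.pape.auth_policies")
	if err != nil {
		return err
	}
	granted := map[string]bool{}
	for _, p := range strings.Fields(policies) {
		granted[p] = true
	}
	for _, want := range r.Policies { // a password-only login comes back as PolicyNone
		if !granted[want] {
			return fmt.Errorf("required policy not satisfied: %s", want)
		}
	}
	if r.MinNIST > 0 {
		level := -1
		for key, vals := range resp { // find the alias the OP bound to the NIST namespace
			if strings.HasPrefix(key, "openid.pape.auth_level.ns.") && len(vals) > 0 && vals[0] == NISTLevelNS && signed[key] {
				if s, err := get("openid.pape.auth_level." + strings.TrimPrefix(key, "openid.pape.auth_level.ns.")); err == nil {
					level, _ = strconv.Atoi(s)
				}
			}
		}
		if level < r.MinNIST {
			return fmt.Errorf("NIST assurance level %d is below the required %d", level, r.MinNIST)
		}
	}
	if r.MaxAge > 0 {
		s, err := get("openid.pape.auth_time")
		if err != nil {
			return err
		}
		if at, err := time.Parse(time.RFC3339, s); err != nil || now.Sub(at) > r.MaxAge {
			return errors.New("authentication time missing, unparsable, or too old")
		}
	}
	return nil
}

// SampleOPResponse builds a constructed positive assertion (what a real OP would redirect back to the RP).
func SampleOPResponse(policies []string, nist int, authTime time.Time) url.Values {
	v := url.Values{}
	v.Set("openid.ns.pape", PapeNS)
	v.Set("openid.pape.auth_policies", strings.Join(policies, " "))
	v.Set("openid.pape.auth_time", authTime.UTC().Format(time.RFC3339))
	v.Set("openid.pape.auth_level.ns.nist", NISTLevelNS)
	v.Set("openid.pape.auth_level.nist", strconv.Itoa(nist))
	v.Set("openid.signed", "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,"+
		"ns.pape,pape.auth_policies,pape.auth_time,pape.auth_level.ns.nist,pape.auth_level.nist")
	return v
}

func main() {
	req := RPRequirements{Policies: []string{PolicyPhishingResistant, PolicyMultiFactorPhysical}, MinNIST: 3, MaxAge: 10 * time.Minute}
	now := time.Now()
	fmt.Println("request:", req.RequestParams().Encode())
	fmt.Println("smart card login:", req.Evaluate(SampleOPResponse([]string{PolicyPhishingResistant, PolicyMultiFactorPhysical}, 3, now), now))
	fmt.Println("password login:  ", req.Evaluate(SampleOPResponse([]string{PolicyNone}, 1, now), now))
}
```

The "preferred" in preferred_auth_policies is the important word: PAPE lets the RP ask, but the OP decides, so the RP's enforcement point is Evaluate on the response, never the request.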

Slide 12: TrustBearer OpenID
What we do:
- Challenge/response with PIN or biometric verification
- Allow multiple tokens per account
- Implement PAPE
- No name / password option
- Some SAML support
- Path validation & revocation checking
What we could do:
- Use SReg to transmit data on the card
- Allow RPs to request that certain smart cards or tokens be used
- More SAML support

Slide 13: How Government OpenID with smart card auth could work
Diagram: the citizen opens the Gov't web app's login page. The web app (the OpenID Relying Party, or consumer) includes the U.S. Gov't OpenID Provider on its trusted list, so the user is directed to the government OpenID provider, which authenticates with the CAC / PIV smart card (performing path validation & certificate revocation checking). OpenID + SReg + PAPE data is sent to the Gov't web app, the info is verified, and the citizen is logged in to the web app.

Slide 14: In-the-cloud strong-auth benefits over traditional client auth with SSL
- Less infrastructure / less coding
- Path validation & revocation checking work is offloaded to the Identity Provider
- Authentication methods can scale up and down depending on application needs
- Non-cert data on the smart card becomes useful (e.g. healthcare)
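Slides 12 through 14 all turn on "path validation & revocation checking", the work every application would otherwise have to get right on its own when it accepts a smart-card certificate directly. The Go program below is an added example, not TrustBearer's code, of what that work consists of, using only the standard crypto/x509 package: it generates a throwaway CA, two user certificates and a CRL in memory (all constructed; nothing here is a real CAC/PIV certificate), then validates a certificate the way an identity provider would before asserting the login: chain to a trusted root, correct extended key usage, and a check of the issuer's CRL that also rejects a CRL which is unsigned, signed by the wrong key, or past its NextUpdate. It assumes a Go toolchain with x509.ParseRevocationList (1.19 or later).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TestPKI is a constructed, in-memory stand-in for a smart-card PKI.
type TestPKI struct {
	CA    *x509.Certificate
	Alice *x509.Certificate // good card
	Bob   *x509.Certificate // card reported lost: listed on the CRL
	CRL   []byte            // DER CRL signed by CA, current for one hour
}

func BuildTestPKI(now time.Time) (*TestPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Smart Card CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	issue := func(serial int64, cn string) (*x509.Certificate, error) { // client-auth cert signed by the CA
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage:    x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &k.PublicKey, caKey)
		if err != nil {
			return nil, err
		}
		return x509.ParseCertificate(der)
	}
	alice, err := issue(2, "alice.smith")
	if err != nil {
		return nil, err
	}
	bob, err := issue(3, "bob.jones")
	if err != nil {
		return nil, err
	}
	crl, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: bob.SerialNumber, RevocationTime: now}},
	}, ca, caKey)
	if err != nil {
		return nil, err
	}
	return &TestPKI{CA: ca, Alice: alice, Bob: bob, CRL: crl}, nil
}

// ValidateClientCert is the work the IdP takes off the application's hands:
// path validation to a trusted root, key-usage check, and revocation checking.
func ValidateClientCert(leaf, root *x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return fmt.Errorf("path validation failed: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("CRL unparsable: %w", err)
	}
	issuer := chains[0][1] // the leaf's issuer within the validated chain
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL not signed by the issuer: %w", err)
	}
	if now.After(crl.NextUpdate) { // a stale CRL means revocation status is unknown, not "fine"
		return errors.New("CRL is past its NextUpdate")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate for %q is revoked", leaf.Subject.CommonName)
		}
	}
	return nil
}

func main() {
	now := time.Now()
	pki, err := BuildTestPKI(now)
	if err != nil {
		panic(err)
	}
	fmt.Println("alice:", ValidateClientCert(pki.Alice, pki.CA, pki.CRL, now))
	fmt.Println("bob:  ", ValidateClientCert(pki.Bob, pki.CA, pki.CRL, now))
}
```

Real CAC/PIV validation adds intermediate CAs, certificate policy constraints and OCSP, which is exactly why the deck argues for doing it once, at the identity provider, rather than in every application that wants to accept the card.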

Questions?
https://openid.trustbearer.com
Brian Kelly, Vice President, TrustBearer Labs
brian.kelly@trustbearer.com
twitter.com/trustbearer