Who s There? A Methodology for Selecting Authentication Credentials. VA-SCAN October 5, 2009 Mary Dunker dunker@vt.edu

Similar documents
Multi-factor Authentication Considerations for InCommon Silver. Mary Dunker Virginia Tech InCommon Confab April 26, 2012

NIST E-Authentication Guidance SP and Biometrics

FINAL Version 1.1 April 13, 2011

E-Authentication Guidance for Federal Agencies

Arkansas Department of Information Systems Arkansas Department of Finance and Administration

Identity, Credential, and Access Management. Open Solutions for Open Government

Department of Veteran Affairs VA HANDBOOK 6510 VA IDENTITY AND ACCESS MANAGEMENT

Best Practice Guideline G07-001

NC CJIN Governing Board. 13 October, George A. White

Briefly describe the #1 problem you have encountered with implementing Multi-Factor Authentication.

Canadian Access Federation: Trust Assertion Document (TAD)

State of Arkansas Policy Statement on the Use of Electronic Signatures by State Agencies June 2008

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Yale Software Library

Smart Card Two Factor Authentication

Canadian Access Federation: Trust Assertion Document (TAD)

Rich Furr Head, Global Regulatory Affairs and Chief Compliance Officer, SAFE-BioPharma Association. SAFE-BioPharma Association

Evaluation of different Open Source Identity management Systems

Entrust Managed Services PKI. Getting an end-user Entrust certificate using Entrust Authority Administration Services. Document issue: 2.

Introducing etoken. What is etoken?

Authentication, Authorization, and Audit Design Pattern: Internal User Identity Authentication

Mobility, Security and Trusted Identities: It s Right In The Palm of Your Hands. Ian Wills Country Manager, Entrust Datacard

WHITE PAPER. Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ)

IDENTITY MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

Audio: This overview module contains an introduction, five lessons, and a conclusion.

Authentication Tokens

Derived credentials. NIST SP ( 5.3.5) provides for long term derived credentials

Future directions of the AusCERT Certificate Service

Procedure for How to Enroll for Digital Signature

Multi-Factor Authentication

Modern Multi-factor and Remote Access Technologies

French Justice Portal. Authentication methods and technologies. Page n 1

Glossary of Key Terms

A unique biometrics based identifier, such as a fingerprint, voice print, or a retinal scan; or

Frequently Asked Questions (FAQs) SIPRNet Hardware Token

Standards for Identity & Authentication. Catherine J. Tilton 17 September 2014

Authentication Solutions. Versatile And Innovative Authentication Solutions To Secure And Enable Your Business

Biometric SSO Authentication Using Java Enterprise System

API-Security Gateway Dirk Krafzig

Understanding the Role of Smart Cards for Strong Authentication in Network Systems. Bryan Ichikawa Deloitte Advisory

Guide for Securing With WISeKey CertifyID Personal Digital Certificate (Personal eid)

GOALS (2) The goal of this training module is to increase your awareness of HSPD-12 and the corresponding technical standard FIPS 201.

Authentication Solutions VERSATILE AND INNOVATIVE AUTHENTICATION SOLUTIONS TO SECURE AND ENABLE YOUR BUSINESS

IT Governance Committee Review and Recommendation

Enhancing Web Application Security

White Paper. Authentication and Access Control - The Cornerstone of Information Security. Vinay Purohit September Trianz 2008 White Paper Page 1

Multi-Factor Authentication of Online Transactions

RSA SecurID Software Token Security Best Practices Guide

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT

Vidder PrecisionAccess

ARCHIVED PUBLICATION

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Single Sign-On. Security and comfort can be friend. Arnd Langguth. September, 2006

HOTPin Integration Guide: Google Apps with Active Directory Federated Services

Single Sign-On (SSO), Identity Exchange Hub, Remote Identity Proofing

Purpose. Service Model SaaS (Applications) PaaS (APIs) IaaS (Virtualization) Use Case 1: Public Use Case 2: Use Case 3: Public.

Advanced Authentication

ADVANCE AUTHENTICATION TECHNIQUES

etoken Single Sign-On 3.0

Introduction to Online Identity Management By Thomas J. Smedinghoff 1

DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication

The Benefits of an Industry Standard Platform for Enterprise Sign-On

Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access

Guide to Obtaining Your Free WISeKey CertifyID Personal Digital Certificate on Aladdin etoken (Personal eid)

Security in an Increasingly Threatened World. SMS: A better way of doing Two Factor Authentication (2FA)

DigitalPersona Pro Enterprise

Entrust Managed Services PKI

Patron Verification and Security The Web OPAC and Beyond. Richard Goerwitz Carleton College

Understanding the Security & Privacy Rules associated with the HITECH and HIPAA Acts

Deriving a Trusted Mobile Identity from an Existing Credential

Entrust Secure Web Portal Solution. Livio Merlo Security Consultant September 25th, 2003

Digital identity: Toward more convenient, more secure online authentication

The Essentials Series: Enterprise Identity and Access Management. Authentication. sponsored by. by Richard Siddaway

2013 AWS Worldwide Public Sector Summit Washington, D.C.

DRAFT Pan Canadian Identity Management Steering Committee March 1, 2010

Transcription:

Who s There? A Methodology for Selecting Authentication Credentials VA-SCAN October 5, 2009 Mary Dunker dunker@vt.edu

Who s There? Driving by your house Do you care? Probably not -- anyone can look 2

Who s There? Knocking at your door (on your property) Do you care? Probably so. What could happen if a person on your property is not who they say they are? 3

Who s There? Letting someone in Do you care? Very much so. What could happen if the wrong person enters your home? 4

Who s There? Key concepts Methodology Credential selection Implementation 5

Concepts Authentication helps prevent unauthorized access Identity authentication error - person using credential is not the one to whom it was issued Identity authentication error has consequences Negative consequences have impact 6

Concepts Credentials represent identity to online process Personal digital identity online representation of a real person s identity. Credentials + information about a person Personal digital identity has level of assurance (LOA) LOA - degree of confidence that a credential belongs to the person using it, and the person to whom the credential was issued is who they say they are Personal digital identity with appropriate LOA reduces likelihood of identity authentication error 7

Methodology for selecting credentials 1. What is the potential impact if the wrong person gains access to a resource via this application? 2. How does the impact map to a level of assurance in a person s digital identity? 3. What kind of credentials satisfy the LOA? (Multiple factors?) 4. How will you implement the digital credentials in the application? 5. How do you know the authentication method chosen achieves the desired level of assurance? 6. Reassess annually. 8

Methodology 1. What if the wrong person gains access? Types of consequences Inconvenience, distress, reputational damage Financial loss or liability Harm to university programs or public interests Unauthorized release of sensitive information Personal safety Civil, criminal, disciplinary violations 9

Methodology 1. What if the wrong person gains access? Impacts Low impacts cause inconvenience without lasting effects. Moderate impacts are more serious short term or limited but long-term. High impacts have severe adverse effects, resulting in serious long-term damage. Very high impacts are catastrophic or life threatening, with very serious, irreversible longterm effects. 10

Methodology 1. What if the wrong person gains access? Potential Impact Profile Potential Impact Profile Levels Consequences 1 2 3 4 5 Inconvenience, distress or damage to standing or Low Mod Mod High Very high reputation Financial loss or university liability Low Mod Mod High Very high Harm to university programs or public interests N/A Low Mod High Very high Unauthorized release of sensitive information N/A Low Mod High Very high Personal safety N/A N/A Low Mod Very high (or) High Civil or criminal violations N/A Low Mod High Very high 11

Methodology Example: Tree trimming in my yard Potential Impact Profile Potential Impact Profile Levels Consequences 1 2 3 4 5 Inconvenience, distress or damage to standing or Low Mod Mod High Very high reputation Financial loss or university liability Low Mod Mod High Very high Harm to university programs or public interests N/A Low Mod High Very high Unauthorized release of sensitive information N/A Low Mod High Very high Personal safety N/A N/A Low Mod Very high (or) High Civil or criminal violations N/A Low Mod High Very high 12

Methodology 2. How do you map the potential impact to a level of assurance in the person s digital identity? Use a standard like NIST 800-63. A given LOA is backed by trust in identity proofing process and in credential. 13

Methodology: Levels of assurance of personal digital identities LOA Identity assertion Identity proofing requirements Authentication factors Digital credential examples 0 No identity is asserted. None None No authentication is required. Site is open to public 1 Little or no confidence in the validity of the asserted identity Some identity information is acquired. Little or no verification is performed. Single-factor authentication with password Guest accounts 2 Some confidence that the asserted identity is valid Some identity information is acquired, with some level of verification. Single-factor authentication with password or biometric attribute PID and password; Active Directory ID and password; Oracle ID and password. Finger print reader. Hokie Passport card with photo 14 3 Moderate degree of confidence in validity of the asserted identity 4 High degree of confidence in the validity of the asserted identity 5 Very high degree of confidence in the validity of the asserted identity Matching of the collected identity information is strengthened by additional identity verification from a trusted authority. Identity proofing may be in-person or in some circumstances, remote. In-person identity proofing is required, including referencing a biometric attribute. In-person identity proofing is required, including recording a biometric attribute. A minimum of two authentication factors is required; i.e., something you know and (something you have or something you are) A minimum of two authentication factors is required, including a cryptographic key stored on a hardware token that does not allow the export of authentication keys. Three authentication factors are required, including a biometric attribute and a cryptographic key stored on a hardware token that meets certain technical specifications. Personal digital certificates; finger print readers requiring passwords or PINs, Personal digital certificate (PDC) on Aladdin etoken USB device protected with password Fingerprint reader with PIN along with physical key

Credential Selection 3. What credentials are available at your institution for each LOA? ID and password -- most common. Microsoft Active Directory account, e-mail account, Oracle IDs, NetID, guest ID Something you have USB devices/tokens, smart cards, digital certificates Biometrics Multiple credential factors increase LOA. Seek guidance from your Identity Management office or Security Office 15

Credential Implementation 4. How will you implement the digital credentials in the application? Application developers & integrators may need to learn new methods. What authentication methods are available at your institution? Kerberos NTLM NTLMv2 LDAPS Client SSL Central Authentication Service (CAS) Shibboleth 16

Credential Implementation 4. How will you implement the digital credentials in the application? Do you need single sign-on? Do you need Federated identity management? How will you know the LOA of the credential? 17

Implementation 5. Will the authentication method achieve the desired level of assurance? Security Review 18

Implementation 6. Reassess annually Applications change Risk vectors change Technology changes 19

References References National Institute of Standards and Technology Special Publication 800-63, Electronic Authentication Guideline; http://csrc.nist.gov/publications/drafts/800-63-rev1/sp800-63- Rev1_Dec2008.pdf Office of Management Budget M-04-04, E-Authentication Guidance for Federal Agencies; http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf University of Wisconsin, Madison, User Authentication and Levels of Assurance; http://www.cio.wisc.edu/security/initiatives/levels.aspx Virginia Tech, Standard for Use of Personal Digital Identities 20

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information