CIS14: Knowing vs. Asking: Innovation in User Recognition
Pam Dingle, Ping Identity

Walk-through of simple changes in approach—away from the traditional stateless authentication model—that can have radical effect on what a user might be asked to do, and how they are asked to do it, with demonstration of recommended methods.

Published in: Technology
Transcript

  • 1. KNOWING VS ASKING: INNOVATION IN USER RECOGNITION. Pamela Dingle, @pamelarosiedee, Office of the CTO, Ping Identity
  • 2. day one
  • 3. day two
  • 4. day five-hundred eighty five
  • 5. State of the Industry
  • 6. Compartmentalization
  • 7. https://www.flickr.com/photos/bensonkua/2754312951
  • 8. The US Army https://flic.kr/p/bExfoR
  • 9. Leo Reynolds https://flic.kr/p/nfxqQG
  • 10. Ginny https://flic.kr/p/5V9Viy
  • 11. https://www.flickr.com/photos/bensonkua/2754312951/in/photostream/
  • 12. The US Army https://flic.kr/p/bExfoR
  • 13. IDP Today: Stranger Flow RP
  • 14. We need one more representation
  • 15. Our Lexicon must grow to Encompass Hints
        • What is a hint?
          – Statement based on probability but lacking authority
          – Multiple evolutions evolving into the concept of a Hint
        • Passive Factors / Real-time analytics
        • Cached previous data
        • Account Chooser
  • 16. Security Posture should never be OSFA again
        • It isn’t 1995 anymore
        • The device to user ratio has inverted
        • In the 1st world at least, 5-year olds have iPads
        • You can’t abandon the 1995 flow but you can choose who to offer it to
  • 17. IDP Tomorrow: Friendly Flow RP
  • 18. That must be dangerous! Because, Security
  • 19. Xavi Talleda https://flic.kr/p/997LWwv
  • 20. Session bound with Context allows us to help “friendlies”. But what tooling allows contextual collaboration across domains?
  • 21. Two Flow Elements
        • Continuation Flow
          – Is there some context that can forecast an identifier and/or IdP?
        • Bootstrap Flow
          – No continuation exists
          – Is there a way to introduce the user & IdP to the flow?
  • 22. Hint Spectrum: Login Hint, Refresh Token, Previously Issued ID Token, Shared Signal, Expired Token & context assertion embedded in signed AuthnRequest
  • 23. Login Hint
        • Exactly the information the user would have to type themselves anyway
          – User Identifier
          – IdP
        • Equivalent to “Remember me” (but crossing domains)
  • 24. How can an RP derive a Login Hint?
        • Continuation Flow
          – Check the expired session cookie
          – Dig up the previous id_token
        • Bootstrapping Flow
          – Ask for it (NASCAR, OpenID), i.e. the stranger flow
          – Query a common authority
            • CDC, Account Chooser
        Photo: Dave Carter https://www.flickr.com/photos/david_s_carter/3041065755
  • 25. Bootstrapping == Discovery?
  • 26. Choosers FTW
  • 27. Bootstrapping
        HTTP/1.1 302 Found
        Location: https://server.example.com/authorize
          ?response_type=code
          &scope=openid%20profile%20email
          &client_id=s6BhdRkqt3
          &state=af0ifjsldkj
          &redirect_uri=https%3A%2F%2Fclnt.example.org%2Fcb
          &login_hint=patty%40integralcurve.com
  • 28. Continuation
        {
          "iss": "s6BhdRkqt3",
          "aud": "https://server.example.com",
          "response_type": "code id_token",
          "client_id": "s6BhdRkqt3",
          "redirect_uri": "https://client.example.org/cb",
          "scope": "openid",
          "state": "af0ifjsldkj",
          "nonce": "n-0S6_WzA2Mj",
          "max_age": 86400,
          "id_token_hint": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzc K5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVV k4XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg"
        }
  • 29. An attacker who emulates the login hint only gets this far
  • 30. https://www.flickr.com/photos/bensonkua/2754312951/in/photostream/
  • 31. Thanks! @pamelarosiedee http://pingidentity.com http://eternallyoptimistic.com
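The following is an added worked example, not code from the deck or from Ping Identity. It puts slides 24, 27, 28 and 29 together: the RP derives a hint from an expired id_token (continuation) or from an account-chooser pick (bootstrap), builds the authorization request, and the IdP uses the hint only to pick a flow, never to grant a session. The endpoint, client_id and redirect_uri are the slides' own values; the id_token, the session store and the device context are constructed stand-ins.

```python
import base64
import json
from urllib.parse import urlencode

AUTHZ_ENDPOINT = "https://server.example.com/authorize"  # values from slides 27/28
CLIENT_ID = "s6BhdRkqt3"
REDIRECT_URI = "https://client.example.org/cb"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_id_token(claims: dict) -> str:
    """Constructed stand-in for an old id_token (alg=none, empty signature):
    usable as a hint, would never pass real verification."""
    header = _b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def peek_claims(id_token: str) -> dict:
    """Read the payload WITHOUT verifying it, deliberately: the RP only uses the
    old token to forecast identifier and IdP (a hint); the IdP re-authenticates."""
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def derive_hint(expired_id_token=None, chooser_pick=None):
    """Continuation flow first (previous id_token), then bootstrap flow
    (account-chooser pick); None means stranger flow: ask the user."""
    if expired_id_token:
        claims = peek_claims(expired_id_token)
        return {"login_hint": claims["email"], "id_token_hint": expired_id_token}
    if chooser_pick:
        return {"login_hint": chooser_pick["email"]}
    return None

def build_authz_url(hint, state: str) -> str:
    """Authorization request shaped like slide 27, hint parameters appended if any."""
    params = {"response_type": "code", "scope": "openid profile email",
              "client_id": CLIENT_ID, "state": state, "redirect_uri": REDIRECT_URI}
    if hint:
        params.update(hint)
    return AUTHZ_ENDPOINT + "?" + urlencode(params)

def idp_choose_flow(hint_email, session_cookie, device_ctx, sessions: dict) -> str:
    """IdP side (slide 29): the hint selects a flow, never a session. 'friendly'
    needs an IdP-issued session bound to the same subject and device context;
    a replayed hint with no such session lands in 'stranger'."""
    sess = sessions.get(session_cookie)
    if sess and sess["email"] == hint_email and sess["device"] == device_ctx:
        return "friendly"
    return "stranger"
```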
