Published on

Three trends are changing the calculus of authentication: Increased use of modern identity proofing broader adoption of adaptive authentication, and local mobile biometrics.

Published in: Education, Technology


  1. 1. From Kerberos to FIDO: The Future of Authentication Mark Diodati @mark_diodati Thurs 13-07-11
  2. 2. The immutable calculus of authentication is changing
  3. 3. Modern identity proofing Adaptive authentication Local mobile biometrics
  4. 4. AuthenticationIdentityAssurance Un-Usability and Cost
  5. 5. Identity assurance
  6. 6. Identity Assurance • The goal of authentication • Level of confidence about the authenticating user • Required for a reliable identity infrastructure – Security policies rely upon identification of the user • Applications have different risk profiles and therefore different assurance requirements $5
  7. 7. Identity Assurance—Components • Three components build identity assurance – Primary authenticator – attributes including security, number of factors – Identity proofing – authentication processes to bind the user to the authenticator – Secondary methods • Used in conjunction with primary authenticator • Best example is adaptive authentication • Layering is essential
  8. 8. Primary Authenticator Assurance IdentityAssurance Password OTP Smart Card Primary Authenticator IdentityAssurance
  9. 9. Modern identity proofing
  10. 10. Identity Assurance—Identity Proofing Authentication Lifecycle TerminationElevated Access Changes Emergency Access Initialization
  11. 11. Identity Proofing Static Knowledge-BasedAuthentication (KBA) • Mom’s maiden name? • Easily guessed and administratively-known answers • Low proofing value • Known users Dynamic Knowledge-Based Authentication (KBA) • Intersection near your high school? Amount last paid for mortgage? • Medium proofing value • Unknown and known users Out-Of-Band (OOB) Proofing • Interaction via IVR telephone, SMS • High proofing value • Known users
  12. 12. Identity Proofing Static Knowledge-BasedAuthentication (KBA) • Notorious usability problems • Unsuitable for everything except low assurance scenarios • Many organizations have replaced static KBA with OOB • Regulatory pressure will limit its use in the future Dynamic Knowledge-Based Authentication (KBA) • Best for unknown users (e.g., payday loans, gift card and rewards programs) • Has a solid future in use cases where little is known about the user Out-Of-Band (OOB) Proofing • The way to go for known users (regardless of constituency) • Improves identity assurance • Represents the path forward
  13. 13. Modern ProofingIdentityAssurance Un-Usability and Cost
  14. 14. Importance of Identity Proofing Password OTP Smart Card Identity Proofing Primary Authenticator IdentityAssurance
  15. 15. Adaptive authentication
  16. 16. Adaptive Authentication Device ID • ____ • ____ • ____ IP Blacklist • Bill pay $349 • Bill pay $610 • EFT $2,000,000 Behavioral Biometrics Geolocation
  17. 17. Adaptive Authentication Products –Consumer authentication –Federation and SSO products –SIEM –Identity and access governance
  18. 18. Adaptive AuthenticationIdentityAssurance Un-Usability and Cost
  19. 19. Adaptive and ProofingIdentityAssurance Un-Usability and Cost
  20. 20. Adaptive Over Time • Successful authentication systems deliver SSO • They transition to an interoperable credential – Password or smart card->KDC->ticketgranting ticket – OTP or password->WAM policy server->HTTP cookie – Password->federation IDP->SAML – X.509->OIDC IDP/OAuthAS->access and ID tokens
  21. 21. Adaptive Over TimeIdentityAssurance Lifetime of credential
  22. 22. Adaptive Over TimeIdentityAssurance Lifetime of credential
  23. 23. Local mobile biometrics
  24. 24. Beloved (always) In possession (almost always) User-purchased (sometimes) The Smartphone
  25. 25. Portable Biometric Device Accelerometer movement Camera facial recognition Microphone voice The Mobile Biometric Device
  26. 26. FIDO—A Tale of Two Protocols • FIDO Unified AuthenticationFramework(UAF) – Local mobile biometrics – Initially proposed by Lenovo, Nok Nok, PayPal, others – Also supports non-biometric authentication • Universal Second Factor (U2F) – “Smart” smart card • Initially proposed by Google and Yubikey (first to partner)
  27. 27. FIDO: Local Mobile Biometrics • FIDO Unified AuthenticationFramework(UAF) – Replace PIN with biometrics for private key access • FIDO Alliance announcedin Feb 2013 – Backed by Lenovo, Nok Nok, PayPal, SecureKey, others – Part of the original FIDO development effort • Specification is still in process (unpublished) – Goal: to be the primary authenticator – Use cases focus on mobile devices
  28. 28. Local Mobile Biometrics—UAF F authenticator(s) (2)FIDOhandshake FIDO Client FFIDO Server device attestation F device key pair site-specific key pairs (1) user authentication to FIDO client Binding of user info and public key (3)Asymmetrcikeyauthn FIDO Attestation Service web site/RP ID Proofing
  29. 29. UAF—Transitioned F (2)FIDOhandshake FIDO client F OpenID Connect authorization server (1) user authentication to FIDO client (3)asymmetrickeyauthn OAuth resource server FIDO authentication module A mobile application (relying party) Binding of user info and public key (4)Tokeninformation (5)APIrequest/response ID A R A tokens
  30. 30. Local Mobile BiometricsIdentityAssurance Un-Usability and Cost
  31. 31. FIDO: Universal Second Factor
  32. 32. “Smart” Smart Card • FIDO Universal Second Factor (U2F) – Backed by Google – Moved into FIDO alliance in early 2013 • Beta started in early 2013 – Hardware partner: Yubico – Goal: to be the secondary authenticator
  33. 33. “Smart” Smart Card • FIDO Universal Second Factor (U2F) – Use cases focus on PCs, laptops • Hardware is USB or NFC • Not so – for software-based keystores – Chrome browser integration is key • Direct signing functions with the device – Overcomes two hurdles of traditional smart cards • Certificate management • Hardware device drivers, MS-CAPI/CNG
  34. 34. “Smart” Smart Card (U2F)web site/RP device key pair (per batch) site-specific key pairs (with Key Handles)activation button site authn service (activation required during enrollment and optional at runtime) U2F authn service (1)userpasswordauth (2)Challengeresponse,withKeyHandle User info, public key and Key Handle device attestation attestation service
  35. 35. U2F Transition Federation IDP primary authn service U2F authn service (1)userpasswordauth (2)Challengeresponse,withKeyHandle User info, public key and Key Handle (3)SAMLcredentials Federation SP (4) SAML credentials
  36. 36. UAF and U2F Commonality • Both aspire to raise identity assurance levels • Neither transitions to an interoperable token type (e.g., SAML, OAuth) • Both use a unique public key pair for each web site (RP) • Both an enable an RP to perform device attestation – UAF – unique key pair per device – U2F – unique public key per “batch” of hardware tokens • Both leverage distributed authentication – Neither requires an authentication authority – Good for scalability – The UAF service may need it for device registration and user enrollment
  37. 37. UAF and U2F Commonality • UAF and U2F mostly require browser interaction – Google is working on app-specific implementations • UAF more difficult - introduces integration issues with mobile applications – No defined way to interact with applications to provide SSO, particularly iOS
  38. 38. Potential UAF and U2F Integration • UAF and U2F leverage common NFC secure element – Improves identity assurance – PC, laptop: USB – Mobile: NFC • UAF FIDO client integrates more deeply with Google Chrome • U2F and UAF leverage a common device attestation service
  39. 39. Copy right ©2013 Ping Identity Corporation. All rights reserv ed.39 Copy right ©2013 Ping Identity Corporation. All rights reserv ed.39