Three trends are changing the calculus of authentication: increased use of modern identity proofing, broader adoption of adaptive authentication, and local mobile biometrics.

    Authentication.Next: Presentation Transcript

    • From Kerberos to FIDO: The Future of Authentication. Mark Diodati, @mark_diodati, mdiodati@pingidentity.com. Thurs 13-07-11
    • The immutable calculus of authentication is changing
    • Modern identity proofing, adaptive authentication, local mobile biometrics
    • Authentication (chart: identity assurance vs. un-usability and cost)
    • Identity assurance
    • Identity Assurance
        • The goal of authentication
        • Level of confidence about the authenticating user
        • Required for a reliable identity infrastructure
            – Security policies rely upon identification of the user
        • Applications have different risk profiles and therefore different assurance requirements
    • Identity Assurance—Components
        • Three components build identity assurance
            – Primary authenticator: attributes including security, number of factors
            – Identity proofing: authentication processes to bind the user to the authenticator
            – Secondary methods
        • Secondary methods are used in conjunction with the primary authenticator
            – Best example is adaptive authentication
        • Layering is essential
    • Primary Authenticator Assurance (chart: identity assurance by primary authenticator: password, OTP, smart card)
    • Modern identity proofing
    • Identity Assurance—Identity Proofing (diagram: authentication lifecycle: initialization, changes, elevated access, emergency access, termination)
    • Identity Proofing
        • Static Knowledge-Based Authentication (KBA)
            – Mom’s maiden name?
            – Easily guessed and administratively-known answers
            – Low proofing value
            – Known users
        • Dynamic Knowledge-Based Authentication (KBA)
            – Intersection near your high school? Amount last paid for mortgage?
            – Medium proofing value
            – Unknown and known users
        • Out-of-Band (OOB) Proofing
            – Interaction via IVR telephone, SMS
            – High proofing value
            – Known users
    • Identity Proofing
        • Static Knowledge-Based Authentication (KBA)
            – Notorious usability problems
            – Unsuitable for everything except low assurance scenarios
            – Many organizations have replaced static KBA with OOB
            – Regulatory pressure will limit its use in the future
        • Dynamic Knowledge-Based Authentication (KBA)
            – Best for unknown users (e.g., payday loans, gift card and rewards programs)
            – Has a solid future in use cases where little is known about the user
        • Out-of-Band (OOB) Proofing
            – The way to go for known users (regardless of constituency)
            – Improves identity assurance
            – Represents the path forward
    • Modern Proofing (chart: identity assurance vs. un-usability and cost)
    • Importance of Identity Proofing (chart: identity assurance by primary authenticator, with identity proofing added: password, OTP, smart card)
    • Adaptive authentication
    • Adaptive Authentication (diagram of signals: device ID, IP blacklist, behavioral biometrics, geolocation; example transactions: bill pay $349, bill pay $610, EFT $2,000,000)
    • Adaptive Authentication Products
        – Consumer authentication
        – Federation and SSO products
        – SIEM
        – Identity and access governance
    • Adaptive Authentication (chart: identity assurance vs. un-usability and cost)
    • Adaptive and Proofing (chart: identity assurance vs. un-usability and cost)
    • Adaptive Over Time
        • Successful authentication systems deliver SSO
        • They transition to an interoperable credential
            – Password or smart card -> KDC -> ticket-granting ticket
            – OTP or password -> WAM policy server -> HTTP cookie
            – Password -> federation IDP -> SAML
            – X.509 -> OIDC IDP/OAuth AS -> access and ID tokens
    • Adaptive Over Time (chart: identity assurance over the lifetime of the credential)
    • Local mobile biometrics
    • The Smartphone
        • Beloved (always)
        • In possession (almost always)
        • User-purchased (sometimes)
    • The Mobile Biometric Device: a portable biometric device
        • Accelerometer: movement
        • Camera: facial recognition
        • Microphone: voice
    • FIDO—A Tale of Two Protocols
        • FIDO Unified Authentication Framework (UAF)
            – Local mobile biometrics
            – Initially proposed by Lenovo, Nok Nok, PayPal, others
            – Also supports non-biometric authentication
        • Universal Second Factor (U2F)
            – “Smart” smart card
            – Initially proposed by Google and Yubikey (first to partner)
    • FIDO: Local Mobile Biometrics
        • FIDO Unified Authentication Framework (UAF)
            – Replace PIN with biometrics for private key access
        • FIDO Alliance announced in Feb 2013
            – Backed by Lenovo, Nok Nok, PayPal, SecureKey, others
            – Part of the original FIDO development effort
        • Specification is still in process (unpublished)
            – Goal: to be the primary authenticator
            – Use cases focus on mobile devices
    • Local Mobile Biometrics—UAF (diagram)
        • Components: FIDO authenticator(s), FIDO client, FIDO server, FIDO attestation service, web site/RP, ID proofing
        • Keys: device key pair (used for device attestation), site-specific key pairs
        • (1) User authentication to FIDO client
        • (2) FIDO handshake between FIDO client and FIDO server
        • (3) Asymmetric key authentication
        • The RP binds user info to the public key
    • UAF—Transitioned (diagram)
        • Components: FIDO client, FIDO authentication module, OpenID Connect authorization server, OAuth resource server, mobile application (relying party)
        • (1) User authentication to FIDO client
        • (2) FIDO handshake
        • (3) Asymmetric key authentication
        • (4) Token information (ID and access tokens)
        • (5) API request/response
        • Binding of user info and public key
    • Local Mobile Biometrics (chart: identity assurance vs. un-usability and cost)
    • FIDO: Universal Second Factor
    • “Smart” Smart Card
        • FIDO Universal Second Factor (U2F)
            – Backed by Google
            – Moved into FIDO alliance in early 2013
        • Beta started in early 2013
            – Hardware partner: Yubico
            – Goal: to be the secondary authenticator
    • “Smart” Smart Card
        • FIDO Universal Second Factor (U2F)
            – Use cases focus on PCs, laptops
        • Hardware is USB or NFC
            – Not so – for software-based keystores
            – Chrome browser integration is key
        • Direct signing functions with the device
            – Overcomes two hurdles of traditional smart cards
        • Certificate management
        • Hardware device drivers, MS-CAPI/CNG
    • “Smart” Smart Card (U2F) (diagram)
        • Components: web site/RP with a site authentication service and a U2F authentication service; attestation service
        • Keys: device key pair (per batch) for device attestation; site-specific key pairs, with key handles
        • Activation button (activation required during enrollment and optional at runtime)
        • (1) User password authentication
        • (2) Challenge-response, with key handle
        • The RP stores user info, public key and key handle
    • U2F Transition (diagram)
        • Components: federation IDP with a primary authentication service and a U2F authentication service; federation SP
        • (1) User password authentication
        • (2) Challenge-response, with key handle
        • (3) SAML credentials issued by the federation IDP
        • (4) SAML credentials presented to the federation SP
        • The IDP stores user info, public key and key handle
    • UAF and U2F Commonality
        • Both aspire to raise identity assurance levels
        • Neither transitions to an interoperable token type (e.g., SAML, OAuth)
        • Both use a unique public key pair for each web site (RP)
        • Both enable an RP to perform device attestation
            – UAF: unique key pair per device
            – U2F: unique public key per “batch” of hardware tokens
        • Both leverage distributed authentication
            – Neither requires an authentication authority
            – Good for scalability
            – The UAF service may need it for device registration and user enrollment
    • UAF and U2F Commonality
        • UAF and U2F mostly require browser interaction
            – Google is working on app-specific implementations
        • UAF is more difficult: it introduces integration issues with mobile applications
            – No defined way to interact with applications to provide SSO, particularly iOS
    • Potential UAF and U2F Integration
        • UAF and U2F leverage a common NFC secure element
            – Improves identity assurance
            – PC, laptop: USB
            – Mobile: NFC
        • UAF FIDO client integrates more deeply with Google Chrome
        • U2F and UAF leverage a common device attestation service
    • Copyright ©2013 Ping Identity Corporation. All rights reserved.
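The U2F enrollment and challenge-response flow sketched in the “Smart” Smart Card (U2F) and U2F Transition slides, as an added example in Go that is not part of the presentation and not code from the FIDO Alliance or any U2F implementation. It models the pieces those slides name: a token holding one attestation key per hardware batch that generates a fresh P-256 key pair per site, addressed by a key handle; a relying party that verifies the batch attestation at enrollment, stores user info, public key and key handle, and later verifies a signed challenge. The message encodings, the site names (`https://bank.example`, `https://mail.example`), the batch id `batch-A` and the user `alice` are constructed for the example and simplified from the real specification.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Device models a U2F-style token: one attestation key per hardware batch plus a fresh
// key pair per site (RP), indexed by (appID, key handle) so a handle is useless elsewhere.
type Device struct {
	batchKey *ecdsa.PrivateKey
	siteKeys map[string]*ecdsa.PrivateKey
}
// Registration is what the RP stores: public key, key handle and the batch key's
// attestation signature over (appID, public key, key handle).
type Registration struct {
	AppID       string
	PublicKey   *ecdsa.PublicKey
	KeyHandle   string
	Attestation []byte
}
// digest is a toy message encoding (SHA-256 over concatenation); real U2F uses fixed fields.
func digest(appID string, parts ...[]byte) []byte {
	d := sha256.Sum256(bytes.Join(append([][]byte{[]byte(appID)}, parts...), nil))
	return d[:]
}
func (r *Registration) digest() []byte {
	return digest(r.AppID, r.PublicKey.X.Bytes(), r.PublicKey.Y.Bytes(), []byte(r.KeyHandle))
}
// Register creates a key pair for appID and attests it with the batch key.
func (d *Device) Register(appID string) (*Registration, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	raw := make([]byte, 16)
	rand.Read(raw) // the handle only needs to be unique per key
	reg := &Registration{AppID: appID, PublicKey: &priv.PublicKey, KeyHandle: hex.EncodeToString(raw)}
	d.siteKeys[appID+"|"+reg.KeyHandle] = priv
	reg.Attestation, err = ecdsa.SignASN1(rand.Reader, d.batchKey, reg.digest())
	return reg, err
}
// Sign answers a challenge only with a key the token issued for this same site.
func (d *Device) Sign(handle, appID string, challenge []byte) ([]byte, error) {
	if priv, ok := d.siteKeys[appID+"|"+handle]; ok {
		return ecdsa.SignASN1(rand.Reader, priv, digest(appID, challenge))
	}
	return nil, errors.New("key handle not valid for this site")
}
// RelyingParty trusts some batch attestation keys and keeps each user's enrollment.
type RelyingParty struct {
	AppID     string
	BatchKeys map[string]*ecdsa.PublicKey
	Users     map[string]*Registration
}
// Enroll stores a registration made for this site if its attestation verifies under a trusted batch key.
func (rp *RelyingParty) Enroll(user, batch string, reg *Registration) error {
	key, ok := rp.BatchKeys[batch]
	if !ok || reg.AppID != rp.AppID || !ecdsa.VerifyASN1(key, reg.digest(), reg.Attestation) {
		return errors.New("untrusted batch, registration for another site, or bad attestation")
	}
	rp.Users[user] = reg
	return nil
}
// Verify checks a challenge response against the public key stored at enrollment.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	reg, ok := rp.Users[user]
	return ok && ecdsa.VerifyASN1(reg.PublicKey, digest(rp.AppID, challenge), sig)
}
// RunFlow: enrollment and challenge-response at the bank, then the bank's key handle
// is refused for a different site. Site names, batch id and user are constructed.
func RunFlow() error {
	batchKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if crypto/rand does
	dev := &Device{batchKey: batchKey, siteKeys: map[string]*ecdsa.PrivateKey{}}
	bank := &RelyingParty{AppID: "https://bank.example", Users: map[string]*Registration{},
		BatchKeys: map[string]*ecdsa.PublicKey{"batch-A": &batchKey.PublicKey}}
	reg, err := dev.Register(bank.AppID) // enrollment follows the user's password login
	if err != nil {
		return err
	}
	if err := bank.Enroll("alice", "batch-A", reg); err != nil {
		return err
	}
	challenge := make([]byte, 32) // runtime: RP sends a fresh challenge and the stored handle
	rand.Read(challenge)
	sig, err := dev.Sign(reg.KeyHandle, bank.AppID, challenge)
	if err != nil || !bank.Verify("alice", challenge, sig) {
		return errors.New("valid response rejected")
	}
	if _, err := dev.Sign(reg.KeyHandle, "https://mail.example", challenge); err == nil {
		return errors.New("bank key handle usable at another site")
	}
	return nil
}
```

Calling `RunFlow()` exercises both halves of the slide: the RP only accepts a registration whose attestation verifies under a batch key it trusts, and the token only signs for a key handle at the site it was issued for, which is why each RP ends up with a public key that no other site can correlate or reuse.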