Web Authentication
Strategies
Virginia Security Summit
Identity Management
April 27, 2009
Brian Kelly
Vice President
TrustBearer Labs
a partner company of VeriSign, Inc.

Simplify
Techniques and technology that can be
leveraged to make managing user accounts
easier and more secure
SAML
2

Know your users
Employees Citizens
• 1,000+ • 100,000+
• Identity vetted • Internet-based identity
• Bulk-provisioning • On-the-fly-provisioning
(with official email) (with Internet email)
• IT staff to handle • Automated support
support requests requests
3

Identity vetting
• Employee identities are vetted in advance,
in-person
• Citizens may need vetting, depending on
services accessed, but in-person vetting is
rarely available
4

Account Provisioning
• Employees are typically assigned an email
address, network account, and temporary
password after hire.
‣ Then (some) applications are provisioned
• Citizens typically request an account after
proving their identity (e.g. driver’s license
number & date of birth)
‣ Then username & password are created,
and (one) application is provisioned.
5

Support
• Help desk staff to support employee
requests (e.g. password reset, new
application access)
• Citizen requests may be of much higher
volume, which require more automated
support options
6

Making it easier
7

Employee Web Apps
• Use a single SAML Identity Provider
Make web apps SAML consumers
• Provision all apps using SAML user IDs
• Employee authenticates in once place and
gets access to all provisioned applications
• Account support is centralized
• Can still use OTP, smart card, or password
(more on that later)
8

How does SAML work?
verifies signed
assertions
User is logged-in
creates signed
App 1 to web app
Login Web Page
assertions
user
SAML ID App 2
user
Provider
user authenticates users App 3
Other SAML Service Providers
LDAP (consumers)
Auth.
9

Citizen Web Apps
• Make web apps OpenID Relying Parties and
stop managing usernames & passwords
• Use existing ID vetting process or
outsource
• Add an Extended Validation SSL certificate
• Citizen gets to reuse existing credentials
• Can still use OTP, smart card, or password
• Account support is partially outsourced
10

How does OpenID work?
Citizen Web App
Web app Citizen is logged-in
Page Login
verifies previously to web app
user enrolled OpenID
Citizen
user Web App
OpenID
user Relying Party
(consumer)
Citizen identity vetting could
take place during OpenID
enrollment stage.
User authenticates to IDP and
enables account to be used
with government site
11

SAML
• Consumer focused
• Enterprise focused
• On-the-fly-provisioning
• Bulk-provisioning
(on-the-fly supported)
• Many identity providers
• Identity Provider is
available online for
internal to
consumers to choose
organization (typically)
• Mostly open-source,
• Commercial and OS
and COTS services
products available
12

What about
authentication options?
13

End-point authentication is
agnostic of SSO standard
All can be supported by SAML or OpenID
• username / password
• one time password (OTP) tokens
• smart cards (e.g. PIV, CAC, FRAC)
• client digital certificates
• information cards
• biometrics
• image verification
14

Identity Provider decides end-
point authentication options
• Google,Yahoo, AOL: password
• myOpenID: password, phone verify, client certificate, info card
• VeriSign PIP: OTP, client certificate, info card, EV SSL
• TrustBearer: smart cards (CAC, PIV, etc.), biometrics
• Vidoop: Image recognition (CAPTCHA)
The IdP can specify authentication methods used
to the RP, which can even request preferences.
15

What authentication
method to choose?
16

Required Protections for OMB’s
E-Auth Assurance Levels
Level 1 Level 2 Level 3 Level 4
Protect against
✓ ✓ ✓ ✓
On-line guessing
Replay ✓ ✓ ✓ ✓
Eavesdropper ✓ ✓ ✓
Verifier impersonation ✓ ✓ ✓
Man-in-the-middle ✓ ✓
Session hijacking ✓
From NIST SP 800-63 p. 39
17

Token Types Allowed At Each
Assurance Level
Level 1 Level 2 Level 3 Level 4
Token Type
✓ ✓ ✓ ✓
Hard Crypto Token
✓ ✓ ✓
One-time password device
✓ ✓ ✓
Soft crypto token
✓ ✓
Passwords & PINs
From NIST SP 800-63 p. 39
18

OpenID Provider Authentication
Policy Extension (PAPE)
• Provides a way for Relying Parties to
request / view authentication policies of
Identity Provider
• Policies: Phishing-resistant, Multi-Factor, and
Physical Multi-Factor
• Preferred authentication levels
e.g. NIST: 1, 2, 3, 4
SAML also allows authentication attributes
to be added to a message
19

In summary
• You have better options than managing
usernames & passwords for every web app
• SAML has strong enterprise support
• OpenID is convenient for Internet users
• There are many end-point authentication
options for each SSO option.
• Perform a risk-based analysis on your app
to choose an authentication type
20

Thank you
http://trustbearer.com
http://www.verisign.com/authentication/
Brian Kelly
brian.kelly@trustbearer.com
twitter.com/TrustBearer
Vice President
TrustBearer Labs
a partner company of VeriSign, Inc.