CIS14: Knowing vs. Asking: Innovation in User Recognition

Pam Dingle, Ping Identity

Walk-through of simple changes in approach—away from the traditional stateless authentication model—that can have radical effect on what a user might be asked to do, and how they are asked to do it, with demonstration of recommended methods.


  1. KNOWING VS ASKING: INNOVATION IN USER RECOGNITION
     Pamela Dingle, @pamelarosiedee, Office of the CTO, Ping Identity
  2. day one
  3. day two
  4. day five-hundred eighty-five
  5. State of the Industry
  6. Compartmentalization
  7. [photo] bensonkua, https://www.flickr.com/photos/bensonkua/2754312951
  8. [photo] The US Army, https://flic.kr/p/bExfoR
  9. [photo] Leo Reynolds, https://flic.kr/p/nfxqQG
  10. [photo] Ginny, https://flic.kr/p/5V9Viy
  11. [photo] bensonkua, https://www.flickr.com/photos/bensonkua/2754312951/in/photostream/
  12. [photo] The US Army, https://flic.kr/p/bExfoR
  13. IDP Today: Stranger Flow (diagram: IDP, RP)
  14. We need one more representation
  15. Our Lexicon must grow to Encompass Hints
     •  What is a hint?
        – A statement based on probability but lacking authority
        – Several approaches have evolved into the concept of a Hint
     •  Passive factors / real-time analytics
     •  Cached previous data
     •  Account Chooser
  16. Security Posture should never be OSFA (one size fits all) again
     •  It isn’t 1995 anymore
     •  The device-to-user ratio has inverted
     •  In the 1st world at least, five-year-olds have iPads
     •  You can’t abandon the 1995 flow, but you can choose who to offer it to
  17. IDP Tomorrow: Friendly Flow (diagram: IDP, RP)
  18. That must be dangerous! Because, Security
  19. [photo] Xavi Talleda, https://flic.kr/p/997LWwv
  20. A session bound with context allows us to help “friendlies”. But what tooling allows contextual collaboration across domains?
  21. Two Flow Elements
     •  Continuation Flow
        – Is there some context that can forecast an identifier and/or IDP?
     •  Bootstrap Flow
        – No continuation exists
        – Is there a way to introduce the user and IDP to the flow?
  22. Hint Spectrum
     •  Login Hint
     •  Refresh Token
     •  Previously Issued ID Token
     •  Shared Signal
     •  Expired Token & context assertion embedded in signed AuthnRequest
  23. Login Hint
     •  Exactly the information the user would have to type themselves anyway
        – User Identifier
        – IDP
     •  Equivalent to “Remember me” (but crossing domains)
  24. How can an RP derive a Login Hint?
     •  Continuation Flow
        – Check the expired session cookie
        – Dig up the previous id_token
     •  Bootstrapping Flow
        – Ask for it (NASCAR, OpenID), i.e. the stranger flow
        – Query a common authority
           •  CDC, Account Chooser
     [photo] Dave Carter, https://www.flickr.com/photos/david_s_carter/3041065755
  25. Bootstrapping == Discovery?
  26. Choosers FTW
  27. Bootstrapping
     HTTP/1.1 302 Found
     Location: https://server.example.com/authorize
       ?response_type=code
       &scope=openid%20profile%20email
       &client_id=s6BhdRkqt3
       &state=af0ifjsldkj
       &redirect_uri=https%3A%2F%2Fclnt.example.org%2Fcb
       &login_hint=patty%40integralcurve.com
  28. Continuation
     {
       "iss": "s6BhdRkqt3",
       "aud": "https://server.example.com",
       "response_type": "code id_token",
       "client_id": "s6BhdRkqt3",
       "redirect_uri": "https://client.example.org/cb",
       "scope": "openid",
       "state": "af0ifjsldkj",
       "nonce": "n-0S6_WzA2Mj",
       "max_age": 86400,
       "id_token_hint": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzc ... K5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg"
     }
     (the middle of the id_token_hint value is elided on the slide)
  29. An attacker who emulates the login hint only gets this far
  30. [photo] bensonkua, https://www.flickr.com/photos/bensonkua/2754312951/in/photostream/
  31. Thanks! @pamelarosiedee, http://pingidentity.com, http://eternallyoptimistic.com
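The flows on slides 24, 27, 28 and 29 as one added Python example (this is not code from the talk or from Ping Identity). The RP first looks for a continuation hint (a previous id_token it stored, or an expired session cookie), then for a bootstrap hint (an identifier the user typed or an account chooser returned), builds the authorization request with the endpoint, client_id and redirect_uri values from slides 27 and 28, and on the way back trusts only the id_token the IdP signed for this request, which is the point of slide 29. The HS256 shared secret, the mint_id_token stand-in for the IdP, the session-cookie shape and all function names are constructed for this example; a real RP verifies the IdP's RS256 signature against its published JWKS and performs the code exchange that is skipped here.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import quote, urlencode

# Endpoint, client and redirect values taken from slides 27 and 28.
AUTHZ_ENDPOINT = "https://server.example.com/authorize"
CLIENT_ID = "s6BhdRkqt3"
REDIRECT_URI = "https://clnt.example.org/cb"

# Constructed shared secret so the example can mint and verify HS256 id_tokens
# offline. A real RP verifies the IdP's RS256 signature against its JWKS instead.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict) -> str:
    """Constructed stand-in for the IdP: an HS256-signed id_token over DEMO_SECRET."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def peek_claims(token: str) -> dict:
    """Read claims WITHOUT verifying. Good enough to pick an IdP for a hint,
    never good enough to grant anything."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def derive_hint(previous_id_token=None, session_cookie=None, typed_identifier=None):
    """Slide 24: try continuation sources first, then bootstrap, else stranger flow."""
    if previous_id_token:  # dig up the previous id_token
        claims = peek_claims(previous_id_token)
        return {"flow": "continuation", "idp": claims.get("iss"),
                "hinted_sub": claims.get("sub"), "id_token_hint": previous_id_token}
    if session_cookie and "login_hint" in session_cookie:  # expired session cookie
        return {"flow": "continuation", "idp": session_cookie.get("idp"),
                "login_hint": session_cookie["login_hint"]}
    if typed_identifier:  # asked the user, or an account chooser answered for them
        return {"flow": "bootstrap", "idp": None, "login_hint": typed_identifier}
    return {"flow": "stranger", "idp": None}


def build_authz_request(hint, state, nonce=None, scope="openid profile email"):
    """Authorization request URL; only the hint parameters differ between flows."""
    params = {"response_type": "code", "scope": scope, "client_id": CLIENT_ID,
              "state": state, "redirect_uri": REDIRECT_URI}
    if "login_hint" in hint:
        params["login_hint"] = hint["login_hint"]
    if "id_token_hint" in hint:
        params["id_token_hint"] = hint["id_token_hint"]
        params["max_age"] = 86400  # slide 28: re-authenticate if the login is older than a day
    if nonce:
        params["nonce"] = nonce
    # quote_via=quote with safe="" yields the %20 / %2F / %40 encoding shown on slide 27
    return f"{AUTHZ_ENDPOINT}?{urlencode(params, safe='', quote_via=quote)}"


def validate_returned_id_token(id_token, expected_nonce, hinted_sub=None, now=None):
    """Slide 29: the hint granted nothing. What the RP trusts is the id_token the IdP
    signed for THIS request (aud, nonce, exp); if an id_token_hint was sent, the IdP
    must also have authenticated the same subject the hint named."""
    now = time.time() if now is None else now
    header, payload, sig = id_token.split(".")
    expected_sig = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig)):
        raise ValueError("id_token signature invalid")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("aud") != CLIENT_ID or claims.get("nonce") != expected_nonce:
        raise ValueError("id_token not issued for this client and request")
    if claims.get("exp", 0) < now:
        raise ValueError("id_token expired")
    if hinted_sub is not None and claims.get("sub") != hinted_sub:
        raise ValueError("IdP authenticated a different subject than the hint named")
    return claims
```

The hint parameters only shape what the IdP asks the user; nothing the RP received before the redirect is used to make an authorization decision, so a forged login_hint or a replayed expired id_token ends where slide 29 says it does: at the IdP's own authentication step, and then at the nonce, audience, expiry and subject checks in validate_returned_id_token.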
