Security Key Lifecycle
Identiverse 2019
@derekhanson

Authentication Nirvana
● A place where no one has to think about authentication
● A place where everyone is able to access their applications and data using the devices that they carry
● A place where the simplest authentication method is also secure enough to use on a day to day basis
● A place where stories are told of the ancient horror of phishing
Key Concepts
Let's make sure we are all on the same page.
Account Lifecycle - Today
What is Phishing?
1. The victim lands on a fake login page.
2. The victim's credentials go to the attacker.
3. The attacker uses them against the real web service's authentication.
4. The attacker's login succeeds.
5. Seconds later the victim is shown a fake "successful login".
What is FIDO?
If we no longer rely on a secret plus something you have, we have to have a device that is unlocked by a secret or a biometric. The secret or biometric stays on that device; what leaves it is a signature, not something a user can type into the wrong page.
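The phishing sequence above works because a password is a secret the victim can hand to any page. The following Python is an added example written for this page (not code from the deck or from Yubico): it simulates the relying-party side of a WebAuthn login and then runs the same attack against it. The authenticator is a toy that signs with HMAC-SHA256 instead of ECDSA so the block runs offline; the hosts, the class names and the four scenarios are this example's own assumptions, while the checks the RP performs are the ones WebAuthn actually specifies.

```python
"""Relying-party checks on a WebAuthn login and why a phished assertion fails them.
Added example written for this page, not code from the deck or from Yubico: the
authenticator is a toy that signs with HMAC-SHA256 so it runs offline on the standard
library (a real security key signs with a public key algorithm such as ECDSA P-256).
The RP checks are the WebAuthn ones: challenge and origin in clientDataJSON; rpIdHash,
UP/UV flags and counter in authenticatorData; signature over authData || SHA-256(clientDataJSON).
"""
import base64
import hashlib
import hmac
import json
import secrets

FLAG_UP, FLAG_UV = 0x01, 0x04

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

class ToyAuthenticator:
    def __init__(self):
        self._creds = {}  # credential id -> [rp_id, toy signing key, signature counter]

    def make_credential(self, rp_id):
        cred_id = b64url(secrets.token_bytes(16))
        self._creds[cred_id] = [rp_id, secrets.token_bytes(32), 0]
        return cred_id, self._creds[cred_id][1]  # the RP stores the verification key

    def get_assertion(self, rp_id, cred_id, client_data_hash, user_verified=True):
        cred = self._creds[cred_id]
        if cred[0] != rp_id:  # a credential for accounts.example.com is unusable on evil.example
            raise LookupError("no credential for rpId " + rp_id)
        cred[2] += 1
        flags = FLAG_UP | (FLAG_UV if user_verified else 0)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + cred[2].to_bytes(4, "big")
        return auth_data, hmac.new(cred[1], auth_data + client_data_hash, hashlib.sha256).digest()

def browser_get(authenticator, origin, cred_id, challenge):
    """navigator.credentials.get() as the browser does it: the RP ID is derived from the page's own origin."""
    rp_id = origin.split("://", 1)[1].split(":")[0]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth_data, sig = authenticator.get_assertion(rp_id, cred_id, hashlib.sha256(client_data).digest())
    return {"id": cred_id, "clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.creds = {}       # credential id -> {"key": ..., "sign_count": ...}
        self.pending = set()  # one-time challenges handed out to login pages

    def begin_login(self):
        challenge = b64url(secrets.token_bytes(32))
        self.pending.add(challenge)
        return challenge

    def finish_login(self, resp, require_uv=True):
        cd = json.loads(resp["clientDataJSON"])
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self.pending:
            raise ValueError("wrong ceremony type or unknown/replayed challenge")
        if cd.get("origin") != self.origin:
            raise ValueError("origin mismatch: " + str(cd.get("origin")))
        ad = resp["authenticatorData"]
        if ad[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            raise ValueError("rpIdHash mismatch")
        if not ad[32] & FLAG_UP:
            raise ValueError("user presence not asserted")
        if require_uv and not ad[32] & FLAG_UV:
            raise ValueError("user verification required but not performed")
        rec = self.creds[resp["id"]]
        count = int.from_bytes(ad[33:37], "big")
        if (count or rec["sign_count"]) and count <= rec["sign_count"]:
            raise ValueError("signature counter did not increase (cloned authenticator?)")
        expected = hmac.new(rec["key"], ad + hashlib.sha256(resp["clientDataJSON"]).digest(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, resp["signature"]):
            raise ValueError("bad signature")
        self.pending.discard(cd["challenge"])  # each challenge is accepted once
        rec["sign_count"] = count
        return True

def demo():
    """Legitimate login plus three attacks; returns {scenario: outcome}."""
    rp = RelyingParty("accounts.example.com", "https://accounts.example.com")
    key = ToyAuthenticator()
    cred_id, pub = key.make_credential("accounts.example.com")
    rp.creds[cred_id] = {"key": pub, "sign_count": 0}
    def attempt(resp):
        try:
            return "accepted" if rp.finish_login(resp) else "rejected"
        except ValueError as e:
            return "rejected: " + str(e)
    out = {"legit": attempt(browser_get(key, "https://accounts.example.com", cred_id, rp.begin_login()))}
    chal = rp.begin_login()
    try:  # phishing page relays the real challenge, but the browser derives rpId "evil.example"
        browser_get(key, "https://evil.example", cred_id, chal)
        out["phish"] = "assertion produced"
    except LookupError as e:
        out["phish"] = "authenticator refused: " + str(e)
    # a client that requests the real rpId while running on the phisher's origin
    forged = json.dumps({"type": "webauthn.get", "challenge": chal, "origin": "https://evil.example"}).encode()
    ad, sig = key.get_assertion("accounts.example.com", cred_id, hashlib.sha256(forged).digest())
    out["forged_origin"] = attempt({"id": cred_id, "clientDataJSON": forged, "authenticatorData": ad, "signature": sig})
    attempt(good := browser_get(key, "https://accounts.example.com", cred_id, rp.begin_login()))
    out["replay"] = attempt(good)  # a captured assertion: its challenge has already been consumed
    return out
```

`demo()` returns the four outcomes: the real page is accepted, the phishing page never gets an assertion because the browser asks the key for `evil.example` and the key has no credential scoped to it, a client that requests the real RP ID from the wrong origin is caught by the origin check in clientDataJSON, and a captured assertion is refused because its challenge has been consumed. The user verification flag is what separates the second-factor milestone (UP is enough) from the passwordless ones (`require_uv=True`).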
User Verification in a Post Password World
MFA Combinations:
● Something you are + something you have
● Something you are + something you know
● Something you have + something you are
● Something you have + something you know
● Something you know + something you are
● Something you know + something you have
User Verification is not Centralized Biometrics
What are we trusting?
Security Keys as Root of Trust
Anchoring credentials in a root of trust is the cornerstone for building a secure identity model.
Is Device Registration Part of Identity Processes?
The Journey to Authentication Nirvana
The real world tales of building authentication solutions
Major Milestones
Architecture, Processes and Components
Architecture Components

Identity Processes
1. Account Registration
2. Account Authentication
3. Device Registration
4. Account & Device Management
5. Account Recovery
6. Account Deletion

User Identification and Authentication Tools
● Usernames
● Passwords
● OTP, SMS, Push Apps
● Security Keys
● Platform Biometrics
Digging into these Milestones
Putting all this together
1. Creating a User Profile
Description: The application users are able to create accounts
User Benefits: The user is able to create a profile and store information
Security Story: Users are logging in with only a password. Not a good state to be in
Required Components:
● Self-Service Account Registration App
● Self-Service Account Management App
● Self-Service Account Recovery App
● Account Datastore
● Administrator Account Registration App
● Administrator Account Management App
Affected Stages of the Account Lifecycle
Account Registration:
● Enable users to register an account and set a password
● Enable users to set up an email address for recovery
Authentication:
● User types in user name and password
● Prompt users to verify recovery methods
Account Management:
● Enable users to change their password
● Enable users to change their email address
● Enable users to verify their email address
Account Recovery:
● Enable users to recover access to their account by sending an email for password reset
Account Removal:
● Enable users to request the deletion of their account
2. Enabling a Second Factor
Description: The application users can now enroll a second factor
User Benefits: The user has a second factor authenticator for protecting their account
Security Story: Users are no longer logging in with only a password. Better, but still phishable: an OTP, SMS code or push approval can be relayed through the same fake login page
Required Components (* = component changed in this milestone):
● Self-Service Account Registration App *
● Self-Service Account Management App
● Self-Service Account Recovery App *
● Account Datastore *
● Administrator Account Registration App *
● Administrator Account Management App *
Affected Stages of the Account Lifecycle
Account Registration:
● Enable users to register an OTP credential during registration
Authentication:
● When authenticating, allow the user to authenticate with the second factor
Account Management:
● Enable users to manage OTP devices on the account
● Enable users to enroll more than one OTP device on their account
● Enable users to require MFA on the account
● Enable users to configure attributes for recovery (email address, verified attributes, etc.)
Account Recovery:
● Enable users to recover the account with registered attributes
Account Removal:
● Enable properly authenticated users to delete their account
3. Phishing Resistant Second Factor
Description: The application users can now use FIDO2/WebAuthn as a second factor
User Benefits: The user has a second factor authenticator that is phishing resistant for protecting their account
Security Story: Users now have a phishing resistant authenticator and we are no longer relying only on phishable credentials
Required Components (* = component changed in this milestone):
● Self-Service Account Registration App
● Self-Service Account Management App
● Self-Service Account Recovery App
● WebAuthn Capable Identity Provider *
● Account Datastore
● Administrator Account Registration App
● Administrator Account Management App
Affected Stages of the Account Lifecycle
Account Registration:
● Enable users to enroll a Security Key during registration
Authentication:
● When authenticating, allow the user to authenticate with a Security Key
Account Management:
● Enable users to manage Security Keys on the account
● Enable users to enroll more than one Security Key on their account
● Enable users to disable other methods of authentication
● Enable users to configure attributes for recovery (email address, verified attributes, etc.)
Account Recovery:
● Enable users to recover the account with registered attributes
Account Removal:
● Enable properly authenticated users to delete their account
4. Platform Passwordless Authentication
Description: The application users can now use FIDO2/WebAuthn to log in without a password
User Benefits: The user can use the authenticator on their device without needing their password
Security Story: Users now have a method to securely bootstrap the credential and the biometrics on their compute devices
Required Components (* = component changed in this milestone):
● Self-Service Account Registration App
● Self-Service Account Management App
● Self-Service Account Recovery App
● Device Registration App *
● Device Management App *
● WebAuthn Capable Identity Provider
● Account Datastore
● Administrator Account Registration App
● Administrator Account Management App
Affected Stages of the Account Lifecycle
Account Registration:
● Enable users to enroll a Security Key during registration
● Enable users to enroll a platform authenticator during registration
Authentication:
● Allow the user to authenticate with a Security Key
● Allow the user to authenticate with the platform authenticator
Device Enrollment:
● Prompt the user to enroll a platform authenticator as appropriate
Account Management:
● Enable users to manage Security Keys on the account
● Enable users to manage devices on their account
● Enable users to disable other methods of authentication
● Enable users to configure attributes for recovery (email address, verified attributes, etc.)
Account Recovery:
● Enable users to recover the account with registered attributes
Account Removal:
● Enable properly authenticated users to delete their account
5. Passwordless Security Keys
Description: The application users can now use Security Keys instead of a username & password experience
User Benefits: The user does not need to type and manage a password
Security Story: Users now have a method to log in without a password using a Security Key
Required Components:
● Self-Service Account Registration App
● Self-Service Account Management App
● Self-Service Account Recovery App
● Device Registration App
● Device Management App
● WebAuthn Capable Identity Provider
● Account Datastore
● Administrator Account Registration App
● Administrator Account Management App
Affected Stages of the Account Lifecycle: the same stage-by-stage list as milestone 4 (the slide repeats that table unchanged).
6. Passwordless Device Registration
Description: The application users can now use passwordless Security Keys for device registration. This is the final step for users to remove passwords
User Benefits: The user has all the capabilities to remove usage of the password
Security Story: Users now have a method to log in without a password using a Security Key
Required Components:
● Self-Service Account Registration App
● Self-Service Account Management App
● Self-Service Account Recovery App
● Device Registration App
● Device Management App
● WebAuthn Capable Identity Provider
● Account Datastore
● Administrator Account Registration App
● Administrator Account Management App
Affected Stages of the Account Lifecycle: the same stage-by-stage list as milestone 4 (the slide repeats that table unchanged).
Key Lessons:
● Migrating users from password-based authentication to passwordless requires solving the bootstrapping problem
● Security Keys are purpose-built external authenticators for bootstrapping
● We can build great apps that leverage Security Keys and platform authenticators to build excellent and secure deployments today
Looking at the journey ahead
For Additional Information
https://developers.yubico.com/
https://demo.yubico.com
https://webauthntest.azurewebsites.net
Derek Hanson
Email: derek@yubico.com | linkedin.com/in/derekthanson | @derekhanson

More Related Content

Similar to Identiverse 2019 Security Key Lifecycle

Universal login
Universal loginUniversal login
Universal loginZx MYS
 
IRJET- Secured Merchant Payment using Biometric Transaction
IRJET-  	  Secured Merchant Payment using Biometric TransactionIRJET-  	  Secured Merchant Payment using Biometric Transaction
IRJET- Secured Merchant Payment using Biometric TransactionIRJET Journal
 
MembershipReboot & Thinktecture: The Paradigms in Authentication &Authorizati...
MembershipReboot & Thinktecture: The Paradigms in Authentication &Authorizati...MembershipReboot & Thinktecture: The Paradigms in Authentication &Authorizati...
MembershipReboot & Thinktecture: The Paradigms in Authentication &Authorizati...Nur Fatihah Mat Ali
 
secure and authentication using personal device ppt
secure and authentication using personal device pptsecure and authentication using personal device ppt
secure and authentication using personal device pptShiva Shiva
 
Verified Cash App Account uk, us, ca, any country
Verified Cash App Account uk, us, ca, any countryVerified Cash App Account uk, us, ca, any country
Verified Cash App Account uk, us, ca, any countryegerkkcd
 
Multi Banking System using Web Services
Multi Banking System using Web ServicesMulti Banking System using Web Services
Multi Banking System using Web ServicesRSIS International
 
ANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONS
ANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONSANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONS
ANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONSJournal For Research
 
Use-Cases / Wireframes
Use-Cases / WireframesUse-Cases / Wireframes
Use-Cases / WireframesJaime Brown
 
Advanced mechanism for single sign on for distributed computer networks
Advanced mechanism for single sign on for distributed computer networksAdvanced mechanism for single sign on for distributed computer networks
Advanced mechanism for single sign on for distributed computer networkseSAT Journals
 
ObserveIT Webinar: Privileged Identity Management
ObserveIT Webinar: Privileged Identity ManagementObserveIT Webinar: Privileged Identity Management
ObserveIT Webinar: Privileged Identity ManagementObserveIT
 
Bank management system
Bank management systemBank management system
Bank management systemsumanadas37
 
Unified Payment Interface (UPI)
Unified Payment Interface (UPI)Unified Payment Interface (UPI)
Unified Payment Interface (UPI)Ravindra Dastikop
 
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)Artur Barseghyan
 
Implementing open authentication_in_your_app
Implementing open authentication_in_your_appImplementing open authentication_in_your_app
Implementing open authentication_in_your_appNuhil Mehdy
 

Similar to Identiverse 2019 Security Key Lifecycle (20)

Event management system
Event management systemEvent management system
Event management system
 
Universal login
Universal loginUniversal login
Universal login
 
IRJET- Secured Merchant Payment using Biometric Transaction
IRJET-  	  Secured Merchant Payment using Biometric TransactionIRJET-  	  Secured Merchant Payment using Biometric Transaction
IRJET- Secured Merchant Payment using Biometric Transaction
 
OpenID Connect
OpenID ConnectOpenID Connect
OpenID Connect
 
MembershipReboot & Thinktecture: The Paradigms in Authentication &Authorizati...
MembershipReboot & Thinktecture: The Paradigms in Authentication &Authorizati...MembershipReboot & Thinktecture: The Paradigms in Authentication &Authorizati...
MembershipReboot & Thinktecture: The Paradigms in Authentication &Authorizati...
 
secure and authentication using personal device ppt
secure and authentication using personal device pptsecure and authentication using personal device ppt
secure and authentication using personal device ppt
 
Presentation 2 fyp1 (040561)
Presentation 2 fyp1 (040561)Presentation 2 fyp1 (040561)
Presentation 2 fyp1 (040561)
 
Verified Cash App Account uk, us, ca, any country
Verified Cash App Account uk, us, ca, any countryVerified Cash App Account uk, us, ca, any country
Verified Cash App Account uk, us, ca, any country
 
Multi Banking System using Web Services
Multi Banking System using Web ServicesMulti Banking System using Web Services
Multi Banking System using Web Services
 
ANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONS
ANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONSANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONS
ANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONS
 
Use-Cases / Wireframes
Use-Cases / WireframesUse-Cases / Wireframes
Use-Cases / Wireframes
 
encryption ppt
encryption pptencryption ppt
encryption ppt
 
Identity Management
Identity ManagementIdentity Management
Identity Management
 
Advanced mechanism for single sign on for distributed computer networks
Advanced mechanism for single sign on for distributed computer networksAdvanced mechanism for single sign on for distributed computer networks
Advanced mechanism for single sign on for distributed computer networks
 
ObserveIT Webinar: Privileged Identity Management
ObserveIT Webinar: Privileged Identity ManagementObserveIT Webinar: Privileged Identity Management
ObserveIT Webinar: Privileged Identity Management
 
Bank management system
Bank management systemBank management system
Bank management system
 
Hashtag Banking
Hashtag BankingHashtag Banking
Hashtag Banking
 
Unified Payment Interface (UPI)
Unified Payment Interface (UPI)Unified Payment Interface (UPI)
Unified Payment Interface (UPI)
 
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
 
Implementing open authentication_in_your_app
Implementing open authentication_in_your_appImplementing open authentication_in_your_app
Implementing open authentication_in_your_app
 

Recently uploaded

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 

Recently uploaded (20)

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 

Identiverse 2019 Security Key Lifecycle

  • 4. A place where no one has to think about authentication A place where everyone is able to access their applications and data using the devices that they carry A place where the simplest authentication method is also secure enough to use on a day to day basis A place where stories are told of the ancient horror of phishing Authentication Nirvana 4
  • 5. Let’s make sure we are all on the same page….. Key Concepts
  • 7. What is Phishing? 7 1 Fake Login PageVictim Fake Successful Login …seconds later 5 Web Services Authentication 3 Attacker Credentials 2 Successful Login by Attacker 4
  • 9. If we don’t rely on secrets + something you have we have to Have a device that is unlocked by a secret or a biometric User Verification in a Post Password World 9 MFA Combinations You are You have You are You know You have You are You have You know You know You are You know You have
  • 10. User Verification is not Centralized Biometrics 10
  • 11. What are we trusting? 11
  • 12. Security Keys as Root of Trust 12 Anchoring credentials in a root of trust is the cornerstone for building a secure identity model
  • 13. 13
  • 14. Is Device Registration Part of Identity Processes? 14
  • 15. The real world tales of building authentication solutions The Journey to Authentication Nirvana
  • 19. 1. Account Registration 2. Account Authentication 3. Device Registration 4. Account & Device Management 5. Account Recovery 6. Account Deletion Identity Processes 19
  • 20. ● Usernames ● Passwords ● OTP, SMS, Push Apps ● Security Keys ● Platform Biometrics User Identification and Authentication Tools 20
  • 21. Putting all this together Digging into these Milestones
  • 22. 1. Creating a User Profile Description: The application users are able to create accounts User Benefits: The user is able to create a profile and store information Security Story: Users are logging in with only a password. Not a good state to be in Required Components: ● Self-Service Account Registration App ● Self-Service Account Management App ● Self-Service Account Recovery App ● Account Datastore ● Administrator Account Registration App ● Administrator Account Management App 22
  • 23. 1. Creating a User Profile 23 Affected Stages of the Account Lifecycle Account Registration Authentication Account Management Account Recovery Account Removal ● Enable Users to register account and enable passwords ● Enable Users to setup email address for recovery ● User types in user name and password ● Prompt users to verify recovery methods ● Enable users to change their password ● Enable users to change their email address ● Enable users to verify email address ● Enable users to recover access to account by sending email for password reset ● Enable users to request the deletion of their account
  • 24. 2. Enabling a Second Factor Description: The application users now can enroll with second factor User Benefits: The user is have a second factor authenticator for protecting their accounts Security Story: Users are no longer just logging in with only a password, better but still phishable Required Components: ● Self-Service Account Registration App * ● Self-Service Account Management App ● Self-Service Account Recovery App * ● Account Datastore * ● Administrator Account Registration App * ● Administrator Account Management App * 24
  • 25. 2. Enabling a Second Factor 25 Affected Stages of the Account Lifecycle Account Registration Authentication Account Management Account Recovery Account Removal ● Enable Users to register OTP credential during registration ● When authenticating allow the user to authenticate with second factor ● Enable users to manage OTP devices on the account ● Enable users to enroll more than one OTP device on their account ● Enable users to require MFA on the account ● Enable users to configure attributes for recovery (email address, verified attributes, etc) ● Enable users to recover account with registered attributes ● Enable properly authenticated users to delete their account
  • 26. Description: The application users now can use FIDO2WebAuthn as a second factor User Benefits: The user has a second factor authenticator that is phishing resistant for protecting their accounts Security Story: Users now have a phishing resistant authenticator and we are no longer just relying on phishable credentials Required Components: ● Self-Service Account Registration App ● Self-Service Account Management App ● Self-Service Account Recovery App ● WebAuthn Capable Identity Provider * ● Account Datastore ● Administrator Account Registration App ● Administrator Account Management App 26 3. Phishing Resistant Second Factor
  • 27. 3. Phishing Resistant Second Factor 27 Affected Stages of the Account Lifecycle Account Registration Authentication Account Management Account Recovery Account Removal ● Enable Users to enroll a Security Key during registration ● When authenticating allow the user to authenticate with Security Key ● Enable users to manage Security Keys on the account ● Enable users to enroll more than one Security Key on their account ● Enable users to disable other methods of authentication ● Enable users to configure attributes for recovery (email address, verified attributes, etc) ● Enable users to recover account with registered attributes ● Enable properly authenticated users to delete their account
  • 28. Description: The application users now can use FIDO2WebAuthn to login without a password User Benefits: The user can use the authenticator on their device without needing their password Security Story: Users now have a method to securely bootstrap the credential and the biometrics on their compute devices Required Components: ● Self-Service Account Registration App ● Self-Service Account Management App ● Self-Service Account Recovery App ● Device Registration App * ● Device Management App * ● WebAuthn Capable Identity Provider ● Account Datastore ● Administrator Account Registration App ● Administrator Account Management App 28 4. Platform Passwordless Authentication
  • 29. 4. Platform Passwordless Authentication: Affected Stages of the Account Lifecycle
    Account Registration:
    ● Enable Users to enroll a Security Key during registration
    ● Enable Users to enroll a platform authenticator during registration
    Authentication:
    ● Allow the user to authenticate with Security Key
    ● Allow the user to authenticate with the platform authenticator
    Device Enrollment:
    ● Prompt the user to enroll a platform authenticator as appropriate
    Account Management:
    ● Enable users to manage Security Keys on the account
    ● Enable users to manage devices on their account
    ● Enable users to disable other methods of authentication
    Account Recovery:
    ● Enable users to configure attributes for recovery (email address, verified attributes, etc)
    ● Enable users to recover account with registered attributes
    Account Removal:
    ● Enable properly authenticated users to delete their account
  • 30. 5. Passwordless Security Keys
    Description: The application users now can use Security Keys instead of a username & password experience
    User Benefits: The user does not need to type and manage a password
    Security Story: Users now have a method to login without a password on a Security Key
    Required Components:
    ● Self-Service Account Registration App
    ● Self-Service Account Management App
    ● Self-Service Account Recovery App
    ● Device Registration App
    ● Device Management App
    ● WebAuthn Capable Identity Provider
    ● Account Datastore
    ● Administrator Account Registration App
    ● Administrator Account Management App
  • 31. 5. Passwordless Security Keys: Affected Stages of the Account Lifecycle
    Account Registration:
    ● Enable Users to enroll a Security Key during registration
    ● Enable Users to enroll a platform authenticator during registration
    Authentication:
    ● Allow the user to authenticate with Security Key
    ● Allow the user to authenticate with the platform authenticator
    Device Enrollment:
    ● Prompt the user to enroll a platform authenticator as appropriate
    Account Management:
    ● Enable users to manage Security Keys on the account
    ● Enable users to manage devices on their account
    ● Enable users to disable other methods of authentication
    Account Recovery:
    ● Enable users to configure attributes for recovery (email address, verified attributes, etc)
    ● Enable users to recover account with registered attributes
    Account Removal:
    ● Enable properly authenticated users to delete their account
  • 32. 6. Passwordless Device Registration
    Description: The application users now can use Passwordless Security Keys for device registration. This is the final step for users to remove passwords
    User Benefits: The user has all the capabilities to remove usage of the password
    Security Story: Users now have a method to login without a password on a Security Key
    Required Components:
    ● Self-Service Account Registration App
    ● Self-Service Account Management App
    ● Self-Service Account Recovery App
    ● Device Registration App
    ● Device Management App
    ● WebAuthn Capable Identity Provider
    ● Account Datastore
    ● Administrator Account Registration App
    ● Administrator Account Management App
  • 33. 6. Passwordless Device Registration: Affected Stages of the Account Lifecycle
    Account Registration:
    ● Enable Users to enroll a Security Key during registration
    ● Enable Users to enroll a platform authenticator during registration
    Authentication:
    ● Allow the user to authenticate with Security Key
    ● Allow the user to authenticate with the platform authenticator
    Device Enrollment:
    ● Prompt the user to enroll a platform authenticator as appropriate
    Account Management:
    ● Enable users to manage Security Keys on the account
    ● Enable users to manage devices on their account
    ● Enable users to disable other methods of authentication
    Account Recovery:
    ● Enable users to configure attributes for recovery (email address, verified attributes, etc)
    ● Enable users to recover account with registered attributes
    Account Removal:
    ● Enable properly authenticated users to delete their account
  • 34. Looking at the journey ahead
    Key Lessons:
    ● Migrating users from password based authentication to Passwordless requires solving the bootstrapping problem
    ● Security Keys are purpose built external authenticators for bootstrapping
    ● We can build great apps that leverage Security Keys and platform authenticators to build excellent and secure deployments today

Editor's Notes

  1. Outline: https://docs.google.com/document/d/1ktM7nHS7xfIt8eSD_8iES6mVkkDmzuTI10v_r3r-bXw/edit
  2. Authentication Nirvana
     Users have a frictionless secure authentication experience
     Administrators have the tools to increase friction only as needed
     Authentication Nirvana does not have Passwords and Usernames to Type in
     Examples: Sign into Netflix on my TV
  3. Things to Remember
     Account Lifecycle Phases: Account Registration -> Authentication -> Account Management -> Account Recovery -> Account Removal
  4. Key Concepts in the journey
     a. Account Lifecycle Phases
        i. Account Registration -> Authentication -> Account Management -> Account Recovery -> Account Removal
     b. The bootstrapping problem
        i. How does a credential on a device get created
        ii. Bootstrapping with passwords vs bootstrapping with FIDO
     c. Anchored Credentials
        i. When bootstrapping with FIDO, the credential assurance of the platform authenticator is anchored in the identity assurance of the security key.
        ii. From an account perspective, the security key is the root of trust
     d. What is the Root of Trust?
        i. Definition: Secure bootstrapping mechanism for Platform Authenticators
        ii. Key Concept: The enrollment process for any of the roots of trust for a given account is the process that must be used for recovery to maintain the identity assurance.
  5. The bootstrapping problem
        i. How does a credential on a device get created
        ii. Bootstrapping with passwords vs bootstrapping with FIDO
     c. Anchored Credentials
        i. When bootstrapping with FIDO, the credential assurance of the platform authenticator is anchored in the identity assurance of the security key.
        ii. From an account perspective, the security key is the root of trust
     d. What is the Root of Trust?
        i. Definition: Secure bootstrapping mechanism for Platform Authenticators
        ii. Key Concept: The enrollment process for any of the roots of trust for a given account is the process that must be used for recovery to maintain the identity assurance.
  6. First Create an Account
     Choose a good user name and password
     Choose to let someone else be the identity provider for registering attributes or for authenticating users
     Add Second Factor
     Allow users to opt-in
     Allow users to require it
     Allow users to opt-out of second factor options
     Add Phishing Resistant Second Factor
     Add Platform Passwordless Authentication
     Add External Security Key Passwordless Authentication
     You have a user identifier, but why do you need to type it?
     Add Platform Credential Registration Process using External Security Key